[Feature] Add secured contatiners' features (#1287)

Author: informalict

CHANGELOG.md

@@ -3,6 +3,7 @@
 ## [master](https://github.com/arangodb/kube-arangodb/tree/master) (N/A)
 - (Feature) Backup lifetime - remove Backup once its lifetime has been reached
 - (Feature) Add Feature dependency
+- (Feature) Run secured containers as a feature
 
 ## [1.2.31](https://github.com/arangodb/kube-arangodb/tree/1.2.31) (2023-07-14)
 - (Improvement) Block traffic on the services if there is more than 1 active leader in ActiveFailover mode

README.md

@@ -68,11 +68,13 @@ covers individual newer features separately.
 | Graceful Restart                                                                     | 1.2.5            | >= 3.6.0         | Community, Enterprise | 1.0.7      | Production   | True    | --deployment.feature.graceful-shutdown                | N/A                                                                      |
 | Optional Graceful Restart                                                            | 1.2.25           | >= 3.6.0         | Community, Enterprise | 1.2.5      | Beta         | True    | --deployment.feature.optional-graceful-shutdown       | N/A                                                                      |
 | Operator Internal Metrics Exporter                                                   | 1.2.0            | >= 3.6.0         | Community, Enterprise | 1.2.0      | Production   | True    | --deployment.feature.metrics-exporter                 | N/A                                                                      |
-| Operator Ephemeral Volumes                                                           | 1.2.2            | >= 3.7.0         | Community, Enterprise | 1.2.2      | Alpha        | False   | --deployment.feature.ephemeral-volumes                | N/A                                                                      |
+| [Operator Ephemeral Volumes](docs/design/features/ephemeral_volumes.md)             | 1.2.2            | >= 3.7.0         | Community, Enterprise | 1.2.2      | Alpha        | False   | --deployment.feature.ephemeral-volumes                | N/A                                                                      |
+| [Operator Ephemeral Volumes](docs/design/features/ephemeral_volumes.md)              | 1.2.2            | >= 3.7.0         | Community, Enterprise | 1.2.31     | Beta         | False   | --deployment.feature.ephemeral-volumes                | N/A                                                                      |
 | [Failover Leader service](docs/design/features/failover_leader_service.md)           | 1.2.13           | >= 3.7.0         | Community, Enterprise | 1.2.13     | Production   | False   | --deployment.feature.failover-leadership              | N/A                                                                      |
 | [Spec Default Restore](docs/design/features/deployment_spec_defaults.md)             | 1.2.21           | >= 3.7.0         | Community, Enterprise | 1.2.21     | Beta         | True    | --deployment.feature.deployment-spec-defaults-restore | If set to False Operator will not change ArangoDeployment Spec           |
 | [Force Rebuild Out Synced Shards](docs/design/features/rebuild_out_synced_shards.md) | 1.2.27           | >= 3.8.0         | Community, Enterprise | 1.2.27     | Beta         | False   | --deployment.feature.force-rebuild-out-synced-shards  | It should be used only if user is aware of the risks.                    |
 | [Rebalancer V2](docs/design/features/rebalancer_v2.md)                               | 1.2.31           | >= 3.10.0        | Community, Enterprise | 1.2.31     | Alpha        | False   | --deployment.feature.rebalancer-v2                    | N/A                                                                      |
+| [Secured containers](docs/design/features/secured_containers.md)                     | 1.2.31           | >= 3.7.0         | Community, Enterprise | 1.2.31     | Alpha        | False   | --deployment.feature.secured-containers               | If set to True Operator will run containers in secure mode               |
 
 ## Operator Community Edition (CE)
 

docs/design/features/ephemeral_volumes.md

@@ -0,0 +1,20 @@
+# Operator Ephemeral Volumes
+
+## Overview
+
+Operator add 2 EmptyDir mounts to the ArangoDB Pods:
+
+- `ephemeral-apps` which is mounted under `/ephemeral/app` and passed to the ArangoDB process via `--javascript.app-path` arg
+- `ephemeral-tmp` which is mounted under `/ephemeral/tmp` and passed to the ArangoDB process via `--temp.path` arg
+
+This adds possibility to enable ReadOnly FileSystem via PodSecurityContext configuration.
+
+## How to use
+
+To enable this feature use `--deployment.feature.ephemeral-volumes` arg, which needs be passed to the operator:
+
+```shell
+helm upgrade --install kube-arangodb \
+https://github.com/arangodb/kube-arangodb/releases/download/$VER/kube-arangodb-$VER.tgz \
+  --set "operator.args={--deployment.feature.ephemeral-volumes}"
+```

docs/design/features/secured_containers.md

@@ -0,0 +1,28 @@
+# Secured Containers
+
+## Overview
+
+Change Default settings of:
+
+* PodSecurityContext
+  * `FSGroup` is set to `3000`
+* SecurityContext (Container)
+  * `RunAsUser` is set to `1000`
+  * `RunAsGroup` is set to `2000`
+  * `RunAsNonRoot` is set to `true`
+  * `ReadOnlyRootFilesystem` is set to `true`
+  * `Capabilities.Drop` is set to `["ALL"]`
+
+## Dependencies
+
+- [Operator Ephemeral Volumes](./ephemeral_volumes.md) should be Enabled and Supported. 
+
+## How to use
+
+To enable this feature use `--deployment.feature.secured-containers` arg, which needs be passed to the operator:
+
+```shell
+helm upgrade --install kube-arangodb \
+https://github.com/arangodb/kube-arangodb/releases/download/$VER/kube-arangodb-$VER.tgz \
+  --set "operator.args={--deployment.feature.secured-containers}"
+```

pkg/apis/deployment/v1/server_group_security_context_spec.go

@@ -1,7 +1,7 @@
 //
 // DISCLAIMER
 //
-// Copyright 2016-2022 ArangoDB GmbH, Cologne, Germany
+// Copyright 2016-2023 ArangoDB GmbH, Cologne, Germany
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -20,7 +20,17 @@
 
 package v1
 
-import core "k8s.io/api/core/v1"
+import (
+	core "k8s.io/api/core/v1"
+
+	"github.com/arangodb/kube-arangodb/pkg/util"
+)
+
+const (
+	defaultRunAsUser  = 1000
+	defaultRunAsGroup = 2000
+	defaultFSGroup    = 3000
+)
 
 // ServerGroupSpecSecurityContext contains specification for pod security context
 type ServerGroupSpecSecurityContext struct {
@@ -69,24 +79,31 @@ func (s *ServerGroupSpecSecurityContext) GetAddCapabilities() []core.Capability
 	return s.AddCapabilities
 }
 
-// NewSecurityContext creates new pod security context
-func (s *ServerGroupSpecSecurityContext) NewPodSecurityContext() *core.PodSecurityContext {
-	if s == nil {
-		return nil
+// NewPodSecurityContext creates new pod security context
+func (s *ServerGroupSpecSecurityContext) NewPodSecurityContext(secured bool) *core.PodSecurityContext {
+	var psc *core.PodSecurityContext
+	if s != nil && (s.FSGroup != nil || len(s.SupplementalGroups) > 0) {
+		psc = &core.PodSecurityContext{
+			SupplementalGroups: s.SupplementalGroups,
+			FSGroup:            s.FSGroup,
+		}
 	}
 
-	if s.FSGroup == nil && len(s.SupplementalGroups) == 0 {
-		return nil
-	}
+	if secured {
+		if psc == nil {
+			psc = &core.PodSecurityContext{}
+		}
 
-	return &core.PodSecurityContext{
-		SupplementalGroups: s.SupplementalGroups,
-		FSGroup:            s.FSGroup,
+		if psc.FSGroup == nil {
+			psc.FSGroup = util.NewType[int64](defaultFSGroup)
+		}
 	}
+
+	return psc
 }
 
 // NewSecurityContext creates new security context
-func (s *ServerGroupSpecSecurityContext) NewSecurityContext() *core.SecurityContext {
+func (s *ServerGroupSpecSecurityContext) NewSecurityContext(secured ...bool) *core.SecurityContext {
 	r := &core.SecurityContext{}
 
 	if s != nil {
@@ -115,6 +132,27 @@ func (s *ServerGroupSpecSecurityContext) NewSecurityContext() *core.SecurityCont
 		capabilities.Add = append(capabilities.Add, caps...)
 	}
 
+	if len(secured) > 0 && secured[0] {
+		if r.RunAsUser == nil {
+			r.RunAsUser = util.NewType[int64](defaultRunAsUser)
+		}
+		if r.RunAsGroup == nil {
+			r.RunAsGroup = util.NewType[int64](defaultRunAsGroup)
+		}
+		if r.RunAsNonRoot == nil {
+			r.RunAsNonRoot = util.NewType[bool](true)
+		}
+		if r.ReadOnlyRootFilesystem == nil {
+			r.ReadOnlyRootFilesystem = util.NewType[bool](true)
+		}
+
+		if capabilities.Drop == nil {
+			capabilities.Drop = []core.Capability{
+				"ALL",
+			}
+		}
+	}
+
 	r.Capabilities = capabilities
 
 	return r

pkg/apis/deployment/v1/server_group_security_context_spec_test.go

@@ -0,0 +1,176 @@
+//
+// DISCLAIMER
+//
+// Copyright 2016-2023 ArangoDB GmbH, Cologne, Germany
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Copyright holder is ArangoDB GmbH, Cologne, Germany
+//
+
+package v1
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	core "k8s.io/api/core/v1"
+
+	"github.com/arangodb/kube-arangodb/pkg/util"
+)
+
+func TestServerGroupSpecSecurityContext_NewPodSecurityContext(t *testing.T) {
+	testCases := map[string]struct {
+		sc      *ServerGroupSpecSecurityContext
+		secured bool
+		want    *core.PodSecurityContext
+	}{
+		"default unsecured pod security": {
+			sc:   nil,
+			want: nil,
+		},
+		"default secured pod security": {
+			sc:      nil,
+			secured: true,
+			want: &core.PodSecurityContext{
+				FSGroup: util.NewType[int64](defaultFSGroup),
+			},
+		},
+		"user secured pod security takes precedence": {
+			sc: &ServerGroupSpecSecurityContext{
+				FSGroup: util.NewType[int64](3001),
+			},
+			secured: true,
+			want: &core.PodSecurityContext{
+				FSGroup: util.NewType[int64](3001),
+			},
+		},
+		"user secured pod security with FSGroup==nil": {
+			sc: &ServerGroupSpecSecurityContext{
+				SupplementalGroups: []int64{1},
+			},
+			secured: true,
+			want: &core.PodSecurityContext{
+				FSGroup:            util.NewType[int64](defaultFSGroup),
+				SupplementalGroups: []int64{1},
+			},
+		},
+		"user unsecured pod security": {
+			sc: &ServerGroupSpecSecurityContext{
+				FSGroup:            util.NewType[int64](3001),
+				SupplementalGroups: []int64{1},
+			},
+			secured: false,
+			want: &core.PodSecurityContext{
+				FSGroup:            util.NewType[int64](3001),
+				SupplementalGroups: []int64{1},
+			},
+		},
+	}
+
+	for testName, testCase := range testCases {
+		t.Run(testName, func(t *testing.T) {
+			actual := testCase.sc.NewPodSecurityContext(testCase.secured)
+			assert.Equalf(t, testCase.want, actual, "NewPodSecurityContext(%v)", testCase.secured)
+		})
+	}
+}
+
+func TestServerGroupSpecSecurityContext_NewSecurityContext(t *testing.T) {
+	tests := map[string]struct {
+		sc      *ServerGroupSpecSecurityContext
+		secured bool
+		want    *core.SecurityContext
+	}{
+		"default unsecured context security": {
+			sc:      nil,
+			secured: false,
+			want: &core.SecurityContext{
+				Capabilities: &core.Capabilities{
+					Drop: []core.Capability{"ALL"},
+				},
+			},
+		},
+		"default secured context security": {
+			sc:      nil,
+			secured: true,
+			want: &core.SecurityContext{
+				Capabilities: &core.Capabilities{
+					Drop: []core.Capability{"ALL"},
+				},
+				ReadOnlyRootFilesystem: util.NewType(true),
+				RunAsGroup:             util.NewType[int64](defaultRunAsGroup),
+				RunAsNonRoot:           util.NewType(true),
+				RunAsUser:              util.NewType[int64](defaultRunAsUser),
+			},
+		},
+		"user unsecured context security": {
+			sc: &ServerGroupSpecSecurityContext{
+				RunAsUser: util.NewType[int64](3001),
+			},
+			secured: false,
+			want: &core.SecurityContext{
+				Capabilities: &core.Capabilities{
+					Drop: []core.Capability{"ALL"},
+				},
+				RunAsUser: util.NewType[int64](3001),
+			},
+		},
+		"secured user setting RunAsUser takes precedence": {
+			sc: &ServerGroupSpecSecurityContext{
+				RunAsUser: util.NewType[int64](3001),
+			},
+			secured: true,
+			want: &core.SecurityContext{
+				Capabilities: &core.Capabilities{
+					Drop: []core.Capability{"ALL"},
+				},
+				ReadOnlyRootFilesystem: util.NewType(true),
+				RunAsGroup:             util.NewType[int64](defaultRunAsGroup),
+				RunAsNonRoot:           util.NewType(true),
+				RunAsUser:              util.NewType[int64](3001),
+			},
+		},
+		"secured mixed users' settings takes precedence": {
+			sc: &ServerGroupSpecSecurityContext{
+				AddCapabilities:          []core.Capability{"1"},
+				AllowPrivilegeEscalation: util.NewType(true),
+				DropAllCapabilities:      util.NewType(false), // secured will turn it on
+				Privileged:               util.NewType(false),
+				RunAsNonRoot:             util.NewType(false),
+				RunAsUser:                util.NewType[int64](3001),
+			},
+			secured: true,
+			want: &core.SecurityContext{
+
+				AllowPrivilegeEscalation: util.NewType(true),
+				Capabilities: &core.Capabilities{
+					Add:  []core.Capability{"1"},
+					Drop: []core.Capability{"ALL"},
+				},
+				Privileged:             util.NewType(false),
+				ReadOnlyRootFilesystem: util.NewType(true),
+				RunAsGroup:             util.NewType[int64](defaultRunAsGroup),
+				RunAsNonRoot:           util.NewType(false),
+				RunAsUser:              util.NewType[int64](3001),
+			},
+		},
+	}
+
+	for testName, testCase := range tests {
+		t.Run(testName, func(t *testing.T) {
+			actual := testCase.sc.NewSecurityContext(testCase.secured)
+			assert.Equalf(t, testCase.want, actual, "NewSecurityContext(%v)", testCase.secured)
+		})
+	}
+}