feat: add container security context settings (#183)

Jonathan Yu · web-flow · commit 799eebba649e · 2021-12-10T08:57:55.000-08:00
* Apply security context settings to containers as well as pod,
  so that users can safely override the pod security context
  without losing security of container security context (useful
  when using sidecar containers with different privileges)
* Add a default runAsGroup set to gid 1000
* Remove custom security context values data types in favor of
  built-in Kubernetes types
diff --git a/README.md b/README.md
@@ -25,26 +25,30 @@ View [our docs](https://coder.com/docs/setup/installation) for detailed installa
 | certs | object | Certificate that will be mounted inside Coder services. | `{"secret":{"key":"","name":""}}` |
 | certs.secret.key | string | Key pointing to a certificate in the secret. | `""` |
 | certs.secret.name | string | Name of the secret. | `""` |
-| coderd | object | Primary service responsible for all things Coder! | `{"affinity":{"podAntiAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchExpressions":[{"key":"app.kubernetes.io/name","operator":"In","values":["coderd"]}]},"topologyKey":"kubernetes.io/hostname"},"weight":1}]}},"builtinProviderServiceAccount":{"annotations":{},"labels":{}},"devurlsHost":"","image":"","oidc":{"enableRefresh":false,"redirectOptions":{}},"podSecurityContext":{"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}},"replicas":1,"resources":{"limits":{"cpu":"250m","memory":"512Mi"},"requests":{"cpu":"250m","memory":"512Mi"}},"satellite":{"accessURL":"","enable":false,"primaryURL":""},"securityContext":{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"seccompProfile":{"type":"RuntimeDefault"}},"serviceAnnotations":{},"serviceNodePorts":{"http":null,"https":null},"serviceSpec":{"externalTrafficPolicy":"Local","loadBalancerIP":"","loadBalancerSourceRanges":[],"type":"LoadBalancer"},"superAdmin":{"passwordSecret":{"key":"password","name":""}},"tls":{"devurlsHostSecretName":"","hostSecretName":""},"trustProxyIP":false}` |
+| coderd | object | Primary service responsible for all things Coder! | `{"affinity":{"podAntiAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchExpressions":[{"key":"app.kubernetes.io/name","operator":"In","values":["coderd"]}]},"topologyKey":"kubernetes.io/hostname"},"weight":1}]}},"builtinProviderServiceAccount":{"annotations":{},"labels":{}},"devurlsHost":"","image":"","oidc":{"enableRefresh":false,"redirectOptions":{}},"podSecurityContext":{"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}},"replicas":1,"resources":{"limits":{"cpu":"250m","memory":"512Mi"},"requests":{"cpu":"250m","memory":"512Mi"}},"satellite":{"accessURL":"","enable":false,"primaryURL":""},"securityContext":{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}},"serviceAnnotations":{},"serviceNodePorts":{"http":null,"https":null},"serviceSpec":{"externalTrafficPolicy":"Local","loadBalancerIP":"","loadBalancerSourceRanges":[],"type":"LoadBalancer"},"superAdmin":{"passwordSecret":{"key":"password","name":""}},"tls":{"devurlsHostSecretName":"","hostSecretName":""},"trustProxyIP":false}` |
 | coderd.affinity | object | Allows specifying an affinity rule for the `coderd` deployment. The default rule prefers to schedule coderd pods on different nodes, which is only applicable if coderd.replicas is greater than 1. | `{"podAntiAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchExpressions":[{"key":"app.kubernetes.io/name","operator":"In","values":["coderd"]}]},"topologyKey":"kubernetes.io/hostname"},"weight":1}]}}` |
 | coderd.builtinProviderServiceAccount | object | Customize the built-in Kubernetes provider service account. | `{"annotations":{},"labels":{}}` |
 | coderd.builtinProviderServiceAccount.annotations | object | A KV mapping of annotations. See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ | `{}` |
 | coderd.builtinProviderServiceAccount.labels | object | Add labels to the service account used for the built-in provider. | `{}` |
 | coderd.devurlsHost | string | Wildcard hostname to allow matching against custom-created dev URLs. Leaving as an empty string results in DevURLs being disabled. | `""` |
 | coderd.image | string | Injected by Coder during release. | `""` |
-| coderd.podSecurityContext | object | Fields related to the pod's security context (as opposed to the container). Some fields are also present in the container security context, which will take precedence over these values. | `{"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}}` |
-| coderd.podSecurityContext.runAsNonRoot | bool | Requires that containers in the pod run as a non-privileged user. | `true` |
-| coderd.podSecurityContext.runAsUser | int | Sets the user id of the pod. This must not be set to root (uid 0). | `1000` |
+| coderd.podSecurityContext | object | Fields related to the pod's security context (as opposed to the container). Some fields are also present in the container security context, which will take precedence over these values. | `{"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}}` |
+| coderd.podSecurityContext.runAsGroup | int | Sets the group id of the pod. For security reasons, we recommend using a non-root group. | `1000` |
+| coderd.podSecurityContext.runAsNonRoot | bool | Requires that containers in the pod run as an unprivileged user. If setting runAsUser to 0 (root), this will need to be set to false. | `true` |
+| coderd.podSecurityContext.runAsUser | int | Sets the user id of the pod. For security reasons, we recommend using a non-root user. | `1000` |
 | coderd.podSecurityContext.seccompProfile | object | Sets the seccomp profile for the pod. If set, the container security context setting will take precedence over this value. | `{"type":"RuntimeDefault"}` |
 | coderd.replicas | int | The number of Kubernetes Pod replicas. | `1` |
 | coderd.resources | object | Kubernetes resource specification for coderd pods. To unset a value, set it to "". To unset all values, set resources to nil. | `{"limits":{"cpu":"250m","memory":"512Mi"},"requests":{"cpu":"250m","memory":"512Mi"}}` |
 | coderd.satellite | object | Deploy a satellite to geodistribute access to workspaces for lower latency. | `{"accessURL":"","enable":false,"primaryURL":""}` |
 | coderd.satellite.accessURL | string | URL of the satellite that clients will connect to. e.g. https://sydney.coder.myorg.com | `""` |
 | coderd.satellite.enable | bool | Run coderd as a satellite pointing to a primary deployment. Satellite enable low-latency access to workspaces all over the world. Read more: TODO: Link to docs. | `false` |
 | coderd.satellite.primaryURL | string | URL of the primary Coder deployment. Must be accessible from the satellite and clients. eg. https://coder.myorg.com | `""` |
-| coderd.securityContext | object | Fields related to the container's security context (as opposed to the pod). Some fields are also present in the pod security context, in which case these values will take precedence. | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"seccompProfile":{"type":"RuntimeDefault"}}` |
+| coderd.securityContext | object | Fields related to the container's security context (as opposed to the pod). Some fields are also present in the pod security context, in which case these values will take precedence. | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}}` |
 | coderd.securityContext.allowPrivilegeEscalation | bool | Controls whether the container can gain additional privileges, such as escalating to root. It is recommended to leave this setting disabled in production. | `false` |
 | coderd.securityContext.readOnlyRootFilesystem | bool | Mounts the container's root filesystem as read-only. It is recommended to leave this setting enabled in production. This will override the same setting in the pod | `true` |
+| coderd.securityContext.runAsGroup | int | Sets the group id of the pod. For security reasons, we recommend using a non-root group. | `1000` |
+| coderd.securityContext.runAsNonRoot | bool | Requires that the coderd and migrations containers run as an unprivileged user. If setting runAsUser to 0 (root), this will need to be set to false. | `true` |
+| coderd.securityContext.runAsUser | int | Sets the user id of the pod. For security reasons, we recommend using a non-root user. | `1000` |
 | coderd.securityContext.seccompProfile | object | Sets the seccomp profile for the migration and runtime containers. | `{"type":"RuntimeDefault"}` |
 | coderd.serviceAnnotations | object | Extra annotations to apply to the coderd service. | `{}` |
 | coderd.serviceNodePorts | object | Allows manually setting static node ports for the coderd service. This is only helpful if static ports are required, and usually should be left alone. By default these are dynamically chosen. | `{"http":null,"https":null}` |
diff --git a/examples/kind/kind.values.yaml b/examples/kind/kind.values.yaml
@@ -4,13 +4,6 @@ coderd:
     # Avoid provisioning a LoadBalancer
     type: ClusterIP
 
-  # Set the container security context (by default, this inherits
-  # the settings from the pod security context)
-  securityContext:
-    runAsNonRoot: true
-    runAsUser: 1000
-    runAsGroup: 1000
-
   # Reduce resource requirements for deployments using kind, which
   # we typically use for development and test purposes only.
   resources:
diff --git a/tests/examples_test.go b/tests/examples_test.go
@@ -46,7 +46,7 @@ func TestExamples(t *testing.T) {
 			ContainerSecurityContext: &corev1.SecurityContext{
 				RunAsUser:                nil,
 				RunAsGroup:               nil,
-				RunAsNonRoot:             nil,
+				RunAsNonRoot:             pointer.Bool(true),
 				Capabilities:             nil,
 				Privileged:               nil,
 				SELinuxOptions:           nil,
@@ -62,6 +62,7 @@ func TestExamples(t *testing.T) {
 			Values: exampleKind,
 			PodSecurityContext: &corev1.PodSecurityContext{
 				RunAsUser:    pointer.Int64(1000),
+				RunAsGroup:   pointer.Int64(1000),
 				RunAsNonRoot: pointer.Bool(true),
 				SeccompProfile: &corev1.SeccompProfile{
 					Type: corev1.SeccompProfileTypeRuntimeDefault,
@@ -89,13 +90,17 @@ func TestExamples(t *testing.T) {
 	var (
 		defaultPsp = &corev1.PodSecurityContext{
 			RunAsUser:    pointer.Int64(1000),
+			RunAsGroup:   pointer.Int64(1000),
 			RunAsNonRoot: pointer.Bool(true),
 			SeccompProfile: &corev1.SeccompProfile{
 				Type: corev1.SeccompProfileTypeRuntimeDefault,
 			},
 		}
 
 		defaultCsc = &corev1.SecurityContext{
+			RunAsUser:                pointer.Int64(1000),
+			RunAsGroup:               pointer.Int64(1000),
+			RunAsNonRoot:             pointer.Bool(true),
 			ReadOnlyRootFilesystem:   pointer.Bool(true),
 			AllowPrivilegeEscalation: pointer.Bool(false),
 			SeccompProfile: &corev1.SeccompProfile{
diff --git a/tests/values.go b/tests/values.go
@@ -82,8 +82,8 @@ type CoderdValues struct {
 	DevURLsHost                   *string                                    `json:"devurlsHost" yaml:"devurlsHost"`
 	TLS                           *CoderdTLSValues                           `json:"tls" yaml:"tls"`
 	Satellite                     *CoderdSatelliteValues                     `json:"satellite" yaml:"satellite"`
-	PodSecurityContext            *CoderdPodSecurityContextValues            `json:"podSecurityContext" yaml:"podSecurityContext"`
-	SecurityContext               *CoderdSecurityContextValues               `json:"securityContext" yaml:"securityContext"`
+	PodSecurityContext            *corev1.PodSecurityContext                 `json:"podSecurityContext" yaml:"podSecurityContext"`
+	SecurityContext               *corev1.SecurityContext                    `json:"securityContext" yaml:"securityContext"`
 	Resources                     *corev1.ResourceRequirements               `json:"resources" yaml:"resources"`
 	BuiltinProviderServiceAccount *CoderdBuiltinProviderServiceAccountValues `json:"builtinProviderServiceAccount" yaml:"builtinProviderServiceAccount"`
 	OIDC                          *CoderdOIDCValues                          `json:"oidc" yaml:"oidc"`
@@ -147,22 +147,6 @@ type CoderdServiceSpecValues struct {
 	LoadBalancerSourceRanges *[]string                                `json:"loadBalancerSourceRanges" yaml:"loadBalancerSourceRanges"`
 }
 
-// CoderdPodSecurityContextValues reflect values from
-// coderd.podSecurityContext.
-type CoderdPodSecurityContextValues struct {
-	RunAsNonRoot   *bool                  `json:"runAsNonRoot" yaml:"runAsNonRoot"`
-	RunAsUser      *int                   `json:"runAsUser" yaml:"runAsUser"`
-	SeccompProfile *corev1.SeccompProfile `json:"seccompProfile" yaml:"seccompProfile"`
-}
-
-// CoderdSecurityContextValues reflect values from
-// coderd.securityContext.
-type CoderdSecurityContextValues struct {
-	ReadOnlyRootFilesystem   *bool                  `json:"readOnlyRootFilesystem" yaml:"readOnlyRootFilesystem"`
-	AllowPrivilegeEscalation *bool                  `json:"allowPrivilegeEscalation" yaml:"allowPrivilegeEscalation"`
-	SeccompProfile           *corev1.SeccompProfile `json:"seccompProfile" yaml:"seccompProfile"`
-}
-
 // EnvboxValues reflect values from envbox.
 type EnvboxValues struct {
 	Image *string `json:"image" yaml:"image"`
diff --git a/values.yaml b/values.yaml
@@ -76,11 +76,15 @@ coderd:
   # container security context, which will take precedence over these values.
   podSecurityContext:
     # coderd.podSecurityContext.runAsNonRoot -- Requires that containers in
-    # the pod run as a non-privileged user.
+    # the pod run as an unprivileged user. If setting runAsUser to 0 (root),
+    # this will need to be set to false.
     runAsNonRoot: true
     # coderd.podSecurityContext.runAsUser -- Sets the user id of the pod.
-    # This must not be set to root (uid 0).
+    # For security reasons, we recommend using a non-root user.
     runAsUser: 1000
+    # coderd.podSecurityContext.runAsGroup -- Sets the group id of the pod.
+    # For security reasons, we recommend using a non-root group.
+    runAsGroup: 1000
     # coderd.podSecurityContext.seccompProfile -- Sets the seccomp profile
     # for the pod. If set, the container security context setting will take
     # precedence over this value.
@@ -91,6 +95,16 @@ coderd:
   # context (as opposed to the pod). Some fields are also present in the pod
   # security context, in which case these values will take precedence.
   securityContext:
+    # coderd.securityContext.runAsNonRoot -- Requires that the coderd and
+    # migrations containers run as an unprivileged user. If setting
+    # runAsUser to 0 (root), this will need to be set to false.
+    runAsNonRoot: true
+    # coderd.securityContext.runAsUser -- Sets the user id of the pod.
+    # For security reasons, we recommend using a non-root user.
+    runAsUser: 1000
+    # coderd.securityContext.runAsGroup -- Sets the group id of the pod.
+    # For security reasons, we recommend using a non-root group.
+    runAsGroup: 1000
     # coderd.securityContext.readOnlyRootFilesystem -- Mounts the container's
     # root filesystem as read-only. It is recommended to leave this setting
     # enabled in production. This will override the same setting in the pod
