Merge pull request #34 from tenable/user/moshe/os

K8s | Add security constraints to better support OpenShift clusters
tenable · Sep 22, 2024 · f817953 · f817953
2 parents 669bb7d + 3f25e3e
commit f817953
Show file tree

Hide file tree

Showing 10 changed files with 73 additions and 26 deletions.
diff --git a/charts/cloud-security/kubernetes-cluster/templates/hook-post-delete-job.yaml b/charts/cloud-security/kubernetes-cluster/templates/hook-post-delete-job.yaml
@@ -55,9 +55,7 @@ spec:
       restartPolicy: Never
       securityContext:
         runAsNonRoot: true
-        {{- if not (.Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints") }}
         runAsUser: 1000
-        {{- end }}
         seccompProfile:
           type: RuntimeDefault
       {{- with .Values.containerImagePullSecrets }}
@@ -75,6 +73,6 @@ spec:
 {{ $annotations := 
   list 
   "helm.sh/hook: post-delete"
-  "helm.sh/hook-delete-policy: hook-failed, before-hook-creation, hook-succeeded"
+  "helm.sh/hook-delete-policy: before-hook-creation, hook-failed, hook-succeeded"
   "helm.sh/hook-weight: \"-1\"" }}
 {{ include "apiKeyTokenSecret" (dict "name" (print .Values.resourceNamePrefix "-post-delete-secret") "root" . "annotations" $annotations) }}
diff --git a/charts/cloud-security/kubernetes-cluster/templates/hook-pre-install-job.yaml b/charts/cloud-security/kubernetes-cluster/templates/hook-pre-install-job.yaml
@@ -70,9 +70,7 @@ spec:
       restartPolicy: Never
       securityContext:
         runAsNonRoot: true
-        {{- if not (.Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints") }}
         runAsUser: 1000
-        {{- end }}
         seccompProfile:
           type: RuntimeDefault
       serviceAccountName: {{ .Values.resourceNamePrefix }}-pre-install-service-account
@@ -86,6 +84,6 @@ spec:
 {{ $annotations :=
   list
   "helm.sh/hook: pre-install, pre-upgrade"
-  "helm.sh/hook-delete-policy: hook-failed, before-hook-creation, hook-succeeded" 
+  "helm.sh/hook-delete-policy: before-hook-creation, hook-failed, hook-succeeded" 
   "helm.sh/hook-weight: \"-1\"" }}
 {{ include "apiKeyTokenSecret" (dict "name" (print .Values.resourceNamePrefix "-pre-install-secret") "root" . "annotations" $annotations) }}
diff --git a/charts/cloud-security/kubernetes-cluster/templates/hook-security-context-constraints.yaml b/charts/cloud-security/kubernetes-cluster/templates/hook-security-context-constraints.yaml
@@ -0,0 +1,26 @@
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints" }}
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  annotations:
+    {{- include "annotations" . | nindent 4 }}
+    helm.sh/hook: pre-install, pre-upgrade, post-delete
+    helm.sh/hook-delete-policy: before-hook-creation, hook-failed, hook-succeeded
+    helm.sh/hook-weight: "-1"
+  labels:
+    {{- include "labels" . | nindent 4 }}
+  name: {{ include "globalResourceName" (dict "name" "hook-scc" "root" .) }}
+runAsUser:
+  type: MustRunAsRange
+  uidRangeMin: 1000
+  uidRangeMax: 1000
+seLinuxContext:
+  type: RunAsAny
+seccompProfiles:
+  - '*'
+volumes:
+  - secret
+users:
+  - system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.resourceNamePrefix }}-post-delete-service-account
+  - system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.resourceNamePrefix }}-pre-install-service-account
+{{- end }}
diff --git a/charts/cloud-security/kubernetes-cluster/templates/security-context-constraints.yaml b/charts/cloud-security/kubernetes-cluster/templates/security-context-constraints.yaml
@@ -0,0 +1,25 @@
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints" }}
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  annotations:
+    {{- include "annotations" . | nindent 4 }}
+  labels:
+    {{- include "labels" . | nindent 4 }}
+  name: {{ include "globalResourceName" (dict "name" "scc" "root" .) }}
+runAsUser:
+  type: MustRunAsRange
+  uidRangeMin: 1000
+  uidRangeMax: 1000
+seLinuxContext:
+  type: RunAsAny
+seccompProfiles:
+  - '*'
+volumes:
+  - secret
+users:
+  {{- if .Values.connector.enabled }}
+  - system:serviceaccount:{{ .Release.Namespace }}:{{ include "connector.resourceNamePrefix" . }}-service-account
+  {{- end}}
+  - system:serviceaccount:{{ .Release.Namespace }}:{{ include "updater.resourceNamePrefix" . }}-service-account
+{{- end }}
diff --git a/charts/cloud-security/kubernetes-cluster/templates/sensor/security-context-constraints.yaml b/charts/cloud-security/kubernetes-cluster/templates/sensor/security-context-constraints.yaml
@@ -7,7 +7,7 @@ metadata:
   labels:
     {{- include "labels" . | nindent 4 }}
     {{- include "sensor.labels" . | nindent 4 }}
-  name: {{ include "sensor.resourceNamePrefix" . }}-scc
+  name: {{ include "sensor.globalResourceName" (dict "name" "scc" "root" .) }}
 allowHostDirVolumePlugin: true
 allowHostIPC: true
 allowHostPID: true

diff --git a/index.yaml b/index.yaml
@@ -3,17 +3,17 @@ entries:
   cloud-security-endpoint-connector:
   - apiVersion: v2
     appVersion: 1.0.0
-    created: "2024-09-10T15:43:29.7210601+03:00"
+    created: "2024-09-22T13:53:34.3837496+03:00"
     description: Tenable Cloud Security endpoint connector
-    digest: 780cf7aa2320d71985e4f3e61cda217b8f417fc5e3220a0c3159f4b075d9a7b2
+    digest: 26f7942c47d1fa1c08a6467883ef419683841c561778366e40b005aab92d5891
     name: cloud-security-endpoint-connector
     type: application
     urls:
     - releases/cloud-security-endpoint-connector-1.0.1.tgz
     version: 1.0.1
   - apiVersion: v2
     appVersion: 1.0.0
-    created: "2024-09-10T15:43:29.720548+03:00"
+    created: "2024-09-22T13:53:34.3832278+03:00"
     description: Tenable Cloud Security endpoint connector
     digest: f76126432c5b731ba2c740261fa68df2cb76a0ec165d92ac63422069faba482d
     name: cloud-security-endpoint-connector
@@ -24,17 +24,17 @@ entries:
   cloud-security-kubernetes-cluster:
   - apiVersion: v2
     appVersion: 1.0.0
-    created: "2024-09-10T15:43:29.7220978+03:00"
+    created: "2024-09-22T13:53:34.3843145+03:00"
     description: Tenable Cloud Security Kubernetes cluster
-    digest: 632dd3aa7e364e7989ea77882f7b63b3313fc947d5377a8178c811cdd93fccaa
+    digest: 671785ee885c60403efdd03e81e436e4819d0c68d7008d2485780545a7547c55
     name: cloud-security-kubernetes-cluster
     type: application
     urls:
     - releases/cloud-security-kubernetes-cluster-1.0.1.tgz
     version: 1.0.1
   - apiVersion: v2
     appVersion: 1.0.0
-    created: "2024-09-10T15:43:29.7215873+03:00"
+    created: "2024-09-22T13:53:34.3842583+03:00"
     description: Tenable Cloud Security Kubernetes cluster
     digest: d3a10afef3c6ad775f3cf9ad1b6f23ee22adcf806f4d22ce7cfea08866cb02c7
     name: cloud-security-kubernetes-cluster
@@ -45,17 +45,17 @@ entries:
   cloud-security-kubernetes-cluster-connector:
   - apiVersion: v2
     appVersion: 1.4.0
-    created: "2024-09-10T15:43:29.7231282+03:00"
+    created: "2024-09-22T13:53:34.3853495+03:00"
     description: Tenable Cloud Security Kubernetes cluster connector
-    digest: d165c3b2288f570e69c28d87983dd8d3d537f484e862b4d6b104b1b6026ca0d5
+    digest: d842e00483a133f1b1fe7b0a2f48686de94d998bfc3e2ab335e187ff09b59e73
     name: cloud-security-kubernetes-cluster-connector
     type: application
     urls:
     - releases/cloud-security-kubernetes-cluster-connector-1.4.1.tgz
     version: 1.4.1
   - apiVersion: v2
     appVersion: 1.4.0
-    created: "2024-09-10T15:43:29.7226169+03:00"
+    created: "2024-09-22T13:53:34.3848174+03:00"
     description: Tenable Cloud Security Kubernetes cluster connector
     digest: 35536b2a177aa01db6a7b505b7f23a0047bc7c73fa74d57e4e8cc763717a40f6
     name: cloud-security-kubernetes-cluster-connector
@@ -66,9 +66,9 @@ entries:
   securitycenter:
   - apiVersion: v2
     appVersion: 6.4.0
-    created: "2024-09-10T15:43:29.7242241+03:00"
+    created: "2024-09-22T13:53:34.3864576+03:00"
     description: A Helm chart to deploy Tenable Security Center into Kubernetes clusters
-    digest: 43b55cf58581eae49feb1366a0bca6c4afe9ebb1df961fbedcdfc6abc3b56464
+    digest: c5e6f16434a5b1e848754b5137e01e7dcb2a5268412008cd8f04bae23330f6f4
     home: https://www.tenable.com
     maintainers:
     - email: [email protected]
@@ -82,7 +82,7 @@ entries:
     version: 1.2.0
   - apiVersion: v2
     appVersion: 6.3.0
-    created: "2024-09-10T15:43:29.7242241+03:00"
+    created: "2024-09-22T13:53:34.3858756+03:00"
     description: A Helm chart to deploy Tenable Security Center into Kubernetes clusters
     digest: 416c00aca31dc6505e6e9d6bc9791436bb3791077c06ea5d83b7f42b047b2947
     home: https://www.tenable.com
@@ -99,7 +99,7 @@ entries:
   tenable-endpoint-connector:
   - apiVersion: v2
     appVersion: 1.0.0
-    created: "2024-09-10T15:43:29.7253102+03:00"
+    created: "2024-09-22T13:53:34.387018+03:00"
     description: Tenable Cloud Security endpoint connector
     digest: 287c70490e944b4ab916afa430d3068dd41632f8e82f0a581ae32f423cdef5e2
     name: tenable-endpoint-connector
@@ -110,7 +110,7 @@ entries:
   tenable-kubernetes-cluster-connector:
   - apiVersion: v2
     appVersion: 1.3.0
-    created: "2024-09-10T15:43:29.7258124+03:00"
+    created: "2024-09-22T13:53:34.387018+03:00"
     description: Tenable Cloud Security Kubernetes cluster connector
     digest: 29b57f0eaf7e0532cc773bd00466665672ad9992d37680bcfe94bb36c125ced2
     name: tenable-kubernetes-cluster-connector
@@ -121,7 +121,7 @@ entries:
   tes-operator:
   - apiVersion: v2
     appVersion: 1.0.3
-    created: "2024-09-10T15:43:29.7301363+03:00"
+    created: "2024-09-22T13:53:34.3939531+03:00"
     description: Tenable Enclave Security operator
     digest: 3462f7c615c33b6425e18b02c64aa5d7ff86858ff14216e858bfad946eafa1b0
     name: tes-operator
@@ -131,7 +131,7 @@ entries:
     version: 1.0.3
   - apiVersion: v2
     appVersion: 1.0.2
-    created: "2024-09-10T15:43:29.7290807+03:00"
+    created: "2024-09-22T13:53:34.3929259+03:00"
     description: Tenable Enclave Security operator
     digest: 34eae1d86fb86480d53ee7927b86b1027e101cff82806e7772beab9bb3372d7d
     name: tes-operator
@@ -141,7 +141,7 @@ entries:
     version: 1.0.2
   - apiVersion: v2
     appVersion: 1.0.1
-    created: "2024-09-10T15:43:29.7280065+03:00"
+    created: "2024-09-22T13:53:34.3924139+03:00"
     description: Tenable Enclave Security operator
     digest: 05920b8d204c40af3f5c51c039f146099a9117532cf3a3b3d091c839837b4bbd
     name: tes-operator
@@ -151,12 +151,12 @@ entries:
     version: 1.0.1
   - apiVersion: v2
     appVersion: 1.0.0
-    created: "2024-09-10T15:43:29.7263231+03:00"
+    created: "2024-09-22T13:53:34.3875218+03:00"
     description: Tenable Enclave Security operator
     digest: 4281f28edc8c9e1224bb467365eb724ebe2a92266168be6c7e4c5b0fe9dfac20
     name: tes-operator
     type: application
     urls:
     - releases/tes-operator-1.0.0.tgz
     version: 1.0.0
-generated: "2024-09-10T15:43:29.7188828+03:00"
+generated: "2024-09-22T13:53:34.3827232+03:00"
diff --git a/releases/cloud-security-endpoint-connector-1.0.1.tgz b/releases/cloud-security-endpoint-connector-1.0.1.tgz
diff --git a/releases/cloud-security-kubernetes-cluster-1.0.1.tgz b/releases/cloud-security-kubernetes-cluster-1.0.1.tgz
diff --git a/releases/cloud-security-kubernetes-cluster-connector-1.4.1.tgz b/releases/cloud-security-kubernetes-cluster-connector-1.4.1.tgz
diff --git a/releases/securitycenter-1.2.0.tgz b/releases/securitycenter-1.2.0.tgz