Skip to content

Commit

Permalink
feat(chart): Improved default security context
Browse files Browse the repository at this point in the history
Signed-off-by: Steve Hipwell <[email protected]>
  • Loading branch information
stevehipwell committed Jan 2, 2025
1 parent 140ab17 commit 144aa53
Show file tree
Hide file tree
Showing 3 changed files with 39 additions and 14 deletions.
12 changes: 7 additions & 5 deletions charts/karpenter/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -45,15 +45,18 @@ cosign verify public.ecr.aws/karpenter/karpenter:1.1.1 \
| additionalLabels | object | `{}` | Additional labels to add into metadata. |
| affinity | object | `{"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"karpenter.sh/nodepool","operator":"DoesNotExist"}]}]}},"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity rules for scheduling the pod. If an explicit label selector is not provided for pod affinity or pod anti-affinity one will be created from the pod selector labels. |
| controller.containerName | string | `"controller"` | Distinguishing container name (containerName: karpenter-controller). |
| controller.env | list | `[]` | Additional environment variables for the controller pod. |
| controller.env | list | `[]` | Additional environment variables for the controller container. |
| controller.envFrom | list | `[]` | |
| controller.extraVolumeMounts | list | `[]` | Additional volumeMounts for the controller pod. |
| controller.extraVolumeMounts | list | `[]` | Additional volumeMounts for the controller container. |
| controller.healthProbe.port | int | `8081` | The container port to use for http health probe. |
| controller.image.digest | string | `"sha256:fe383abf1dbc79f164d1cbcfd8edaaf7ce97a43fbd6cb70176011ff99ce57523"` | SHA256 digest of the controller image. |
| controller.image.repository | string | `"public.ecr.aws/karpenter/controller"` | Repository path to the controller image. |
| controller.image.tag | string | `"1.1.1"` | Tag of the controller image. |
| controller.metrics.port | int | `8080` | The container port to use for metrics. |
| controller.resources | object | `{}` | Resources for the controller pod. |
| controller.resources | object | `{}` | Resources for the controller container. |
| controller.securityContext.appArmorProfile | object | `nil` | The AppArmor options to use by the controller container. |
| controller.securityContext.seLinuxOptions | object | `nil` | The SELinux context to be applied to the controller container. |
| controller.securityContext.seccompProfile | object | `{"type":"RuntimeDefault"}` | The seccomp options to use by the controller container. |
| controller.sidecarContainer | list | `[]` | Additional sidecarContainer config |
| controller.sidecarVolumeMounts | list | `[]` | Additional volumeMounts for the sidecar - this will be added to the volume mounts on top of extraVolumeMounts |
| dnsConfig | object | `{}` | Configure DNS Config for the pod |
Expand All @@ -72,7 +75,7 @@ cosign verify public.ecr.aws/karpenter/karpenter:1.1.1 \
| podDisruptionBudget.maxUnavailable | int | `1` | |
| podDisruptionBudget.name | string | `"karpenter"` | |
| podLabels | object | `{}` | Additional labels for the pod. |
| podSecurityContext | object | `{"fsGroup":65532}` | SecurityContext for the pod. |
| podSecurityContext | object | `{"fsGroup":65532,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | SecurityContext for the pod. |
| priorityClassName | string | `"system-cluster-critical"` | PriorityClass name for the pod. |
| replicas | int | `2` | Number of replicas. |
| revisionHistoryLimit | int | `10` | The number of old ReplicaSets to retain to allow rollback. |
Expand All @@ -90,7 +93,6 @@ cosign verify public.ecr.aws/karpenter/karpenter:1.1.1 \
| settings.clusterCABundle | string | `""` | Cluster CA bundle for TLS configuration of provisioned nodes. If not set, this is taken from the controller's TLS configuration for the API server. |
| settings.clusterEndpoint | string | `""` | Cluster endpoint. If not set, will be discovered during startup (EKS only) |
| settings.clusterName | string | `""` | Cluster name. |
| settings.eksControlPlane | bool | `false` | Marking this true means that your cluster is running with an EKS control plane and Karpenter should attempt to discover cluster details from the DescribeCluster API |
| settings.featureGates | object | `{"nodeRepair":false,"spotToSpotConsolidation":false}` | Feature Gate configuration values. Feature Gates will follow the same graduation process and requirements as feature gates in Kubernetes. More information here https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-alpha-or-beta-features |
| settings.featureGates.nodeRepair | bool | `false` | nodeRepair is ALPHA and is disabled by default. Setting this to true will enable node repair. |
| settings.featureGates.spotToSpotConsolidation | bool | `false` | spotToSpotConsolidation is ALPHA and is disabled by default. Setting this to true will enable spot replacement consolidation for both single and multi-node consolidation. |
Expand Down
23 changes: 18 additions & 5 deletions charts/karpenter/templates/deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -62,16 +62,29 @@ spec:
containers:
- name: {{ .Values.controller.containerName | default "controller" }}
securityContext:
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65532
runAsGroup: 65532
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
{{- with .Values.controller.securityContext }}
{{- with .appArmorProfile }}
appArmorProfile:
{{- toYaml . | nindent 14}}
{{- end }}
{{- with .seLinuxOptions }}
seLinuxOptions:
{{- toYaml . | nindent 14}}
{{- end }}
{{- with .seccompProfile }}
seccompProfile:
{{- toYaml . | nindent 14}}
{{- end }}
{{- end }}
image: {{ include "karpenter.controller.image" . }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
env:
Expand Down
18 changes: 14 additions & 4 deletions charts/karpenter/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,10 @@ podDisruptionBudget:
maxUnavailable: 1
# -- SecurityContext for the pod.
podSecurityContext:
runAsNonRoot: true
fsGroup: 65532
seccompProfile:
type: RuntimeDefault
# -- PriorityClass name for the pod.
priorityClassName: system-cluster-critical
# -- Override the default termination grace period for the pod.
Expand Down Expand Up @@ -111,12 +114,20 @@ controller:
tag: 1.1.1
# -- SHA256 digest of the controller image.
digest: sha256:51bca600197c7c6e6e0838549664b2c12c3f8dd4b23744ab28202ae97ca5aed1
# -- Additional environment variables for the controller pod.
securityContext:
# -- (object) The AppArmor options to use by the controller container.
appArmorProfile:
# -- (object) The SELinux context to be applied to the controller container.
seLinuxOptions:
# -- The seccomp options to use by the controller container.
seccompProfile:
type: RuntimeDefault
# -- Additional environment variables for the controller container.
env: []
# - name: AWS_REGION
# value: eu-west-1
envFrom: []
# -- Resources for the controller pod.
# -- Resources for the controller container.
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
Expand All @@ -128,8 +139,7 @@ controller:
# limits:
# cpu: 1
# memory: 1Gi

# -- Additional volumeMounts for the controller pod.
# -- Additional volumeMounts for the controller container.
extraVolumeMounts: []
# - name: aws-iam-token
# mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount
Expand Down

0 comments on commit 144aa53

Please sign in to comment.