Fix seccomp profile (#153)

Signed-off-by: v.oleynikov <[email protected]>

Author: duckhawk

charts/helm_lib/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
 type: library
 name: deckhouse_lib_helm
-version: 1.64.2
+version: 1.64.3
 description: "Helm utils template definitions for Deckhouse modules."

charts/helm_lib/README.md

@@ -650,16 +650,18 @@ list:
 
 ### helm_lib_module_container_security_context_pss_restricted_flexible
 
- SecurityContext for Deckhouse UID/GID 64535, PSS Restricted 
+ SecurityContext for Deckhouse UID/GID 64535 (or root), PSS Restricted 
  Optional keys: 
  .ro   – bool, read-only root FS (default true) 
  .caps – []string, capabilities.add (default empty) 
  .uid  – int, runAsUser/runAsGroup (default 64535) 
  .seccompProfile  – bool, disable seccompProfile when false (default true) 
+ .runAsNonRoot   – bool, run as Deckhouse user when true, root when false (default true) 
+ .seccompProfile  – bool, disable seccompProfile when false (default true) 
 
 #### Usage
 
-`include "helm_lib_module_container_security_context_pss_restricted_flexible" (dict "ro" false "caps" (list "NET_ADMIN" "SYS_TIME") "uid" 1001 "seccompProfile" false) `
+`include "helm_lib_module_container_security_context_pss_restricted_flexible" (dict "ro" false "caps" (list "NET_ADMIN" "SYS_TIME") "uid" 1001 "seccompProfile" false "runAsNonRoot" true) `
 
 
 

charts/helm_lib/templates/_csi_controller.tpl

@@ -241,7 +241,7 @@ spec:
       automountServiceAccountToken: true
       containers:
       - name: provisioner
-        {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 8 }}
+        {{- include "helm_lib_module_container_security_context_pss_restricted_flexible" (dict "ro" true "seccompProfile" true) | nindent 8 }}
         image: {{ $provisionerImage | quote }}
         args:
         - "--timeout={{ $provisionerTimeout }}"
@@ -294,7 +294,7 @@ spec:
             {{- include "provisioner_resources" $context | nindent 12 }}
   {{- end }}
       - name: attacher
-        {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 8 }}
+        {{- include "helm_lib_module_container_security_context_pss_restricted_flexible" (dict "ro" true "seccompProfile" true) | nindent 8 }}
         image: {{ $attacherImage | quote }}
         args:
         - "--timeout={{ $attacherTimeout }}"
@@ -325,7 +325,7 @@ spec:
   {{- end }}
             {{- if $resizerEnabled }}
       - name: resizer
-        {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 8 }}
+        {{- include "helm_lib_module_container_security_context_pss_restricted_flexible" (dict "ro" true "seccompProfile" true) | nindent 8 }}
         image: {{ $resizerImage | quote }}
         args:
         - "--timeout={{ $resizerTimeout }}"
@@ -357,7 +357,7 @@ spec:
             {{- end }}
             {{- if $syncerEnabled }}
       - name: syncer
-        {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 8 }}
+        {{- include "helm_lib_module_container_security_context_pss_restricted_flexible" (dict "ro" true "seccompProfile" true) | nindent 8 }}
         image: {{ $syncerImage | quote }}
         args:
         - "--leader-election"
@@ -384,7 +384,7 @@ spec:
             {{- end }}
     {{- if $snapshotterEnabled }}
       - name: snapshotter
-        {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 8 }}
+        {{- include "helm_lib_module_container_security_context_pss_restricted_flexible" (dict "ro" true "seccompProfile" true) | nindent 8 }}
         image: {{ $snapshotterImage | quote }}
         args:
         - "--timeout={{ $snapshotterTimeout }}"
@@ -418,7 +418,7 @@ spec:
   {{- end }}
             {{- end }}
       - name: livenessprobe
-        {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 8 }}
+        {{- include "helm_lib_module_container_security_context_pss_restricted_flexible" (dict "ro" true "seccompProfile" true) | nindent 8 }}
         image: {{ $livenessprobeImage | quote }}
         args:
         - "--csi-address=$(ADDRESS)"
@@ -454,7 +454,7 @@ spec:
 {{- if $forceCsiControllerPrivilegedContainer }}
         {{- include "helm_lib_module_container_security_context_escalated_sys_admin_privileged" . | nindent 8 }}
 {{- else }}
-        {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" . | nindent 8 }}
+        {{- include "helm_lib_module_container_security_context_pss_restricted_flexible" (dict "ro" true "seccompProfile" true) | nindent 8 }}
 {{- end }}
         image: {{ $controllerImage | quote }}
         args:

charts/helm_lib/templates/_csi_node.tpl

@@ -138,7 +138,7 @@ spec:
       {{- end }}
       containers:
       - name: node-driver-registrar
-        {{- include "helm_lib_module_container_security_context_read_only_root_filesystem" $context | nindent 8 }}
+        {{- include "helm_lib_module_container_security_context_pss_restricted_flexible" (dict "ro" true "seccompProfile" true "uid" "0" "runAsNonRoot" false) | nindent 8 }}
         image: {{ $driverRegistrarImage | quote }}
         args:
         - "--v=5"
@@ -182,6 +182,8 @@ spec:
         securityContext:
           privileged: true
           readOnlyRootFilesystem: true
+          seccompProfile:
+            type: RuntimeDefault
         {{- if $setSysAdminCapability }}
           capabilities:
             add:

charts/helm_lib/templates/_module_security_context.tpl

@@ -69,13 +69,15 @@ securityContext:
 {{- end }}
 
 
-{{- /* SecurityContext for Deckhouse UID/GID 64535, PSS Restricted */ -}}
+{{- /* SecurityContext for Deckhouse UID/GID 64535 (or root), PSS Restricted */ -}}
 {{- /* Optional keys: */ -}}
 {{- /* .ro   – bool, read-only root FS (default true) */ -}}
 {{- /* .caps – []string, capabilities.add (default empty) */ -}}
 {{- /* .uid  – int, runAsUser/runAsGroup (default 64535) */ -}}
 {{- /* .seccompProfile  – bool, disable seccompProfile when false (default true) */ -}}
-{{- /* Usage: include "helm_lib_module_container_security_context_pss_restricted_flexible" (dict "ro" false "caps" (list "NET_ADMIN" "SYS_TIME") "uid" 1001 "seccompProfile" false) */ -}}
+{{- /* .runAsNonRoot   – bool, run as Deckhouse user when true, root when false (default true) */ -}}
+{{- /* .seccompProfile  – bool, disable seccompProfile when false (default true) */ -}}
+{{- /* Usage: include "helm_lib_module_container_security_context_pss_restricted_flexible" (dict "ro" false "caps" (list "NET_ADMIN" "SYS_TIME") "uid" 1001 "seccompProfile" false "runAsNonRoot" true) */ -}}
 {{- define "helm_lib_module_container_security_context_pss_restricted_flexible" -}}
 {{- $ro := true -}}
 {{- if hasKey . "ro" -}}
@@ -87,10 +89,14 @@ securityContext:
 {{- end -}}
 {{- $caps := default (list) .caps -}}
 {{- $uid  := default 64535 .uid  -}}
+{{- $runAsNonRoot := true -}}
+{{- if hasKey . "runAsNonRoot" -}}
+  {{- $runAsNonRoot = .runAsNonRoot -}}
+{{- end -}}
 
 securityContext:
   readOnlyRootFilesystem: {{ $ro }}
-  allowPrivilegeEscalation: false
+  allowPrivilegeEscalation: {{ not $runAsNonRoot }}
   capabilities:
     drop:
       - ALL
@@ -99,7 +105,7 @@ securityContext:
 {{- end }}
   runAsUser:   {{ $uid }}
   runAsGroup:  {{ $uid }}
-  runAsNonRoot: true
+  runAsNonRoot: {{ $runAsNonRoot }}
 {{- if $seccompProfile }}
   seccompProfile:
     type: RuntimeDefault