From b5a77503e835cf1fb6e763e4fb6b253a99ea3867 Mon Sep 17 00:00:00 2001 From: jonasbg <1508560+jonasbg@users.noreply.github.com> Date: Wed, 6 Sep 2023 05:15:49 +0000 Subject: [PATCH 1/7] security(helm): added podSecurityContext --- helm/multi-juicer/templates/cleanup/cron-job.yaml | 4 ++++ helm/multi-juicer/templates/juice-balancer/config-map.yaml | 1 + helm/multi-juicer/templates/juice-balancer/deployment.yaml | 4 ++++ helm/multi-juicer/templates/progress-watchdog/deployment.yaml | 4 ++++ helm/multi-juicer/values.yaml | 3 +++ juice-balancer/src/kubernetes.js | 1 + 6 files changed, 17 insertions(+) diff --git a/helm/multi-juicer/templates/cleanup/cron-job.yaml b/helm/multi-juicer/templates/cleanup/cron-job.yaml index 6d135f384..ec0388610 100644 --- a/helm/multi-juicer/templates/cleanup/cron-job.yaml +++ b/helm/multi-juicer/templates/cleanup/cron-job.yaml @@ -29,6 +29,10 @@ spec: - image: '{{ .Values.juiceShopCleanup.repository }}:{{ .Values.juiceShopCleanup.tag | default (printf "v%s" .Chart.Version) }}' imagePullPolicy: {{ .Values.imagePullPolicy | quote }} name: 'cleanup-job' + {{- with .Values.juiceShopCleanup.podsecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} env: - name: NAMESPACE value: {{ .Release.Namespace | quote }} diff --git a/helm/multi-juicer/templates/juice-balancer/config-map.yaml b/helm/multi-juicer/templates/juice-balancer/config-map.yaml index c880f4034..04eb4909a 100644 --- a/helm/multi-juicer/templates/juice-balancer/config-map.yaml +++ b/helm/multi-juicer/templates/juice-balancer/config-map.yaml 
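Review bot: The block inserted after `name: 'cleanup-job'` renders `.Values.juiceShopCleanup.podsecurityContext` into the container's `securityContext`, so the value is named the opposite of what it is: in the Kubernetes API a `PodSecurityContext` is `spec.securityContext` on the pod template (`fsGroup`, `runAsUser`, ...), while the container field is the one that takes `allowPrivilegeEscalation`, `readOnlyRootFilesystem` and `capabilities`. An operator who reads the name literally and puts `fsGroup` under it gets a field the container schema does not have, which the API server will drop or, with strict field validation, reject. Either move the block to `spec.template.spec` or keep the placement and name it for what it is, e.g. `containerSecurityContext`, and say so in a `# --` comment in values.yaml. The existing `juiceShopCleanup.securityContext` value is not touched by this hunk, so where it is rendered is outside my view.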
@@ -32,6 +32,7 @@ data: "nodeEnv": {{ .Values.juiceShop.nodeEnv | quote }}, "resources": {{ .Values.juiceShop.resources | toJson }}, "securityContext": {{ .Values.juiceShop.securityContext | toJson }}, + "podsecurityContext": {{ .Values.juiceShop.podsecurityContext | toJson }}, "env": {{ .Values.juiceShop.env | toJson }}, "envFrom": {{ .Values.juiceShop.envFrom | toJson }}, "volumes": {{ .Values.juiceShop.volumes | toJson }}, diff --git a/helm/multi-juicer/templates/juice-balancer/deployment.yaml b/helm/multi-juicer/templates/juice-balancer/deployment.yaml index 4185efd87..5de7057a8 100644 --- a/helm/multi-juicer/templates/juice-balancer/deployment.yaml +++ b/helm/multi-juicer/templates/juice-balancer/deployment.yaml @@ -32,6 +32,10 @@ spec: - name: {{ .Chart.Name }} image: '{{ .Values.balancer.repository }}:{{ .Values.balancer.tag | default (printf "v%s" .Chart.Version) }}' imagePullPolicy: {{ .Values.imagePullPolicy | quote }} + {{- with .Values.balancer.podsecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} ports: - name: http containerPort: 3000 diff --git a/helm/multi-juicer/templates/progress-watchdog/deployment.yaml b/helm/multi-juicer/templates/progress-watchdog/deployment.yaml index 771d8d871..26fa79c59 100644 --- a/helm/multi-juicer/templates/progress-watchdog/deployment.yaml +++ b/helm/multi-juicer/templates/progress-watchdog/deployment.yaml @@ -22,6 +22,10 @@ spec: - name: progress-watchdog image: '{{ .Values.progressWatchdog.repository }}:{{ .Values.progressWatchdog.tag | default (printf "v%s" .Chart.Version) }}' imagePullPolicy: {{ .Values.imagePullPolicy | quote }} + {{- with .Values.progressWatchdog.podsecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} ports: - name: http containerPort: 8080 diff --git a/helm/multi-juicer/values.yaml b/helm/multi-juicer/values.yaml index 8a5750cb4..0c3952ad4 100644 --- a/helm/multi-juicer/values.yaml +++ b/helm/multi-juicer/values.yaml 
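Review bot: `{{ .Values.juiceShop.podsecurityContext | toJson }}` looks up a lowercase-s key, but the values.yaml hunk in this same patch adds the default under `juiceShop` as `podSecurityContext: {}`; Helm value lookups are case-sensitive, so with the shipped defaults this line renders `"podsecurityContext": null` and the setting silently never reaches the balancer. Use one spelling in values.yaml, this config-map and `kubernetes.js` — `podSecurityContext`, matching the adjacent `securityContext` key and the API field name, is the natural choice. `helm template` will not catch this because a missing value is simply `nil`, so a `helm lint`/render assertion in CI would be worth adding.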
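Review bot: `{{- with .Values.balancer.podsecurityContext }}` can never fire against the chart's own defaults, because values.yaml in this patch declares the key as `balancer.podSecurityContext` (capital S), and `with` on a missing key is a silent no-op rather than a render error. Align the spelling with values.yaml. As in the cleanup job, the block lands on the container, so `fsGroup` or other pod-only fields set here as the name invites would end up at the wrong level; a `# --` comment on the values key stating "applied to the container, not the pod" would prevent that.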
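Review bot: `.Values.progressWatchdog.podsecurityContext` has no counterpart in values.yaml — the diffstat shows three added values lines and they are the `balancer`, `juiceShop` and `juiceShopCleanup` keys — so the watchdog's setting is undeclared and undocumented even though the production-notes example later in this series sets it. Add `podSecurityContext: {}` under `progressWatchdog`, spelled the same way as the other components, with a `# --` comment; an undeclared key is easy to mistype and the `with` guard hides the mistake.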
@@ -57,6 +57,7 @@ balancer: memory: 256Mi cpu: 400m securityContext: {} + podSecurityContext: {} # -- Optional Configure kubernetes scheduling affinity for the created JuiceShops (see: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) affinity: {} # -- Optional Configure kubernetes toleration for the created JuiceShops (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) @@ -119,6 +120,7 @@ juiceShop: # memory: 200Mi # -- Optional securityContext definitions to set for each JuiceShop instance securityContext: {} + podSecurityContext: {} # -- Optional environment variables to set for each JuiceShop instance (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) env: [] # env: @@ -191,6 +193,7 @@ juiceShopCleanup: limits: memory: 256Mi securityContext: {} + podsecurityContext: {} # -- Optional Configure kubernetes scheduling affinity for the JuiceShopCleanup Job(see: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) affinity: {} # -- Optional Configure kubernetes toleration for the JuiceShopCleanup Job (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) diff --git a/juice-balancer/src/kubernetes.js b/juice-balancer/src/kubernetes.js index 831ac8bf8..e105f0046 100644 --- a/juice-balancer/src/kubernetes.js +++ b/juice-balancer/src/kubernetes.js @@ -70,6 +70,7 @@ const createDeploymentForTeam = async ({ team, passcodeHash }) => { image: `${get('juiceShop.image')}:${get('juiceShop.tag')}`, imagePullPolicy: get('juiceShop.imagePullPolicy'), resources: get('juiceShop.resources'), + securityContext: get('juiceShop.podsecurityContext'), env: [ { name: 'NODE_ENV', From 544894704a7ae167fe80b4abe4df14ae607a112f Mon Sep 17 00:00:00 2001 
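Review bot: The three added keys are spelled inconsistently — `podSecurityContext: {}` under `balancer` and `juiceShop`, `podsecurityContext: {}` under `juiceShopCleanup` — while every template in this patch looks up the lowercase form, so only the cleanup default is actually wired to anything. Settle on `podSecurityContext` (it matches the sibling `securityContext` keys and the Kubernetes field) and apply it across templates, config-map and `kubernetes.js`. The new keys also lack the `# --` helm-docs comment their `securityContext` neighbours carry; something like `# -- Optional securityContext applied to the job's container (not the pod)` would document both the purpose and the placement.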
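Review bot: `securityContext: get('juiceShop.podsecurityContext')` forwards whatever the config-map exported, which with the chart's default `podSecurityContext: {}` (capital S) is `null`, so the container spec is emitted with an explicit null field rather than leaving it unset. The config-map already exports `juiceShop.securityContext`, and if that value is assigned to `securityContext` elsewhere in this same container literal the later duplicate key wins silently — worth checking, since the rest of the literal is outside the hunk. A guard avoids both problems: `...(get('juiceShop.podsecurityContext') ? { securityContext: get('juiceShop.podsecurityContext') } : {}),`. `createDeploymentForTeam` begins at the hunk header and its body continues past the hunk, so I cannot see where the pod-level `securityContext` is set.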
From: jonasbg <1508560+jonasbg@users.noreply.github.com> Date: Wed, 6 Sep 2023 05:21:05 +0000 Subject: [PATCH 2/7] docs(securityContext): draft podSecurityContext --- guides/production-notes/production-notes.md | 28 +++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/guides/production-notes/production-notes.md b/guides/production-notes/production-notes.md index c0854a36a..abccc6452 100644 --- a/guides/production-notes/production-notes.md +++ b/guides/production-notes/production-notes.md @@ -9,12 +9,28 @@ To ensure MultiJuicer runs as smoothly during your CTF's / trainings / workshops 5. When running a CTF with JuiceShop challenge flags, make sure to change `juiceShop.ctfKey` from the default. Otherwise users will be able to generate their own flags relatively easily. Additionally, include the `juiceShop.nodeEnv` value and specify it as "ctf". This way, it will generate flags for the CTF event. The default behavior is to not generate them. 6. When using prometheus metrics, e.g. when you have followed the [Monitoring SetUp Guide](https://github.com/juice-shop/multi-juicer/blob/main/guides/monitoring-setup/monitoring.md) you'll want to change `balancer.metrics.basicAuth.password` to a non default values. Otherwise users can use the default value to access the technical metrics of the JuiceBalancer pods. +## Security Consideration + +Add SecurityContext, PodSecurityContext and NetworkPolicy to further isolate and secure your training plattform. + ## TLDR Here's a example helm values file: ```yaml balancer: + securityContext: + runAsUser: 1000 + runAsGroup: 3000 + fsGroup: 2000 + runAsNonRoot: true + podsecurityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + networkPolicy: true replicas: 3 cookie: cookieParserSecret: "THIS_IS_A_EXAMPLE_DONT_USE_THIS_AS_THE_ACTUAL_SECRET" 
@@ -27,4 +43,16 @@ juiceShop: maxInstances: 42 nodeEnv: "ctf" ctfKey: "DONT_LET_ME_FIND_YOU_USING_THIS_EXACT_VALUE" + securityContext: + runAsUser: 1000 + runAsGroup: 3000 + fsGroup: 2000 + runAsNonRoot: true + podsecurityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + networkPolicy: true ``` From 441d10348c3ad55ebc8b41c34f97285f3c952139 Mon Sep 17 00:00:00 2001 From: jonasbg <1508560+jonasbg@users.noreply.github.com> Date: Wed, 6 Sep 2023 05:24:20 +0000 Subject: [PATCH 3/7] helm(networkpolicy): added networkpolicy to juice-shop --- guides/production-notes/production-notes.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/guides/production-notes/production-notes.md b/guides/production-notes/production-notes.md index abccc6452..eb334b959 100644 --- a/guides/production-notes/production-notes.md +++ b/guides/production-notes/production-notes.md @@ -55,4 +55,15 @@ juiceShop: drop: - ALL networkPolicy: true + +progressWatchdog: + securityContext: + runAsNonRoot: true + podsecurityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + networkPolicy: true ``` From fd4be31a72b0ba748e783b8edda44a8a8d81dc16 Mon Sep 17 00:00:00 2001 From: jonasbg <1508560+jonasbg@users.noreply.github.com> Date: Wed, 6 Sep 2023 05:30:40 +0000 Subject: [PATCH 4/7] helm(networkpolicy): added networkpolicy to juice-shop --- .../templates/juice-shop/networkPolicy.yaml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 helm/multi-juicer/templates/juice-shop/networkPolicy.yaml diff --git a/helm/multi-juicer/templates/juice-shop/networkPolicy.yaml b/helm/multi-juicer/templates/juice-shop/networkPolicy.yaml new file mode 100644 index 000000000..0d08ffb79 --- /dev/null +++ b/helm/multi-juicer/templates/juice-shop/networkPolicy.yaml 
@@ -0,0 +1,27 @@ +{{- if .Values.juiceshop.networkPolicy }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: networkPolicy-juice-shop +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: 'juice-shop' + policyTypes: + - Ingress + - Egress + ingress: + - from: + - podSelector: + matchLabels: + {{- include "multi-juicer.juice-balancer.labels" . | nindent 14 }} + ports: + - port: http + egress: + - to: + - podSelector: + matchLabels: + {{- include "multi-juicer.juice-balancer.labels" . | nindent 14 }} + ports: + - port: http +{{- end }} \ No newline at end of file From c5520068b0d15dc35b62053c477ae3df417d953f Mon Sep 17 00:00:00 2001 From: jonasbg <1508560+jonasbg@users.noreply.github.com> Date: Wed, 6 Sep 2023 05:32:41 +0000 Subject: [PATCH 5/7] helm(securityContext): small fix in docs --- guides/production-notes/production-notes.md | 7 ------- 1 file changed, 7 deletions(-) diff --git a/guides/production-notes/production-notes.md b/guides/production-notes/production-notes.md index eb334b959..97dd67dec 100644 --- a/guides/production-notes/production-notes.md +++ b/guides/production-notes/production-notes.md @@ -20,9 +20,6 @@ Here's a example helm values file: ```yaml balancer: securityContext: - runAsUser: 1000 - runAsGroup: 3000 - fsGroup: 2000 runAsNonRoot: true podsecurityContext: allowPrivilegeEscalation: false @@ -44,9 +41,6 @@ juiceShop: nodeEnv: "ctf" ctfKey: "DONT_LET_ME_FIND_YOU_USING_THIS_EXACT_VALUE" securityContext: - runAsUser: 1000 - runAsGroup: 3000 - fsGroup: 2000 runAsNonRoot: true podsecurityContext: allowPrivilegeEscalation: false @@ -65,5 +59,4 @@ progressWatchdog: capabilities: drop: - ALL - networkPolicy: true ``` From 23685fe54592a89e90ec6143f5d59f11f353ce9f Mon Sep 17 00:00:00 2001 
From: Jonas Bo Grimsgaard <1508560+jonasbg@users.noreply.github.com> Date: Mon, 18 Sep 2023 09:33:11 +0200 Subject: [PATCH 6/7] feat(networkPolicy): networkpolicy for juice-shop --- .../templates/juice-shop/networkPolicy.yaml | 47 ++++++++++++------- 1 file changed, 30 insertions(+), 17 deletions(-) diff --git a/helm/multi-juicer/templates/juice-shop/networkPolicy.yaml b/helm/multi-juicer/templates/juice-shop/networkPolicy.yaml index 0d08ffb79..d4593fc9c 100644 --- a/helm/multi-juicer/templates/juice-shop/networkPolicy.yaml +++ b/helm/multi-juicer/templates/juice-shop/networkPolicy.yaml @@ -1,27 +1,40 @@ -{{- if .Values.juiceshop.networkPolicy }} +{{- if .Values.juiceShop.networkPolicy }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: networkPolicy-juice-shop + name: networkpolicy-juice-shop spec: podSelector: matchLabels: app.kubernetes.io/name: 'juice-shop' policyTypes: - - Ingress - - Egress + - Ingress + - Egress ingress: - - from: - - podSelector: - matchLabels: - {{- include "multi-juicer.juice-balancer.labels" . | nindent 14 }} - ports: - - port: http + - from: + - podSelector: + matchLabels: + app.kubernetes.io/name: 'juice-balancer' + ports: + - port: http egress: - - to: - - podSelector: - matchLabels: - {{- include "multi-juicer.juice-balancer.labels" . | nindent 14 }} - ports: - - port: http -{{- end }} \ No newline at end of file + - to: + - podSelector: + matchLabels: + app.kubernetes.io/name: 'juice-balancer' + - podSelector: + matchLabels: + app.kubernetes.io/name: 'progress-watchdog' + ports: + - port: http + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + to: + - namespaceSelector: {} + podSelector: + matchLabels: + k8s-app: kube-dns +{{- end }} From 0ab53ffa19fb65c021d8cf8cc1997d6c9468482d Mon Sep 17 00:00:00 2001 
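Review bot: The new `egress` rule permits juice-shop → progress-watchdog on `http`, but if the watchdog still works by polling each juice-shop instance, the connection originates at the watchdog and belongs in `ingress` next to the balancer entry; as written, enabling the policy would cut progress tracking off. Nothing in this series adds `juiceShop.networkPolicy` to values.yaml, so the guard on the first line defaults the whole file to off with no declared switch to turn it on. The policy also denies every other in-cluster client of the juice-shop pods (metrics scrapers included), which may be intended but deserves a comment at the top of the file. PATCH 7 deletes this file again; these points apply if it is revived.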
From: Jonas Bo Grimsgaard <1508560+jonasbg@users.noreply.github.com> Date: Mon, 18 Sep 2023 09:53:42 +0200 Subject: [PATCH 7/7] removed(networkPolicy): removed network policy --- guides/production-notes/production-notes.md | 5 +-- .../templates/juice-shop/networkPolicy.yaml | 40 ------------------- 2 files changed, 1 insertion(+), 44 deletions(-) delete mode 100644 helm/multi-juicer/templates/juice-shop/networkPolicy.yaml diff --git a/guides/production-notes/production-notes.md b/guides/production-notes/production-notes.md index 97dd67dec..7ee2382ab 100644 --- a/guides/production-notes/production-notes.md +++ b/guides/production-notes/production-notes.md @@ -11,7 +11,7 @@ To ensure MultiJuicer runs as smoothly during your CTF's / trainings / workshops ## Security Consideration -Add SecurityContext, PodSecurityContext and NetworkPolicy to further isolate and secure your training plattform. +Add SecurityContext and PodSecurityContext further isolate and secure your training plattform. ## TLDR @@ -27,7 +27,6 @@ balancer: capabilities: drop: - ALL - networkPolicy: true replicas: 3 cookie: cookieParserSecret: "THIS_IS_A_EXAMPLE_DONT_USE_THIS_AS_THE_ACTUAL_SECRET" @@ -44,11 +43,9 @@ juiceShop: runAsNonRoot: true podsecurityContext: allowPrivilegeEscalation: false - readOnlyRootFilesystem: true capabilities: drop: - ALL - networkPolicy: true progressWatchdog: securityContext: diff --git a/helm/multi-juicer/templates/juice-shop/networkPolicy.yaml b/helm/multi-juicer/templates/juice-shop/networkPolicy.yaml deleted file mode 100644 index d4593fc9c..000000000 --- a/helm/multi-juicer/templates/juice-shop/networkPolicy.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -{{- if .Values.juiceShop.networkPolicy }} -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: networkpolicy-juice-shop -spec: - podSelector: - matchLabels: - app.kubernetes.io/name: 'juice-shop' - policyTypes: - - Ingress - - Egress - ingress: - - from: - - podSelector: - matchLabels: - app.kubernetes.io/name: 'juice-balancer' - ports: - - port: http - egress: - - to: - - podSelector: - matchLabels: - app.kubernetes.io/name: 'juice-balancer' - - podSelector: - matchLabels: - app.kubernetes.io/name: 'progress-watchdog' - ports: - - port: http - - ports: - - port: 53 - protocol: UDP - - port: 53 - protocol: TCP - to: - - namespaceSelector: {} - podSelector: - matchLabels: - k8s-app: kube-dns -{{- end }}