Security context of init containers #671

New Issue

Open

opened 2024-07-02 06:50:40 +00:00 by inzanez · 4 comments

inzanez commented 2024-07-02 06:50:40 +00:00 (Migrated from gitea.com)

Copy Link

Hi

I just tried installling the latest Gitea version with the chart on a hardened RKE2 cluster. I set:

securityContext:
  allowPrivilegeEscalation: false
  runAsUser: 1000
  capabilities:
    drop:
    - ALL

but it seems that this does not apply to the init containers:

W0702 08:42:08.699388    5916 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "init-directories", "init-app-ini", "configure-gitea", "gitea" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "init-directories", "init-app-ini", "configure-gitea", "gitea" must set securityContext.capabilities.drop=["ALL"])

Is there a way to configure these settings for the init containers at all?

Hi I just tried installling the latest Gitea version with the chart on a hardened RKE2 cluster. I set: ``` securityContext: allowPrivilegeEscalation: false runAsUser: 1000 capabilities: drop: - ALL ``` but it seems that this does not apply to the init containers: ``` W0702 08:42:08.699388 5916 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "init-directories", "init-app-ini", "configure-gitea", "gitea" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "init-directories", "init-app-ini", "configure-gitea", "gitea" must set securityContext.capabilities.drop=["ALL"]) ``` Is there a way to configure these settings for the init containers at all?

pat-s commented 2024-07-02 08:52:00 +00:00 (Migrated from gitea.com)

Copy Link

1ac39a6f5d/templates/gitea/deployment.yaml (L92-L93)

https://gitea.com/gitea/helm-chart/src/commit/1ac39a6f5dd0dc09c2fd933f79d75d883bf4278d/templates/gitea/deployment.yaml#L92-L93

loic-seguin commented 2024-07-24 14:45:24 +00:00 (Migrated from gitea.com)

Copy Link

Same problem here, I have tried this in the values.yml

containerSecurityContext:
  runAsUser: 1002260000
  fsGroup: 1002260000

and it seems that only the value runAsUser is taken in account.

Same problem here, I have tried this in the values.yml ``` containerSecurityContext: runAsUser: 1002260000 fsGroup: 1002260000 ``` and it seems that only the value runAsUser is taken in account.

pat-s commented 2024-08-29 09:53:55 +00:00 (Migrated from gitea.com)

Copy Link

The values should be inserted as-is based on the template logic.
Can you show that these are not injected into the pod spec at runtime?

Note that "having an/the desired effect" is different again compared to the values not being injected in the first place.

@inzanez It seems you've used the deprecated securityContext which is not taken care of in all init containers. Using containerSecurityContext should do it.

The values should be inserted as-is based on the template logic. Can you show that these are not injected into the pod spec at runtime? Note that "having an/the desired effect" is different again compared to the values not being injected in the first place. @inzanez It seems you've used the deprecated `securityContext` which is not taken care of in all init containers. Using `containerSecurityContext` should do it.

justusbunsi commented 2024-11-10 14:13:44 +00:00 (Migrated from gitea.com)

Copy Link

Same problem here, I have tried this in the values.yml

containerSecurityContext:
  runAsUser: 1002260000
  fsGroup: 1002260000

and it seems that only the value runAsUser is taken in account.

To my knowledge, Kubernetes only takes fsGroup into account on pod-level securityContext.

> Same problem here, I have tried this in the values.yml > > ``` > containerSecurityContext: > runAsUser: 1002260000 > fsGroup: 1002260000 > ``` > > and it seems that only the value runAsUser is taken in account. To my knowledge, Kubernetes only takes `fsGroup` into account on pod-level `securityContext`.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

No results found.

v10.6.0

v10.5.0

v10.4.1

v10.4.0

v10.3.0

v10.2.0

v10.1.4

v10.1.3

v10.1.2

v10.1.1

v10.1.0

v10.0.2

v10.0.1

v10.0.0

v9.6.1

v9.6.0

v9.5.1

v9.5.0

v9.4.0

v9.3.0

v9.2.1

v9.2.0

v9.1.0

v9.0.4

v9.0.3

v9.0.2

v9.0.1

v9.0.0

v8.3.0

v8.2.0

v8.1.0

v8.0.3

v8.0.2

v8.0.1

v8.0.0

v7.0.4

v7.0.3

v7.0.2

v7.0.1

v7.0.0

v6.0.5

v6.0.4

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.9

v5.0.8

v5.0.7

v5.0.6

v5.0.5

v5.0.4

v5.0.3

v5.0.2

v5.0.1

v5.0.0

v4.1.1

v4.1.0

v4.0.3

v4.0.2

v4.0.1

v4.0.0

v3.1.4

v3.1.3

v3.1.2

v3.1.1

v3.1.0

v3.0.0

v2.2.5

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.11

v2.1.10

v2.1.9

v2.1.8

v2.1.7

v2.1.6

v2.1.5

v2.1.4

v2.1.3

v2.1.2

v2.1.1

v2.1.0

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.0

v1.5.5

v1.5.4

v1.5.3

v1.5.2

v1.5.1

v1.5.0

v1.4.9

v1.4.8

v1.4.7

v1.4.6

v1.4.5

v1.4.4

v1.4.3

v1.4.2

Labels

Clear labels

has/backport

in progress

invalid

kind/breaking

kind/bug

kind/build

kind/dependency

kind/deployment

kind/docs

kind/enhancement

kind/feature

kind/lint

kind/proposal

kind/question

kind/refactor

kind/security

kind/testing

kind/translation

kind/ui

need/backport

priority/critical

priority/low

priority/maybe

priority/medium

reviewed/duplicate

reviewed/invalid

reviewed/wontfix

skip-changelog

status/blocked

status/needs-feedback

status/needs-reviews

status/wip

upstream/gitea

upstream/other

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: lunny/helm-chart#671

No description provided.