From ac2ab7b74ed0a8077bb9b3ffd5ae1130b044c416 Mon Sep 17 00:00:00 2001
From: Jim Bugwadia
Date: Thu, 22 Oct 2020 00:41:25 -0700
Subject: [PATCH] update pod security context and switch to higher port
---
definitions/install.yaml | 33 ++++++++++++++++++++++++++-------
pkg/webhooks/server.go | 10 +++++-----
2 files changed, 31 insertions(+), 12 deletions(-)
diff --git a/definitions/install.yaml b/definitions/install.yaml
index 454da71fb2..5fee530904 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -1043,7 +1043,7 @@ metadata:
 spec:
 ports:
 - port: 443
- targetPort: 443
+ targetPort: 9443
 selector:
 app: kyverno
 ---
@@ -1064,10 +1064,13 @@ spec:
 labels:
 app: kyverno
 spec:
+ hostNetwork: false
+ hostPID: false
+ hostIPC: false
 containers:
 - args:
 - --filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]
- - -v=2
+ - -v=3
 env:
 - name: INIT_CONFIG
 value: init-config
@@ -1077,13 +1080,13 @@ spec:
 fieldPath: metadata.namespace
 - name: KYVERNO_SVC
 value: kyverno-svc
- image: nirmata/kyverno:v1.2.0
- imagePullPolicy: Always
+ image: nirmata/kyverno:v1.2.0-22-g704e1aad
+ imagePullPolicy: Never
 livenessProbe:
 failureThreshold: 4
 httpGet:
 path: /health/liveness
- port: 443
+ port: 9443
 scheme: HTTPS
 initialDelaySeconds: 5
 periodSeconds: 10
@@ -1091,12 +1094,12 @@ spec:
 timeoutSeconds: 5
 name: kyverno
 ports:
- - containerPort: 443
+ - containerPort: 9443
 readinessProbe:
 failureThreshold: 4
 httpGet:
 path: /health/readiness
- port: 443
+ port: 9443
 scheme: HTTPS
 initialDelaySeconds: 5
 periodSeconds: 10
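Review bot: The `-v=3` verbosity bump, together with `image: nirmata/kyverno:v1.2.0-22-g704e1aad` and `imagePullPolicy: Never` in the next hunk (@@ -1077), reads as local development state committed into the shipped install manifest: with `Never` the kubelet refuses to start the container on any node that does not already hold that exact untagged build (`ErrImageNeverPull`), and `-v=3` raises the default log level for every installer. Keep the release tag with `Always`, and leave `-v=2` unless level 3 is now the intended production verbosity, in which case say so in the commit message. The explicit `hostNetwork: false` / `hostPID: false` / `hostIPC: false` lines are fine: they pin the defaults so an audit can see the pod shares no host namespaces.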
@@ -1108,8 +1111,24 @@ spec:
 requests:
 cpu: 100m
 memory: 50Mi
+ securityContext:
+ runAsUser: 1000
+ runAsNonRoot: true
+ privileged: false
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
 initContainers:
 - image: nirmata/kyvernopre:v1.2.0
 imagePullPolicy: Always
 name: kyverno-pre
+ securityContext:
+ runAsUser: 1000
+ runAsNonRoot: true
+ privileged: false
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
 serviceAccountName: kyverno-service-account
diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index e118c1beb8..8b17d3736e 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -44,7 +44,7 @@ import (
 // WebhookServer contains configured TLS server with MutationWebhook.
 type WebhookServer struct {
- server http.Server
+ server *http.Server
 client *client.Client
 kyvernoClient *kyvernoclient.Clientset
@@ -209,8 +209,8 @@ func NewWebhookServer(
 w.WriteHeader(http.StatusOK)
 })
- ws.server = http.Server{
- Addr: ":443", // Listen on port for HTTPS requests
+ ws.server = &http.Server{
+ Addr: ":9443", // Listen on port for HTTPS requests
 TLSConfig: &tlsConfig,
 Handler: mux,
 ReadTimeout: 15 * time.Second,
@@ -507,12 +507,12 @@ func (ws *WebhookServer) RunAsync(stopCh <-chan struct{}) {
 logger.Info("failed to sync informer cache")
 }
- go func(ws *WebhookServer) {
+ go func () {
 logger.V(3).Info("started serving requests", "addr", ws.server.Addr)
 if err := ws.server.ListenAndServeTLS("", ""); err != http.ErrServerClosed {
 logger.Error(err, "failed to listen to requests")
 }
- }(ws)
+ }()
 logger.Info("starting")
 // verifies if the admission control is enabled and active
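Review bot: `capabilities.drop` lists `all` in lowercase in both the `kyverno` container and the `kyverno-pre` init container; the Kubernetes API documents the drop-everything sentinel as `ALL`, and while container runtimes are commonly lenient about case, policy checks that look for a dropped `ALL` (restricted Pod Security profiles, PSP `requiredDropCapabilities`) tend to compare the string exactly, so write `- ALL` in both places. Otherwise the block is a sound baseline (non-root, no privilege escalation, no privileged mode); `readOnlyRootFilesystem: true` would complete it if the binary writes nothing to its root filesystem, which is worth confirming against the image. This security context is also what makes the `:9443` move in pkg/webhooks/server.go necessary: once all capabilities are dropped the process lacks CAP_NET_BIND_SERVICE and cannot bind 443.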
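Review bot: With `server *http.Server` the field is nil until NewWebhookServer assigns it, so any method that dereferences `ws.server` on a WebhookServer not built by the constructor (a Stop/Shutdown path, if one exists outside this hunk) now panics instead of acting on an unused zero value; if such a path exists, guard it with a nil check. Record the invariant on the field: `server *http.Server // set by NewWebhookServer; nil before that`. The struct definition continues outside the hunk.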
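Review bot: `Addr: ":9443"` hard-codes the listen port a second time; definitions/install.yaml repeats the same number as the Service targetPort, the containerPort and both probe ports (hunks @@ -1043, @@ -1077, @@ -1091), so the two sources can drift silently. Hoist it into one named value, e.g. `const webhookAddr = ":9443"` used here and in the startup log, and make the trailing comment explain the change instead of restating the code: `// unprivileged port: the pod runs as non-root with all capabilities dropped, so it cannot bind 443`. Listening on all interfaces is unchanged and is what the Service's targetPort needs. The `http.Server` literal and NewWebhookServer continue outside the hunk.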
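Review bot: `go func () {` is not gofmt-clean (gofmt writes `go func() {`), so this file will now fail the formatting check; the closure captures `ws` from the method receiver, which is exactly what the removed explicit parameter carried, so dropping the parameter itself is fine. While on this line, `errors.Is(err, http.ErrServerClosed)` is the idiomatic comparison, though ListenAndServeTLS returns that sentinel unwrapped so the `!=` test is not wrong here. RunAsync begins and ends outside the hunk.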