Patch values for policy rules violation (#205)

* patch values for hubble relay

Signed-off-by: Matias Charriere <[email protected]>

* patch values for hubble ui

Signed-off-by: Matias Charriere <[email protected]>

* patch values for cilium-operator

Signed-off-by: Matias Charriere <[email protected]>

* run sync/sync.sh

Signed-off-by: Matias Charriere <[email protected]>

* improve sec hubble relay

Signed-off-by: Matias Charriere <[email protected]>

* Update changelog

Signed-off-by: Matias Charriere <[email protected]>

---------

Signed-off-by: Matias Charriere <[email protected]>

CHANGELOG.md

@@ -11,6 +11,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Upgrade Cilium to [v1.16.0](https://github.com/cilium/cilium/releases/tag/v1.16.0).
 - Disable digest in all images.
+- Improve security defaults for:
+  - Hubble UI
+  - Hubble Relay
+  - Cilium Operator
 
 ## [0.25.1] - 2024-06-26
 

diffs/helm__cilium__values.yaml.tmpl.patch

@@ -1,5 +1,5 @@
 diff --git a/vendor/cilium/install/kubernetes/cilium/values.yaml.tmpl b/helm/cilium/values.yaml.tmpl
-index e46a039..f76a8af 100644
+index e46a039..8a51df5 100644
 --- a/vendor/cilium/install/kubernetes/cilium/values.yaml.tmpl
 +++ b/helm/cilium/values.yaml.tmpl
 @@ -136,6 +136,16 @@ serviceAccounts:
@@ -63,7 +63,14 @@ index e46a039..f76a8af 100644
      # -- Roll out Hubble Relay pods automatically when configmap is updated.
      rollOutPods: false
      # -- Hubble-relay container image.
-@@ -1341,7 +1352,8 @@ hubble:
+@@ -1337,11 +1348,14 @@ hubble:
+     # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+     tolerations: []
+     # -- Additional hubble-relay environment variables.
+-    extraEnv: []
++    extraEnv:
++      - name: GOPS_CONFIG_DIR
++        value: /tmp
      # -- Annotations to be added to all top-level hubble-relay objects (resources under templates/hubble-relay)
      annotations: {}
      # -- Annotations to be added to hubble-relay pods
@@ -73,7 +80,42 @@ index e46a039..f76a8af 100644
      # -- Labels to be added to hubble-relay pods
      podLabels: {}
      # PodDisruptionBudget settings
-@@ -1459,7 +1471,7 @@ hubble:
+@@ -1373,21 +1387,28 @@ hubble:
+         # @schema
+         maxUnavailable: 1
+     # -- Additional hubble-relay volumes.
+-    extraVolumes: []
++    extraVolumes:
++      - emptyDir: {}
++        name: tmp-dir
+     # -- Additional hubble-relay volumeMounts.
+-    extraVolumeMounts: []
++    extraVolumeMounts:
++      - name: tmp-dir
++        mountPath: /tmp
+     # -- hubble-relay pod security context
+     podSecurityContext:
+       fsGroup: 65532
+     # -- hubble-relay container security context
+     securityContext:
+-      # readOnlyRootFilesystem: true
+-      runAsNonRoot: true
+-      runAsUser: 65532
+-      runAsGroup: 65532
++      allowPrivilegeEscalation: false
+       capabilities:
+         drop:
+           - ALL
++      readOnlyRootFilesystem: true
++      runAsNonRoot: true
++      runAsUser: 65532
++      runAsGroup: 65532
++      seccompProfile:
++        type: RuntimeDefault
+     # -- hubble-relay service configuration.
+     service:
+       # --- The type of service used for Hubble Relay access, either ClusterIP or NodePort.
+@@ -1459,7 +1480,7 @@ hubble:
      # -- Enable prometheus metrics for hubble-relay on the configured port at
      # /metrics
      prometheus:
@@ -82,7 +124,7 @@ index e46a039..f76a8af 100644
        port: 9966
        serviceMonitor:
          # -- Enable service monitors.
-@@ -1498,7 +1510,7 @@ hubble:
+@@ -1498,7 +1519,7 @@ hubble:
        port: 6062
    ui:
      # -- Whether to enable the Hubble UI.
@@ -91,25 +133,53 @@ index e46a039..f76a8af 100644
      standalone:
        # -- When true, it will allow installing the Hubble UI only, without checking dependencies.
        # It is useful if a cluster already has cilium and Hubble relay installed and you just
-@@ -1541,7 +1553,7 @@ hubble:
+@@ -1541,10 +1562,20 @@ hubble:
          repository: "${HUBBLE_UI_BACKEND_REPO}"
          tag: "${HUBBLE_UI_BACKEND_VERSION}"
          digest: "${HUBBLE_UI_BACKEND_DIGEST}"
 -        useDigest: true
 +        useDigest: false
          pullPolicy: "${PULL_POLICY}"
        # -- Hubble-ui backend security context.
-       securityContext: {}
-@@ -1575,7 +1587,7 @@ hubble:
+-      securityContext: {}
++      securityContext:
++        allowPrivilegeEscalation: false
++        capabilities:
++          drop:
++            - ALL
++        readOnlyRootFilesystem: true
++        runAsGroup: 65532
++        runAsNonRoot: true
++        runAsUser: 65532
++        seccompProfile:
++          type: RuntimeDefault
+       # -- Additional hubble-ui backend environment variables.
+       extraEnv: []
+       # -- Additional hubble-ui backend volumes.
+@@ -1575,10 +1606,20 @@ hubble:
          repository: "${HUBBLE_UI_FRONTEND_REPO}"
          tag: "${HUBBLE_UI_FRONTEND_VERSION}"
          digest: "${HUBBLE_UI_FRONTEND_DIGEST}"
 -        useDigest: true
 +        useDigest: false
          pullPolicy: "${PULL_POLICY}"
        # -- Hubble-ui frontend security context.
-       securityContext: {}
-@@ -1602,7 +1614,8 @@ hubble:
+-      securityContext: {}
++      securityContext:
++        allowPrivilegeEscalation: false
++        capabilities:
++          drop:
++            - ALL
++        readOnlyRootFilesystem: true
++        runAsGroup: 101
++        runAsNonRoot: true
++        runAsUser: 101
++        seccompProfile:
++          type: RuntimeDefault
+       # -- Additional hubble-ui frontend environment variables.
+       extraEnv: []
+       # -- Additional hubble-ui frontend volumes.
+@@ -1602,7 +1643,8 @@ hubble:
      # -- Annotations to be added to all top-level hubble-ui objects (resources under templates/hubble-ui)
      annotations: {}
      # -- Annotations to be added to hubble-ui pods
@@ -119,7 +189,22 @@ index e46a039..f76a8af 100644
      # -- Labels to be added to hubble-ui pods
      podLabels: {}
      # PodDisruptionBudget settings
-@@ -1868,9 +1881,9 @@ l2NeighDiscovery:
+@@ -1648,9 +1690,13 @@ hubble:
+         maxUnavailable: 1
+     # -- Security context to be added to Hubble UI pods
+     securityContext:
++      enabled: true
++      fsGroup: 1001
+       runAsUser: 1001
+       runAsGroup: 1001
+-      fsGroup: 1001
++      runAsNonRoot: true
++      seccompProfile:
++        type: RuntimeDefault
+     # -- hubble-ui service configuration.
+     service:
+       # -- Annotations to be added for the Hubble UI service
+@@ -1868,9 +1914,9 @@ l2NeighDiscovery:
  # -- Enable Layer 7 network policy.
  l7Proxy: true
  # -- Enable Local Redirect Policy.
@@ -131,7 +216,7 @@ index e46a039..f76a8af 100644
 
  # logOptions allows you to define logging options. eg:
  # logOptions:
-@@ -2041,7 +2054,7 @@ pprof:
+@@ -2041,7 +2087,7 @@ pprof:
    port: 6060
  # -- Configure prometheus metrics on the configured port at /metrics
  prometheus:
@@ -140,7 +225,7 @@ index e46a039..f76a8af 100644
    port: 9962
    serviceMonitor:
      # -- Enable service monitors.
-@@ -2078,7 +2091,8 @@ prometheus:
+@@ -2078,7 +2124,8 @@ prometheus:
    # The list is expected to be separated by a space. (+metric_foo to enable
    # metric_foo , -metric_bar to disable metric_bar).
    # ref: https://docs.cilium.io/en/stable/observability/metrics/
@@ -150,7 +235,7 @@ index e46a039..f76a8af 100644
    # --- Enable controller group metrics for monitoring specific Cilium
    # subsystems. The list is a list of controller group names. The special
    # values of "all" and "none" are supported. The set of controller
-@@ -2105,9 +2119,7 @@ envoy:
+@@ -2105,9 +2152,7 @@ envoy:
    # type: [null, boolean]
    # @schema
    # -- Enable Envoy Proxy in standalone DaemonSet.
@@ -161,7 +246,7 @@ index e46a039..f76a8af 100644
    # -- (int)
    # Set Envoy'--base-id' to use when allocating shared memory regions.
    # Only needs to be changed if multiple Envoy instances will run on the same node and may have conflicts. Supported values: 0 - 4294967295. Defaults to '0'
-@@ -2140,7 +2152,7 @@ envoy:
+@@ -2140,7 +2185,7 @@ envoy:
      tag: "${CILIUM_ENVOY_VERSION}"
      pullPolicy: "${PULL_POLICY}"
      digest: "${CILIUM_ENVOY_DIGEST}"
@@ -170,7 +255,44 @@ index e46a039..f76a8af 100644
    # -- Additional containers added to the cilium Envoy DaemonSet.
    extraContainers: []
    # -- Additional envoy container arguments.
-@@ -2543,7 +2555,7 @@ operator:
+@@ -2515,7 +2560,9 @@ operator:
+   # -- Additional cilium-operator container arguments.
+   extraArgs: []
+   # -- Additional cilium-operator environment variables.
+-  extraEnv: []
++  extraEnv:
++    - name: GOPS_CONFIG_DIR
++      value: /tmp
+   # -- Additional cilium-operator hostPath mounts.
+   extraHostPathMounts: []
+   # - name: host-mnt-data
+@@ -2526,15 +2573,22 @@ operator:
+   #   mountPropagation: HostToContainer
+
+   # -- Additional cilium-operator volumes.
+-  extraVolumes: []
++  extraVolumes:
++    - emptyDir: {}
++      name: tmp-dir
+   # -- Additional cilium-operator volumeMounts.
+-  extraVolumeMounts: []
++  extraVolumeMounts:
++    - name: tmp-dir
++      mountPath: /tmp
+   # -- Annotations to be added to all top-level cilium-operator objects (resources under templates/cilium-operator)
+   annotations: {}
+   # -- HostNetwork setting
+   hostNetwork: true
+   # -- Security context to be added to cilium-operator pods
+-  podSecurityContext: {}
++  podSecurityContext:
++    runAsNonRoot: true
++    seccompProfile:
++      type: RuntimeDefault
+   # -- Annotations to be added to cilium-operator pods
+   podAnnotations: {}
+   # -- Labels to be added to cilium-operator pods
+@@ -2543,7 +2597,7 @@ operator:
    podDisruptionBudget:
      # -- enable PodDisruptionBudget
      # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
@@ -179,7 +301,27 @@ index e46a039..f76a8af 100644
      # @schema
      # type: [null, integer, string]
      # @schema
-@@ -2656,7 +2668,7 @@ nodeinit:
+@@ -2566,8 +2620,17 @@ operator:
+   #     memory: 128Mi
+
+   # -- Security context to be added to cilium-operator pods
+-  securityContext: {}
+-  # runAsUser: 0
++  securityContext:
++    allowPrivilegeEscalation: false
++    capabilities:
++      drop:
++      - ALL
++    readOnlyRootFilesystem: true
++    runAsGroup: 65532
++    runAsNonRoot: true
++    runAsUser: 65532
++    seccompProfile:
++      type: RuntimeDefault
+
+   # -- Interval for endpoint garbage collection.
+   endpointGCInterval: "5m0s"
+@@ -2656,7 +2719,7 @@ nodeinit:
      repository: "${CILIUM_NODEINIT_REPO}"
      tag: "${CILIUM_NODEINIT_VERSION}"
      digest: "${CILIUM_NODEINIT_DIGEST}"
@@ -188,7 +330,7 @@ index e46a039..f76a8af 100644
      pullPolicy: "${PULL_POLICY}"
    # -- The priority class to use for the nodeinit pod.
    priorityClassName: ""
-@@ -3397,7 +3409,7 @@ authentication:
+@@ -3397,7 +3460,7 @@ authentication:
            repository: "${SPIRE_INIT_REPO}"
            tag: "${SPIRE_INIT_VERSION}"
            digest: "${SPIRE_INIT_DIGEST}"
@@ -197,7 +339,7 @@ index e46a039..f76a8af 100644
            pullPolicy: "${PULL_POLICY}"
          # SPIRE agent configuration
          agent:
-@@ -3410,7 +3422,7 @@ authentication:
+@@ -3410,7 +3473,7 @@ authentication:
              repository: "${SPIRE_AGENT_REPO}"
              tag: "${SPIRE_AGENT_VERSION}"
              digest: "${SPIRE_AGENT_DIGEST}"
@@ -206,7 +348,7 @@ index e46a039..f76a8af 100644
              pullPolicy: "${PULL_POLICY}"
            # -- SPIRE agent service account
            serviceAccount:
-@@ -3461,7 +3473,7 @@ authentication:
+@@ -3461,7 +3524,7 @@ authentication:
              repository: "${SPIRE_SERVER_REPO}"
              tag: "${SPIRE_SERVER_VERSION}"
              digest: "${SPIRE_SERVER_DIGEST}"
@@ -215,7 +357,7 @@ index e46a039..f76a8af 100644
              pullPolicy: "${PULL_POLICY}"
            # -- SPIRE server service account
            serviceAccount:
-@@ -3539,3 +3551,40 @@ authentication:
+@@ -3539,3 +3602,40 @@ authentication:
        agentSocketPath: /run/spire/sockets/agent/agent.sock
        # -- SPIRE connection timeout
        connectionTimeout: 30s