feat(chart): Make security context configurable (envoyproxy#4536)

* Make security context configurable

Signed-off-by: Tamal Saha <[email protected]>

* make gen-check

Signed-off-by: Tamal Saha <[email protected]>

* Update current.yaml

Signed-off-by: Tamal Saha <[email protected]>

---------

Signed-off-by: Tamal Saha <[email protected]>
(cherry picked from commit 20a4622)
Signed-off-by: Huabing Zhao <[email protected]>

Author: tamalsaha

charts/gateway-helm/README.md

@@ -59,7 +59,7 @@ To uninstall the chart:
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. |
+| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. |
 | config.envoyGateway.gateway.controllerName | string | `"gateway.envoyproxy.io/gatewayclass-controller"` |  |
 | config.envoyGateway.logging.level.default | string | `"info"` |  |
 | config.envoyGateway.provider.type | string | `"Kubernetes"` |  |
@@ -71,6 +71,13 @@ To uninstall the chart:
 | deployment.envoyGateway.resources.limits.memory | string | `"1024Mi"` |  |
 | deployment.envoyGateway.resources.requests.cpu | string | `"100m"` |  |
 | deployment.envoyGateway.resources.requests.memory | string | `"256Mi"` |  |
+| deployment.envoyGateway.securityContext.allowPrivilegeEscalation | bool | `false` |  |
+| deployment.envoyGateway.securityContext.capabilities.drop[0] | string | `"ALL"` |  |
+| deployment.envoyGateway.securityContext.privileged | bool | `false` |  |
+| deployment.envoyGateway.securityContext.runAsGroup | int | `65532` |  |
+| deployment.envoyGateway.securityContext.runAsNonRoot | bool | `true` |  |
+| deployment.envoyGateway.securityContext.runAsUser | int | `65532` |  |
+| deployment.envoyGateway.securityContext.seccompProfile.type | string | `"RuntimeDefault"` |  |
 | deployment.pod.affinity | object | `{}` |  |
 | deployment.pod.annotations."prometheus.io/port" | string | `"19001"` |  |
 | deployment.pod.annotations."prometheus.io/scrape" | string | `"true"` |  |

charts/gateway-helm/templates/certgen.yaml

@@ -39,17 +39,7 @@ spec:
           {{- toYaml . | nindent 10 }}
         {{- end }}
         securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          privileged: false
-          readOnlyRootFilesystem: true
-          runAsNonRoot: true
-          runAsGroup: 65534
-          runAsUser: 65534
-          seccompProfile:
-            type: RuntimeDefault
+          {{- toYaml .Values.certgen.job.securityContext | nindent 10 }}
       {{- include "eg.image.pullSecrets" . | nindent 6 }}
       {{- with .Values.certgen.job.affinity }}
       affinity:

charts/gateway-helm/templates/envoy-gateway-deployment.yaml

@@ -30,7 +30,7 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       {{- with .Values.deployment.pod.nodeSelector }}
-      nodeSelector: 
+      nodeSelector:
         {{ toYaml . | nindent 8 }}
       {{- end }}
       {{- with .Values.deployment.pod.topologySpreadConstraints }}
@@ -73,19 +73,10 @@ spec:
             port: 8081
           initialDelaySeconds: 5
           periodSeconds: 10
-        resources: {{- toYaml .Values.deployment.envoyGateway.resources | nindent 10
-          }}
+        resources:
+          {{- toYaml .Values.deployment.envoyGateway.resources | nindent 10 }}
         securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          privileged: false
-          runAsNonRoot: true
-          runAsGroup: 65532
-          runAsUser: 65532
-          seccompProfile:
-            type: RuntimeDefault
+          {{- toYaml .Values.deployment.envoyGateway.securityContext | nindent 10 }}
         volumeMounts:
         - mountPath: /config
           name: envoy-gateway-config

charts/gateway-helm/values.tmpl.yaml

@@ -35,6 +35,17 @@ deployment:
       requests:
         cpu: 100m
         memory: 256Mi
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      privileged: false
+      runAsNonRoot: true
+      runAsGroup: 65532
+      runAsUser: 65532
+      seccompProfile:
+        type: RuntimeDefault
   ports:
     - name: grpc
       port: 18000
@@ -86,6 +97,18 @@ certgen:
     tolerations: []
     nodeSelector: {}
     ttlSecondsAfterFinished: 30
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      privileged: false
+      readOnlyRootFilesystem: true
+      runAsNonRoot: true
+      runAsGroup: 65534
+      runAsUser: 65534
+      seccompProfile:
+        type: RuntimeDefault
   rbac:
     annotations: {}
     labels: {}

release-notes/current.yaml

@@ -10,7 +10,7 @@ security updates: |
 
 # New features or capabilities added in this release.
 new features: |
-  Add a new feature here
+  Add support for modifying container securityContext for Envoy Gateway deployment in Helm
 
 # Fixes for bugs identified in previous versions.
 bug fixes: |

site/content/en/latest/install/gateway-helm-api.md

@@ -23,7 +23,7 @@ The Helm chart for Envoy Gateway
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. |
+| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. |
 | config.envoyGateway.gateway.controllerName | string | `"gateway.envoyproxy.io/gatewayclass-controller"` |  |
 | config.envoyGateway.logging.level.default | string | `"info"` |  |
 | config.envoyGateway.provider.type | string | `"Kubernetes"` |  |
@@ -35,6 +35,13 @@ The Helm chart for Envoy Gateway
 | deployment.envoyGateway.resources.limits.memory | string | `"1024Mi"` |  |
 | deployment.envoyGateway.resources.requests.cpu | string | `"100m"` |  |
 | deployment.envoyGateway.resources.requests.memory | string | `"256Mi"` |  |
+| deployment.envoyGateway.securityContext.allowPrivilegeEscalation | bool | `false` |  |
+| deployment.envoyGateway.securityContext.capabilities.drop[0] | string | `"ALL"` |  |
+| deployment.envoyGateway.securityContext.privileged | bool | `false` |  |
+| deployment.envoyGateway.securityContext.runAsGroup | int | `65532` |  |
+| deployment.envoyGateway.securityContext.runAsNonRoot | bool | `true` |  |
+| deployment.envoyGateway.securityContext.runAsUser | int | `65532` |  |
+| deployment.envoyGateway.securityContext.seccompProfile.type | string | `"RuntimeDefault"` |  |
 | deployment.pod.affinity | object | `{}` |  |
 | deployment.pod.annotations."prometheus.io/port" | string | `"19001"` |  |
 | deployment.pod.annotations."prometheus.io/scrape" | string | `"true"` |  |

site/content/zh/latest/install/gateway-helm-api.md

@@ -23,7 +23,7 @@ The Helm chart for Envoy Gateway
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. |
+| certgen | object | `{"job":{"affinity":{},"annotations":{},"nodeSelector":{},"resources":{},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. |
 | config.envoyGateway.gateway.controllerName | string | `"gateway.envoyproxy.io/gatewayclass-controller"` |  |
 | config.envoyGateway.logging.level.default | string | `"info"` |  |
 | config.envoyGateway.provider.type | string | `"Kubernetes"` |  |
@@ -35,6 +35,13 @@ The Helm chart for Envoy Gateway
 | deployment.envoyGateway.resources.limits.memory | string | `"1024Mi"` |  |
 | deployment.envoyGateway.resources.requests.cpu | string | `"100m"` |  |
 | deployment.envoyGateway.resources.requests.memory | string | `"256Mi"` |  |
+| deployment.envoyGateway.securityContext.allowPrivilegeEscalation | bool | `false` |  |
+| deployment.envoyGateway.securityContext.capabilities.drop[0] | string | `"ALL"` |  |
+| deployment.envoyGateway.securityContext.privileged | bool | `false` |  |
+| deployment.envoyGateway.securityContext.runAsGroup | int | `65532` |  |
+| deployment.envoyGateway.securityContext.runAsNonRoot | bool | `true` |  |
+| deployment.envoyGateway.securityContext.runAsUser | int | `65532` |  |
+| deployment.envoyGateway.securityContext.seccompProfile.type | string | `"RuntimeDefault"` |  |
 | deployment.pod.affinity | object | `{}` |  |
 | deployment.pod.annotations."prometheus.io/port" | string | `"19001"` |  |
 | deployment.pod.annotations."prometheus.io/scrape" | string | `"true"` |  |

test/helm/gateway-helm/certjen-custom-scheduling.out.yaml

@@ -432,8 +432,8 @@ spec:
             drop:
             - ALL
           privileged: false
-          runAsNonRoot: true
           runAsGroup: 65532
+          runAsNonRoot: true
           runAsUser: 65532
           seccompProfile:
             type: RuntimeDefault
@@ -563,8 +563,8 @@ spec:
             - ALL
           privileged: false
           readOnlyRootFilesystem: true
-          runAsNonRoot: true
           runAsGroup: 65534
+          runAsNonRoot: true
           runAsUser: 65534
           seccompProfile:
             type: RuntimeDefault

test/helm/gateway-helm/control-plane-with-pdb.out.yaml

@@ -447,8 +447,8 @@ spec:
             drop:
             - ALL
           privileged: false
-          runAsNonRoot: true
           runAsGroup: 65532
+          runAsNonRoot: true
           runAsUser: 65532
           seccompProfile:
             type: RuntimeDefault
@@ -578,8 +578,8 @@ spec:
             - ALL
           privileged: false
           readOnlyRootFilesystem: true
-          runAsNonRoot: true
           runAsGroup: 65534
+          runAsNonRoot: true
           runAsUser: 65534
           seccompProfile:
             type: RuntimeDefault

test/helm/gateway-helm/default-config.out.yaml

@@ -432,8 +432,8 @@ spec:
             drop:
             - ALL
           privileged: false
-          runAsNonRoot: true
           runAsGroup: 65532
+          runAsNonRoot: true
           runAsUser: 65532
           seccompProfile:
             type: RuntimeDefault
@@ -563,8 +563,8 @@ spec:
             - ALL
           privileged: false
           readOnlyRootFilesystem: true
-          runAsNonRoot: true
           runAsGroup: 65534
+          runAsNonRoot: true
           runAsUser: 65534
           seccompProfile:
             type: RuntimeDefault

test/helm/gateway-helm/deployment-custom-topology.out.yaml

@@ -460,8 +460,8 @@ spec:
             drop:
             - ALL
           privileged: false
-          runAsNonRoot: true
           runAsGroup: 65532
+          runAsNonRoot: true
           runAsUser: 65532
           seccompProfile:
             type: RuntimeDefault
@@ -591,8 +591,8 @@ spec:
             - ALL
           privileged: false
           readOnlyRootFilesystem: true
-          runAsNonRoot: true
           runAsGroup: 65534
+          runAsNonRoot: true
           runAsUser: 65534
           seccompProfile:
             type: RuntimeDefault

test/helm/gateway-helm/deployment-images-config.out.yaml

@@ -432,8 +432,8 @@ spec:
             drop:
             - ALL
           privileged: false
-          runAsNonRoot: true
           runAsGroup: 65532
+          runAsNonRoot: true
           runAsUser: 65532
           seccompProfile:
             type: RuntimeDefault
@@ -565,8 +565,8 @@ spec:
             - ALL
           privileged: false
           readOnlyRootFilesystem: true
-          runAsNonRoot: true
           runAsGroup: 65534
+          runAsNonRoot: true
           runAsUser: 65534
           seccompProfile:
             type: RuntimeDefault

test/helm/gateway-helm/deployment-priorityclass.out.yaml

@@ -432,8 +432,8 @@ spec:
             drop:
             - ALL
           privileged: false
-          runAsNonRoot: true
           runAsGroup: 65532
+          runAsNonRoot: true
           runAsUser: 65532
           seccompProfile:
             type: RuntimeDefault
@@ -564,8 +564,8 @@ spec:
             - ALL
           privileged: false
           readOnlyRootFilesystem: true
-          runAsNonRoot: true
           runAsGroup: 65534
+          runAsNonRoot: true
           runAsUser: 65534
           seccompProfile:
             type: RuntimeDefault

test/helm/gateway-helm/deployment-securitycontext.in.yaml

@@ -0,0 +1,32 @@
+global:
+  images:
+    envoyGateway:
+      image: "docker.io/envoyproxy/gateway-dev:latest"
+      pullPolicy: Always
+deployment:
+  envoyGateway:
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      privileged: false
+      runAsNonRoot: true
+      runAsGroup: 1000
+      runAsUser: 1000
+      seccompProfile:
+        type: RuntimeDefault
+certgen:
+  job:
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      privileged: false
+      readOnlyRootFilesystem: true
+      runAsNonRoot: true
+      runAsGroup: 1000
+      runAsUser: 1000
+      seccompProfile:
+        type: RuntimeDefault