fix(deploy) increase container security

Change default values to run containers with read-only file system and
non-root user for both kong and gateway-operator charts.

Signed-off-by: Gerald Pape <[email protected]>

.kube-linter.yaml

@@ -1,8 +1,4 @@
 checks:
   exclude:
-    # TODO: exclude no rule
-    # https://github.com/Kong/charts/issues/753
-    - "no-read-only-root-fs"
-    - "run-as-non-root"
     - "unset-cpu-requirements"
     - "unset-memory-requirements"

charts/gateway-operator/CHANGELOG.md

@@ -1,5 +1,12 @@
 # Changelog
 
+## Unreleased
+
+## Changes
+
+- Set `readOnlyRootFilesystem: true` for kube-rbac-proxy
+  [#1057](https://github.com/Kong/charts/pull/1057)
+
 ## 0.4.9
 
 ## Changes

charts/gateway-operator/ci/__snapshots__/affinity-values.snap

@@ -798,6 +798,8 @@ spec:
         - containerPort: 8443
           name: https
           protocol: TCP
+        securityContext:
+          readOnlyRootFilesystem: true
         resources:
           limits:
             cpu: 500m

charts/gateway-operator/ci/__snapshots__/disable-gateway-controller-values.snap

@@ -790,6 +790,8 @@ spec:
         - containerPort: 8443
           name: https
           protocol: TCP
+        securityContext:
+          readOnlyRootFilesystem: true
         resources:
           limits:
             cpu: 500m

charts/gateway-operator/ci/__snapshots__/env-and-args-values.snap

@@ -790,6 +790,8 @@ spec:
         - containerPort: 8443
           name: https
           protocol: TCP
+        securityContext:
+          readOnlyRootFilesystem: true
         resources:
           limits:
             cpu: 500m

charts/gateway-operator/ci/__snapshots__/env-and-customenv-values.snap

@@ -792,6 +792,8 @@ spec:
         - containerPort: 8443
           name: https
           protocol: TCP
+        securityContext:
+          readOnlyRootFilesystem: true
         resources:
           limits:
             cpu: 500m

charts/gateway-operator/ci/__snapshots__/extra-labels-values.snap

@@ -790,6 +790,8 @@ spec:
         - containerPort: 8443
           name: https
           protocol: TCP
+        securityContext:
+          readOnlyRootFilesystem: true
         resources:
           limits:
             cpu: 500m

charts/gateway-operator/ci/__snapshots__/nightly-can-be-used-values.snap

@@ -788,6 +788,8 @@ spec:
         - containerPort: 8443
           name: https
           protocol: TCP
+        securityContext:
+          readOnlyRootFilesystem: true
         resources:
           limits:
             cpu: 500m

charts/gateway-operator/ci/__snapshots__/probes-and-args-values.snap

@@ -790,6 +790,8 @@ spec:
         - containerPort: 8443
           name: https
           protocol: TCP
+        securityContext:
+          readOnlyRootFilesystem: true
         resources:
           limits:
             cpu: 500m

charts/gateway-operator/ci/__snapshots__/tolerations-values.snap

@@ -792,6 +792,8 @@ spec:
         - containerPort: 8443
           name: https
           protocol: TCP
+        securityContext:
+          readOnlyRootFilesystem: true
         resources:
           limits:
             cpu: 500m

charts/gateway-operator/templates/deployment.yaml

@@ -90,6 +90,8 @@ spec:
         - containerPort: 8443
           name: https
           protocol: TCP
+        securityContext:
+          readOnlyRootFilesystem: true
         resources:
 {{ toYaml .Values.kubeRBACProxy.resources | indent 10 }}
 {{- end }}

charts/kong/CHANGELOG.md

@@ -1,5 +1,12 @@
 # Changelog
 
+## Unreleased
+
+### Fixes
+
+* Run containers with read-only file system and non-root user to increase container and pod security.
+  [#1057](https://github.com/Kong/charts/pull/1057)
+
 ## 2.47.0
 
 ### Changes
@@ -346,27 +353,27 @@
 
 ## 2.26.5
 
-### Fixed 
+### Fixed
 
 * Kuma ServiceAccount Token hints and volumes are also available in migrations
   Pods.
   [#877](https://github.com/Kong/charts/pull/877)
 
 ## 2.26.4
 
-### Fixed 
+### Fixed
 
-* updated `admin_api_uri` to `admin_gui_api_url` as per [kong documentation](https://docs.konghq.com/gateway/3.4.x/reference/configuration/#admin_api_uri). 
+* updated `admin_api_uri` to `admin_gui_api_url` as per [kong documentation](https://docs.konghq.com/gateway/3.4.x/reference/configuration/#admin_api_uri).
 
 ## 2.26.3
 
-### Fixed 
+### Fixed
 
 * Enabled Service and Ingress in Kong Manager for non enterprise users.
 
 ## 2.26.2
 
-### Fixed 
+### Fixed
 
 * Add missing CRD KongConsumerGroup and extend status subresource for CRDs
 

charts/kong/README.md

@@ -467,7 +467,7 @@ listens if you do not provide your own. The chart can create
 configure them for you. To use this integration, install cert-manager, create
 an issuer, set `certificates.enabled: true` in values.yaml, and set your issuer
 name in `certificates.issuer` or `certificates.clusterIssuer` depending on the
-issuer type. 
+issuer type.
 
 If you do not have an issuer available, you can install the example [self-signed ClusterIssuer](https://cert-manager.io/docs/configuration/selfsigned/#bootstrapping-ca-issuers)
 and set `certificates.clusterIssuer: selfsigned-issuer` for testing. You
@@ -709,7 +709,7 @@ or `ingress` sections, as it is used only for stream listens.
 
 #### Admin Service mTLS
 
-On top of the common parameters listed above, the `admin` service supports parameters for mTLS client verification. 
+On top of the common parameters listed above, the `admin` service supports parameters for mTLS client verification.
 If any of `admin.tls.client.caBundle` or `admin.tls.client.secretName` are set, the admin service will be configured to
 require mTLS client verification. If both are set, `admin.tls.client.caBundle` will take precedence.
 
@@ -910,7 +910,7 @@ On the Gateway release side, set either `admin.tls.client.secretName` to the nam
 | podSecurityPolicy.spec             | Collection of [PodSecurityPolicy settings](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#what-is-a-pod-security-policy) | |
 | priorityClassName                  | Set pod scheduling priority class for Kong pods                                       | `""`                |
 | secretVolumes                      | Mount given secrets as a volume in Kong container to override default certs and keys. | `[]`                |
-| securityContext                    | Set the securityContext for Kong Pods                                                 | `{}`                |
+| securityContext                    | Set the securityContext for Kong Pods                                                 | See values.yaml     |
 | containerSecurityContext           | Set the securityContext for Containers                                                | See values.yaml     |
 | serviceMonitor.enabled             | Create ServiceMonitor for Prometheus Operator                                         | `false`             |
 | serviceMonitor.trustCRDsExist      | Do not check for the Prometheus Operator CRDs, just try to deploy                     | `false`             |
@@ -938,11 +938,11 @@ containerSecurityContext: # run as root to bind to lower ports
   runAsUser: 0
 ```
 
-**Note:** The default `podAnnotations` values disable inbound proxying for Kuma 
-and Istio. This is appropriate when using Kong as a gateway for external 
+**Note:** The default `podAnnotations` values disable inbound proxying for Kuma
+and Istio. This is appropriate when using Kong as a gateway for external
 traffic inbound into the cluster.
 
-If you want to use Kong as an internal proxy within the cluster network, you 
+If you want to use Kong as an internal proxy within the cluster network, you
 should enable inbound the inbound mesh proxies:
 
 ```yaml