From 75ea8e9eb6ef7d1677f2af79503fbec3f93d335a Mon Sep 17 00:00:00 2001
From: Ram Lavi
Date: Tue, 3 Jun 2025 21:01:16 +0300
Subject: [PATCH 1/3] linux-bridge, scc: Restrict SELinux context to MustRunAs with spc_t type
Switch the SecurityContextConstraints (SCC) policy from RunAsAny to MustRunAs for the SELinux context. Additionally, specify the SELinux type as spc_t to better confine the privileged container. This strengthens the SELinux policy, ensuring that even privileged containers are restricted by a specific SELinux type, improving overall security posture.
Signed-off-by: Ram Lavi
---
 data/linux-bridge/001-rbac.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/data/linux-bridge/001-rbac.yaml b/data/linux-bridge/001-rbac.yaml
index 69fa2da13..5597a8fc3 100644
--- a/data/linux-bridge/001-rbac.yaml
+++ b/data/linux-bridge/001-rbac.yaml
@@ -20,7 +20,9 @@ readOnlyRootFilesystem: false runAsUser: type: RunAsAny seLinuxContext: - type: RunAsAny + type: MustRunAs + seLinuxOptions: + type: spc_t users: - system:serviceaccount:{{ .Namespace }}:linux-bridge volumes:
From dbea23adc7db74fdc2b7c1dbf4105180189df425 Mon Sep 17 00:00:00 2001
From: Ram Lavi
Date: Tue, 3 Jun 2025 21:01:48 +0300
Subject: [PATCH 2/3] linux-bridge, scc: Restrict volumes paths.
Limit the allowed volume types in the SCC to only hostPath, configMap, and secret, removing the wildcard "*" that allowed all volume types. This reduces the container's access to only the required volume types and follows the principle of least privilege for better security hardening.
Signed-off-by: Ram Lavi
---
 data/linux-bridge/001-rbac.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/data/linux-bridge/001-rbac.yaml b/data/linux-bridge/001-rbac.yaml
index 5597a8fc3..fc630505a 100644
--- a/data/linux-bridge/001-rbac.yaml
+++ b/data/linux-bridge/001-rbac.yaml
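Review bot: The added `seLinuxOptions.type: spc_t` under `seLinuxContext:` does not confine the container the way the commit message claims; spc_t is container-selinux's super-privileged, effectively unconfined domain, the label a privileged container is already given by the runtime, so the real effect of `MustRunAs` here is to pin that label at the SCC and stop pod specs from requesting a different one. That is still a reasonable hardening step, but the YAML should record what it actually buys so nobody later counts it as an SELinux boundary. I would add above `seLinuxContext:` the comment `# spc_t is the unconfined label privileged containers already run under; MustRunAs pins it so the pod spec cannot pick another one`, kept at the key's indent. Whether this container is privileged is not visible in this hunk, only in the DaemonSet change later in the series.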
@@ -26,5 +26,7 @@ seLinuxContext: users: - system:serviceaccount:{{ .Namespace }}:linux-bridge volumes: -- "*" + - hostPath + - configMap + - secret {{ end }}
From 26d5db95e20d0381d95e707ba1ce765478b065b8 Mon Sep 17 00:00:00 2001
From: Ram Lavi
Date: Thu, 5 Jun 2025 11:03:52 +0300
Subject: [PATCH 3/3] linux-bridge, scc: Enable readOnlyRootFilesystem with writable /tmp emptyDir
Harden the linux-bridge DaemonSet by enabling readOnlyRootFilesystem: true, ensuring that the container's root filesystem is immutable to enhance security. Since some system utilities (e.g., bash, cp, sha256sum) may require a writable /tmp directory, mount an emptyDir at /tmp to provide a writable scratch space, following container security best practices [0]. Also update the associated SCC to enforce readOnlyRootFilesystem: true at the policy level.
[0] https://redhat-best-practices-for-k8s.github.io/guide/#k8s-best-practices-storage:-emptydir
Signed-off-by: Ram Lavi
---
 data/linux-bridge/001-rbac.yaml | 3 ++-
 data/linux-bridge/002-linux-bridge.yaml | 5 +++++
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/data/linux-bridge/001-rbac.yaml b/data/linux-bridge/001-rbac.yaml
index fc630505a..0ecb92211 100644
--- a/data/linux-bridge/001-rbac.yaml
+++ b/data/linux-bridge/001-rbac.yaml
@@ -16,7 +16,7 @@ allowHostIPC: false allowHostNetwork: false allowHostPID: false allowHostPorts: false -readOnlyRootFilesystem: false +readOnlyRootFilesystem: true runAsUser: type: RunAsAny seLinuxContext:
@@ -29,4 +29,5 @@ volumes: - hostPath - configMap - secret + - emptyDir {{ end }}
diff --git a/data/linux-bridge/002-linux-bridge.yaml b/data/linux-bridge/002-linux-bridge.yaml
index 416d2550e..e6b6d9293 100644
--- a/data/linux-bridge/002-linux-bridge.yaml
+++ b/data/linux-bridge/002-linux-bridge.yaml
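Review bot: The new allow-list under `volumes:` keeps `configMap` and `secret`, yet nothing in the linux-bridge DaemonSet visible in this series mounts either; its only volumes are the `cnibin` hostPath and the `/tmp` emptyDir the next commit has to add, which also shows this list was not derived from the pod spec. Before trimming `secret`, check the target OpenShift version: as far as I recall SCC admission lets the automounted service-account token (a `projected` volume) through on the strength of `secret` being allowed, so removing it can stop token mounting, while `configMap` has no such excuse unless something not shown uses it. Note that the subject says "paths" but the change restricts volume types, and SCCs have no host-path allow-list, so `hostPath` remains the unrestricted entry that actually matters for node compromise; a comment such as `# hostPath is needed for cnibin; the SCC cannot restrict which host paths get mounted` above the list would make that explicit. The added entries are indented under `volumes:` whereas the `users:` sequence above appears flush; pick one sequence indentation for the file.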
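Review bot: Flipping the SCC to `readOnlyRootFilesystem: true` turns the flag into an admission requirement for every container admitted under this SCC, and on a container that the same series marks `privileged: true` it is a guardrail against accidental writes rather than a security boundary, since a privileged process holds CAP_SYS_ADMIN and can remount its own root read-write. It is still worth enforcing, but the file should say so; I would put `# required by the linux-bridge DaemonSet; a privileged container can remount rw, so this limits mistakes, not attackers` above the line. Whether SCC admission defaults the field to true for a container that omits it or rejects the pod outright is not visible here, so any container later added to this DaemonSet should set it explicitly as the current one does.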
@@ -69,11 +69,16 @@ spec: memory: "15Mi" securityContext: privileged: true + readOnlyRootFilesystem: true volumeMounts: - name: cnibin mountPath: /opt/cni/bin + - name: tmp + mountPath: /tmp terminationMessagePolicy: FallbackToLogsOnError volumes: - name: cnibin hostPath: path: {{ .CNIBinDir }} + - name: tmp + emptyDir: { }
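Review bot: The new `tmp` emptyDir carries no `sizeLimit`, so a runaway write into `/tmp` is bounded only by the node's ephemeral storage; a container with a 15Mi memory request does not need much scratch space, so `emptyDir: { sizeLimit: 64Mi }` (sized from what the copy and checksum steps actually produce) would let the kubelet evict the pod instead of filling the node disk. While here, `{ }` is better written `{}`, the usual empty-mapping form. The added `readOnlyRootFilesystem: true` sits next to `privileged: true`, where it is a guard against accidental writes rather than a boundary: a privileged process can remount its root read-write and already has the host via `/dev` and the writable `cnibin` hostPath, so a one-line comment saying so above `securityContext:` would keep later readers from over-crediting it. The container spec this hunk edits starts before the hunk.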