Merge pull request #139 from bytedance/tighten-agent

feat: Run agent in an unprivileged container
bytedance · Dec 4, 2024 · 349f4c0 · 349f4c0
2 parents 9af42e3 + 2943f21
commit 349f4c0
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 3 deletions.
diff --git a/cmd/varmor/main.go b/cmd/varmor/main.go
@@ -25,6 +25,7 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/kyverno/kyverno/pkg/leaderelection"
 	_ "go.uber.org/automaxprocs"
+	"golang.org/x/sys/unix"
 	kubeinformers "k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/util/retry"
@@ -156,6 +157,15 @@ func main() {
 	if agent {
 		setupLog.Info("vArmor agent startup")
 
+		// RemoveMemlock requires the write permission for /proc/sys/kernel/printk_ratelimit
+		if !debug {
+			err = unix.Unmount("/proc/sys", 0)
+			if err != nil {
+				setupLog.Error(err, "unix.Unmount(\"/proc/sys\", 0)")
+				os.Exit(1)
+			}
+		}
+
 		agentCtrl, err := varmoragent.NewAgent(
 			kubeClient.CoreV1().Pods(config.Namespace),
 			varmorClient.CrdV1beta1(),

diff --git a/config/manifest/agent.yaml b/config/manifest/agent.yaml
@@ -17,6 +17,8 @@ spec:
       labels:
         app: varmor
         app.kubernetes.io/name: varmor-agent
+      annotations:
+        container.apparmor.security.beta.kubernetes.io/agent: unconfined
     spec:
       hostPID: true
       serviceAccountName: varmor-agent
@@ -31,7 +33,13 @@ spec:
         - --enableBpfEnforcer
         - --enableBehaviorModeling
         securityContext:
-          privileged: true
+          capabilities:
+            add:
+            - SYS_ADMIN
+            - BPF
+            - SYS_RESOURCE
+            - SYS_PTRACE
+            - MAC_ADMIN
           runAsUser: 0
         volumeMounts:
         - mountPath: /sys/kernel/security

diff --git a/manifests/varmor/templates/daemonsets/agent.yaml b/manifests/varmor/templates/daemonsets/agent.yaml
@@ -13,6 +13,13 @@ spec:
     metadata:
       labels:
         {{- include "varmor.agent.selectorLabels" . | nindent 8 }}
+      annotations:
+        {{- with .Values.agent.podAnnotations }}
+            {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- if semverCompare "<1.30.0-0" .Capabilities.KubeVersion.Version }}
+        container.apparmor.security.beta.kubernetes.io/agent: unconfined
+        {{- end }}
     spec:
       {{- if .Values.image.password }}
       imagePullSecrets:
@@ -58,7 +65,13 @@ spec:
           {{- end }}
         {{- end }}
         securityContext:
-          {{- toYaml .Values.agent.securityContext | nindent 10 }}
+          {{- with .Values.agent.securityContext }}
+            {{- toYaml . | nindent 10 }}
+          {{- end }}
+          {{- if semverCompare ">=1.30.0-0" .Capabilities.KubeVersion.Version }}
+          appArmorProfile:
+            type: Unconfined
+          {{- end }}
         volumeMounts:
         - mountPath: /sys/kernel/security
           name: securityfs

diff --git a/manifests/varmor/values.yaml b/manifests/varmor/values.yaml
@@ -143,7 +143,13 @@ agent:
     tag: ""
 
   securityContext:
-    privileged: true
+    capabilities:
+      add:
+      - SYS_ADMIN
+      - BPF
+      - SYS_RESOURCE
+      - SYS_PTRACE
+      - MAC_ADMIN
     runAsUser: 0
 
   args: []