feat: misc security improvements

Dockerfile

@@ -17,8 +17,12 @@ RUN CGO_ENABLED=0 go build -o webhook -ldflags '-w -extldflags "-static"' .
 
 FROM alpine:3.18 as final
 
+RUN addgroup -g 1000 appgroup && adduser -u 1000 -G appgroup -D webhook
+
 RUN apk add --no-cache ca-certificates
 
+USER 1000
+
 COPY --from=build /workspace/webhook /usr/local/bin/webhook
 
 ENTRYPOINT ["webhook"]

deploy/cert-manager-ibm-cis-webhook/Chart.yaml

@@ -2,4 +2,4 @@ apiVersion: v1
 appVersion: "1.0"
 description: A Helm chart for Kubernetes
 name: cert-manager-ibm-cis-webhook
-version: 1.0.0
+version: 1.1.0

deploy/cert-manager-ibm-cis-webhook/templates/deployment.yaml

@@ -19,7 +19,12 @@ spec:
       labels:
         app: {{ include "cert-manager-ibm-cis-webhook.name" . }}
         release: {{ .Release.Name }}
+      annotations:
+        checksum/secrets: {{ include (print $.Template.BasePath "/secret.yaml") $ | sha256sum }}
+
     spec:
+      securityContext:
+        runAsNonRoot: true
       serviceAccountName: {{ include "cert-manager-ibm-cis-webhook.fullname" . }}
       imagePullSecrets:
       {{- range .Values.imagePullSecrets }}
@@ -30,16 +35,20 @@ spec:
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           args:
+            - --secure-port={{ .Values.containerPort }}
             - --tls-cert-file=/tls/tls.crt
             - --tls-private-key-file=/tls/tls.key
           env:
             - name: GROUP_NAME
               value: {{ .Values.groupName | quote }}
             - name: IBMCLOUD_API_KEY
-              value: {{ .Values.ibmCloudApiKey | quote }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "cert-manager-ibm-cis-webhook.fullname" . }}-ibmcis-credentials
+                  key: api-token
           ports:
             - name: https
-              containerPort: 443
+              containerPort: {{ .Values.containerPort }}
               protocol: TCP
           livenessProbe:
             httpGet:
@@ -51,6 +60,12 @@ spec:
               scheme: HTTPS
               path: /healthz
               port: https
+          securityContext:
+            runAsNonRoot: true
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+                - ALL
           volumeMounts:
             - name: certs
               mountPath: /tls

deploy/cert-manager-ibm-cis-webhook/templates/networkpolicies.yaml

@@ -0,0 +1,52 @@
+{{- if .Values.networkPolicies.enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "cert-manager-ibm-cis-webhook.fullname" . }}-allow-dns
+spec:
+  podSelector:
+    matchLabels:
+      app: {{ include "cert-manager-ibm-cis-webhook.name" . }}
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - namespaceSelector: {}
+      podSelector:
+        matchLabels:
+          k8s-app: kube-dns
+    ports:
+    - protocol: UDP
+      port: 53
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "cert-manager-ibm-cis-webhook.fullname" . }}-allow-ingress
+spec:
+  podSelector:
+    matchLabels:
+      app: {{ include "cert-manager-ibm-cis-webhook.name" . }}
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - podSelector: {}
+    ports:
+    - protocol: TCP
+      port: {{ .Values.containerPort }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-egress-to-k8s-api
+spec:
+  podSelector:
+    matchLabels:
+      app: {{ include "cert-manager-ibm-cis-webhook.name" . }}
+  policyTypes:
+    - Egress
+  egress:
+    - {}
+{{- end }}

deploy/cert-manager-ibm-cis-webhook/templates/secret.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: ibmcis-credentials
+  name: {{ include "cert-manager-ibm-cis-webhook.fullname" . }}-ibmcis-credentials
 type: Opaque
 stringData:
   api-token: {{ .Values.ibmCloudApiKey | quote }}

deploy/cert-manager-ibm-cis-webhook/values.yaml

@@ -10,6 +10,9 @@ groupName: acme.skills.network
 
 ibmCloudApiKey: ""
 
+networkPolicies:
+  enabled: false
+
 certManager:
   namespace: cert-manager
   serviceAccountName: cert-manager
@@ -25,6 +28,8 @@ imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
 
+containerPort: 8443
+
 service:
   type: ClusterIP
   port: 443