🔒️ Hardening - reduce OpenVPN preconfiguration and runtime privilege (Linux capabilities)

ndebuhr · ndebuhr · commit d5a50485e238 · 2022-01-02T00:50:23.000Z
diff --git a/README.md b/README.md
@@ -374,7 +374,7 @@ Access the components that you've enabled in the Helm values (after authenticati
 * code.YOUR_DOMAIN for Code Server IDE
 * code-dev-server.YOUR_DOMAIN for a development web server
     * e.g. `hugo serve -D --bind=0.0.0.0 --baseUrl=hugo.YOUR_DOMAIN --appendPort=false` in Code Server
-* pgweb.YOUR_DOMAIN for Pgweb (for VPN initialization, `kubectl exec` and then `openvpn --config /etc/client.ovpn`)
+* pgweb.YOUR_DOMAIN for Pgweb
 * selenium-hub.YOUR_DOMAIN for Selenium Grid hub
 * selenium-chrome.YOUR_DOMAIN for Selenium node (Chrome)
 * selenium-firefox.YOUR_DOMAIN for Selenium node (Firefox)
diff --git a/deploy/templates/code.yaml b/deploy/templates/code.yaml
@@ -64,7 +64,8 @@ spec:
         - name: PASSWORD
           value: "{{ .Values.authentication.password }}"
         securityContext:
-          privileged: true
+          capabilities:
+            add: ["NET_ADMIN"]
         resources: {{ toYaml .Values.code.resources | nindent 10 }}
         volumeMounts:
         - name: coder
@@ -73,11 +74,6 @@ spec:
         - name: coder-profile
           mountPath: /home/coder/.profile
           subPath: .profile
-        {{ if eq .Values.code.ovpn true }}
-        - name: client-ovpn
-          mountPath: /etc/client.ovpn
-          subPath: client.ovpn
-        {{ end }}
       - name: dind-daemon
         image: {{ .Values.code.dind.image }}
         env:
@@ -101,12 +97,6 @@ spec:
         configMap:
           name: coder-profile-v1
           defaultMode: 0644
-      {{ if eq .Values.code.ovpn true }}
-      - name: client-ovpn
-        secret:
-          secretName: client-ovpn
-          defaultMode: 0400
-      {{ end }}
 {{ if eq .Values.policies.enabled true }}
 ---
 apiVersion: networking.k8s.io/v1
diff --git a/deploy/templates/jupyter.yaml b/deploy/templates/jupyter.yaml
@@ -41,27 +41,15 @@ spec:
         - name: GRANT_SUDO
           value: "yes"
         securityContext:
-          privileged: true
           runAsUser: 0
         resources: {{ toYaml .Values.jupyter.resources | nindent 10 }}
         volumeMounts:
         - name: jupyter
           mountPath: /home/jovyan/work
-        {{ if eq .Values.jupyter.ovpn true }}
-        - name: client-ovpn
-          mountPath: /etc/client.ovpn
-          subPath: client.ovpn
-        {{ end }}
       volumes:
       - name: jupyter
         persistentVolumeClaim:
           claimName: jupyter-pvc
-      {{ if eq .Values.jupyter.ovpn true }}
-      - name: client-ovpn
-        secret:
-          secretName: client-ovpn
-          defaultMode: 0400
-      {{ end }}
 {{ if eq .Values.policies.enabled true }}
 ---
 apiVersion: networking.k8s.io/v1
diff --git a/deploy/templates/pgweb.yaml b/deploy/templates/pgweb.yaml
@@ -34,20 +34,7 @@ spec:
       containers:
       - name: pgweb
         image: {{ .Values.pgweb.image }}
-        securityContext:
-          privileged: true
         resources: {{ toYaml .Values.pgweb.resources | nindent 10 }}
-        {{ if eq .Values.pgweb.ovpn true }}
-        volumeMounts:
-        - name: client-ovpn
-          mountPath: /etc/client.ovpn
-          subPath: client.ovpn
-      volumes:
-      - name: client-ovpn
-        secret:
-          secretName: client-ovpn
-          defaultMode: 0400
-      {{ end }}
 {{ if eq .Values.policies.enabled true }}
 ---
 apiVersion: networking.k8s.io/v1
diff --git a/deploy/templates/sftp.yaml b/deploy/templates/sftp.yaml
@@ -37,8 +37,6 @@ spec:
       - name: sftp
         image: {{ .Values.sftp.image }}
         args: ["{{ .Values.authentication.username }}:{{ .Values.authentication.password }}:1001:100"]
-        securityContext:
-          privileged: true
         resources: {{ toYaml .Values.sftp.resources | nindent 10 }}
         volumeMounts:
         - name: sftp
diff --git a/deploy/values.yaml b/deploy/values.yaml
@@ -55,9 +55,6 @@ oauth2Proxy:
 code:
   enabled: true
   image: ndebuhr/cloud-native-workstation-code-server:v0.13.1
-  # For accessing cloud resources over VPN, set ovpn=true and:
-  # kubectl create secret generic client-ovpn --from-file=client.ovpn
-  ovpn: false
   storage: 32Gi
   resources: {}
   dind:
@@ -69,9 +66,6 @@ code:
 pgweb:
   enabled: false
   image: ndebuhr/cloud-native-workstation-pgweb:v0.13.1
-  # For accessing databases over VPN, set ovpn=true and:
-  # kubectl create secret generic client-ovpn --from-file=client.ovpn
-  ovpn: false
   resources: {}
 
 # SFTP server
@@ -104,9 +98,6 @@ selenium:
 jupyter:
   enabled: false
   image: ndebuhr/cloud-native-workstation-jupyter:v0.13.1
-  # For accessing cloud resources over VPN, set ovpn=true and:
-  # kubectl create secret generic client-ovpn --from-file=client.ovpn
-  ovpn: false
   storage: 32Gi
   gpu:
     enabled: false
