diff --git a/.helmignore b/.helmignore index 4bfefaf86a..739ec620d5 100644 --- a/.helmignore +++ b/.helmignore @@ -6,8 +6,19 @@ images lib Makefile openapi +src +test +tools *.md release.yaml werf*.yaml NOTES.txt +.dmtlint.yaml +.editorconfig .git +.github +.gocache +.idea +.mirrods +.pi* +.prettierignore diff --git a/Chart.yaml b/Chart.yaml index 6edc72f1c5..795cb09972 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -2,5 +2,5 @@ name: virtualization version: 0.0.1 dependencies: - name: deckhouse_lib_helm - version: 1.55.1 + version: 1.72.0 repository: https://deckhouse.github.io/lib-helm diff --git a/Taskfile.yaml b/Taskfile.yaml index e698b063ed..0210a7b4d1 100644 --- a/Taskfile.yaml +++ b/Taskfile.yaml @@ -26,7 +26,7 @@ includes: dir: ./src/cli vars: - deckhouse_lib_helm_ver: 1.55.1 + deckhouse_lib_helm_ver: 1.72.0 TRIVY_VERSION: 0.55.0 target: "" VALIDATION_FILES: "tools/validation/{main,messages,diff,no_cyrillic,doc_changes}.go" 
@@ -102,16 +102,32 @@ tasks: deps: - check-helm cmds: - - helm repo add deckhouse https://deckhouse.github.io/lib-helm - - helm repo update deckhouse - - helm dep update + - | + echo -e "Step 1: Add deckhouse Helm repo\n" + helm repo add deckhouse https://deckhouse.github.io/lib-helm + echo -e "\nStep 2: Update deckhouse Helm repo\n" + helm repo update deckhouse + echo -e "\nStep 3: Update dependencies\n" + helm dep update helm-bump-helm-lib: deps: - check-yq cmds: + - | + lib_helm_ver=$(yq '.dependencies[] | select(.name == "deckhouse_lib_helm").version' Chart.yaml) + echo lib_helm version before update: $lib_helm_ver && echo - yq -i '.dependencies[] |= select(.name == "deckhouse_lib_helm").version = "{{ .deckhouse_lib_helm_ver }}"' Chart.yaml - task: helm-update-subcharts + - | + lib_helm_ver=$(yq '.dependencies[] | select(.name == "deckhouse_lib_helm").version' Chart.yaml) + echo && echo lib_helm version after update: $lib_helm_ver + + helm-render: + deps: + - check-helm + cmds: + - helm template virtualization . -f tools/kubeconform/fixtures/module-values.yaml --debug --devel > helm-template-render.yaml build: deps: diff --git a/charts/deckhouse_lib_helm-1.55.1.tgz b/charts/deckhouse_lib_helm-1.55.1.tgz deleted file mode 100644 index 73159b8f03..0000000000 Binary files a/charts/deckhouse_lib_helm-1.55.1.tgz and /dev/null differ diff --git a/charts/deckhouse_lib_helm-1.72.0.tgz b/charts/deckhouse_lib_helm-1.72.0.tgz new file mode 100644 index 0000000000..bf178e500c Binary files /dev/null and b/charts/deckhouse_lib_helm-1.72.0.tgz differ diff --git a/requirements.lock b/requirements.lock index 699cff2720..c297814352 100644 --- a/requirements.lock +++ b/requirements.lock 
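Review bot: Folding the three helm commands of `helm-update-subcharts` into a single `|` block changes the failure semantics: as three separate `cmds` entries a failing `helm repo add` stopped the task, whereas inside one multi-line script the later lines keep running unless the shell exits on error (I believe Task does not enable errexit by default; confirm for the Task version in use). Start the block with `set -e` (or add `set: [errexit]` to the task) so the echo steps do not mask a failed repo add or update. Separately, `helm-render` writes `helm-template-render.yaml` into the chart root and nothing in this change adds it to `.helmignore` or `.gitignore`, so a stale render could end up packaged or committed; consider writing it outside the chart root or ignoring it. The `$lib_helm_ver` expansions in the before/after echo lines are unquoted, which is harmless today but quoting them keeps the output stable if yq ever returns more than one line.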
@@ -1,6 +1,6 @@ dependencies: - name: deckhouse_lib_helm repository: https://deckhouse.github.io/lib-helm - version: 1.55.1 -digest: sha256:5bdef3964d2672b8ff290f32e22569bc502e040e4e70274cab1762f27d9982e0 -generated: "2025-05-30T11:27:37.094721+03:00" + version: 1.72.0 +digest: sha256:f726180e4e40570dbeb4ed1cf000fe1a971458e68272a246745ce8c00ccf2e36 +generated: "2026-06-03T23:47:51.611585+03:00" diff --git a/templates/kubevirt/_kubevirt_helpers.tpl b/templates/kubevirt/_kubevirt_helpers.tpl index a0ab7298d8..36f21d5e13 100644 --- a/templates/kubevirt/_kubevirt_helpers.tpl +++ b/templates/kubevirt/_kubevirt_helpers.tpl @@ -169,6 +169,46 @@ spec: '{{ include "kubevirt.virt_handler_probes_strategic_patch" . | fromYaml | toJson }}' {{- end }} + +{{- define "kubevirt.virt_handler_security_contexts_strategic_patch" -}} +spec: + template: + spec: + containers: + - name: virt-handler + securityContext: + privileged: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: true + runAsUser: 0 + runAsGroup: 0 + seLinuxOptions: + level: s0 + - name: virt-launcher-image-holder + securityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + initContainers: + - name: virt-launcher + securityContext: + privileged: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: true + runAsUser: 0 + runAsGroup: 0 +{{- end -}} + + +{{- define "kubevirt.virt_handler_security_contexts_strategic_patch_json" -}} +'{{ include "kubevirt.virt_handler_security_contexts_strategic_patch" . | fromYaml | toJson }}' +{{- end }} + + {{/* Calculate parallel migrations per cluster. This template returns: - Count of nodes with virt-handler if kubevirt config is in 'Deployed' phase. diff --git a/templates/kubevirt/kubevirt.yaml b/templates/kubevirt/kubevirt.yaml index be76ae70bc..2847af76f5 100644 --- a/templates/kubevirt/kubevirt.yaml +++ b/templates/kubevirt/kubevirt.yaml 
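Review bot: The `virt-launcher-image-holder` container in `kubevirt.virt_handler_security_contexts_strategic_patch` gets `readOnlyRootFilesystem`, dropped capabilities and a seccomp profile but no `runAsNonRoot`/`runAsUser`, and the link labels added in kubevirt.yaml name only the virt-handler and virt-launcher containers; if the namespace's new `restricted` pod policy requires non-root for every container, this one is neither compliant nor covered by an exception — please confirm which applies and either add `runAsNonRoot: true` with a non-zero `runAsUser` or link it to an exception. The `seLinuxOptions: level: s0` on virt-handler is the only SELinux setting in the patch and carries no explanation; a one-line comment stating why that level is pinned would help the next reader. Pairing `privileged: true` with `allowPrivilegeEscalation: true` on both privileged entries is expected rather than a mistake, since the API server rejects a privileged container with escalation disabled.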
@@ -290,10 +290,23 @@ env: type: strategic patch: '{"spec":{"template":{"spec":{"containers":[ {"name":"virt-controller","env":{{ include "virt-controller-additional-envs" . | fromYaml | pluck "env" | first | toJson }} } ]}}}}' - # Label for SecurityPolicyException +# Labels to link with SecurityPolicyExceptions. +{{ define "security-policy-exception-link-labels" }} +labels: + # main container. + security.deckhouse.io/security-policy-exception/virt-handler: virt-handler-ds-virt-handler-container + # node-labeller container + security.deckhouse.io/security-policy-exception/virt-launcher: virt-handler-ds-virt-launcher-container +{{ end }} + - resourceName: virt-handler + resourceType: DaemonSet + patch: '{"spec":{"template":{"metadata": {{ include "security-policy-exception-link-labels" . | fromYaml | toJson }} }}}' + type: strategic + + # Explicit values in securityContext for containers to support SecurityPolicyException. - resourceName: virt-handler resourceType: DaemonSet - patch: '{"spec":{"template":{"metadata":{"labels":{"security.deckhouse.io/security-policy-exception": "virt-handler-ds"}}}}}' + patch: {{ include "kubevirt.virt_handler_security_contexts_strategic_patch_json" . }} type: strategic # Expose virt-handler ports: health API (--port) and console server (--console-server-port). diff --git a/templates/kubevirt/virt-handler/security-policy-exception.yaml b/templates/kubevirt/virt-handler/security-policy-exception.yaml index b5cfff59e2..daa97f7e77 100644 --- a/templates/kubevirt/virt-handler/security-policy-exception.yaml +++ b/templates/kubevirt/virt-handler/security-policy-exception.yaml @@ -3,7 +3,7 @@ apiVersion: deckhouse.io/v1alpha1 kind: SecurityPolicyException metadata: - name: virt-handler-ds + name: virt-handler-ds-virt-handler-container namespace: d8-{{ .Chart.Name }} {{- include "helm_lib_module_labels" (list . (dict "app" .Chart.Name)) | nindent 2 }} spec: 
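Review bot: The exception names `virt-handler-ds-virt-handler-container` and `virt-handler-ds-virt-launcher-container` are now hard-coded twice, as label values in `security-policy-exception-link-labels` and as `metadata.name` of the two SecurityPolicyException objects in security-policy-exception.yaml; a typo on either side silently detaches the container from its exception, so deriving both from a shared define would keep them in sync. The new define also departs from the naming used by the neighbouring helpers (`kubevirt.virt_handler_…`); consider `kubevirt.security_policy_exception_link_labels` for consistency. The `{{ define }}`/`{{ end }}` pair is untrimmed, so the rendered manifest gains blank lines inside the patches list; harmless to YAML, but `{{- define … -}}`/`{{- end }}` matches the rest of the file.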
@@ -44,11 +44,26 @@ spec: description: | Virt-handler component needs hostNetwork to manipulate node route tables to allow traffic between virtual machines. + hostPorts: + - port: 4100 + protocol: TCP + metadata: + description: | + Allow hostPort 4100 for metrics and health check service. + Virt-handler component requires hostNetwork and metrics and health check service should be accessible via hostPort. + - port: 4101 + protocol: TCP + metadata: + description: | + Allow hostPort 4101 for console service. + Virt-handler component requires hostNetwork and console service should be accessible via hostPort. + hostPID: allowedValue: true metadata: description: Virt-handler component needs access to host PID. + # Allow mounting host directories. volumes: types: @@ -71,11 +86,16 @@ spec: metadata: description: | Allow read-write access to /var/lib/kubelet/pods hostPath volume. - - path: /var/lib/kubevirt-node-labeller + - path: /var/run/cilium + readOnly: false + metadata: + description: | + Allow read-write access to /var/run/cilium hostPath volume. + - path: /var/run/d8-virtualization/node-labeller readOnly: false metadata: description: | - Allow read-write access to /var/lib/kubevirt-node-labeller hostPath volume. + Allow read-write access to /var/run/d8-virtualization/node-labeller hostPath volume. - path: /var/run/kubevirt readOnly: false metadata: 
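Review bot: The new `/var/run/cilium` entry grants read-write access to the whole Cilium runtime directory with a description that only restates the path, unlike the other entries in this list which say which component needs the mount and why; please state the purpose (which socket or file virt-handler uses there) and confirm that `readOnly: true` is not sufficient, since write access to the agent's directory is a broad grant. The node-labeller path is renamed here to `/var/run/d8-virtualization/node-labeller`; note that the second exception added further down in this file allows `/var/lib/d8-virtualization/node-labeller` for what appears to be the same volume, so one of the two looks wrong.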
@@ -92,4 +112,62 @@ spec: description: | Allow read-write access to /var/run/kubevirt-private hostPath volume. +--- +# SecurityPolicyException for node-labeller (it is named as virt-launcher container). +apiVersion: deckhouse.io/v1alpha1 +kind: SecurityPolicyException +metadata: + name: virt-handler-ds-virt-launcher-container + namespace: d8-{{ .Chart.Name }} + {{- include "helm_lib_module_labels" (list . (dict "app" .Chart.Name)) | nindent 2 }} +spec: + securityContext: + runAsUser: + allowedValues: + - 0 + metadata: + description: | + Allow virt-handler container to run as root user (UID 0). + Virt-handler component requires root privileges to properly communicate with the KVM subsystem. + + runAsNonRoot: + allowedValue: false + metadata: + description: | + Allow containers to run as root user (non-root disabled). + Virt-handler component requires root privileges to access kernel-level resources and interact with system calls. + + allowPrivilegeEscalation: + allowedValue: true + metadata: + description: | + Allow privilege escalation for the virt-handler container. + Virt-handler component requires privilege escalation to access kernel-level system calls. + + privileged: + allowedValue: true + metadata: + description: | + Allow privileged mode for the virt-handler. + Virt-handler component requires privileged access to interact with the KVM subsystem and Linux kernel. + + + # Allow mounting host directories. + volumes: + types: + allowedValues: + - hostPath + metadata: + description: | + Allow hostPath volume type for node-labeller. + node-labeller container of the virt-handler DaemonSet requires access to host filesystem to share virsh capabilities with the main virt-handler container. + + hostPath: + allowedValues: + - path: /var/lib/d8-virtualization/node-labeller + readOnly: false + metadata: + description: | + Allow read-write access to /var/run/d8-virtualization/node-labeller hostPath volume. + {{- end }} 
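Review bot: The hostPath entry of the new `virt-handler-ds-virt-launcher-container` exception allows `path: /var/lib/d8-virtualization/node-labeller` while its own description and the first exception in this file refer to `/var/run/d8-virtualization/node-labeller`; if the DaemonSet mounts the `/var/run` path, the node-labeller container will fail the policy check once enforcement is on. The securityContext descriptions in this object are copied from the virt-handler container (`Allow virt-handler container to run as root user (UID 0).`, `Allow privileged mode for the virt-handler.`) although the object covers the node-labeller/virt-launcher container; rewording them to name that container keeps the audit trail accurate. Since the virt-launcher init container in the strategic patch sets no `capabilities.drop` or `seccompProfile`, confirm whether this exception also needs `capabilities`/`seccompProfile` entries as the virtualization-dra one does.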
diff --git a/templates/namespace.yaml b/templates/namespace.yaml index dc19617aa3..9022b71f74 100644 --- a/templates/namespace.yaml +++ b/templates/namespace.yaml @@ -4,6 +4,8 @@ d8-{{ .Chart.Name }} {{- define "namespace.labels" }} prometheus.deckhouse.io/rules-watcher-enabled: "true" +security.deckhouse.io/pod-policy: "restricted" +security.deckhouse.io/enable-security-policy-check: "true" {{- end }} {{/* add these labels back to namespace.labels when fix templates for privileged Pods */}} diff --git a/templates/virtualization-dra/daemonset.yaml b/templates/virtualization-dra/daemonset.yaml index 871c2845f8..1f64cc814d 100644 --- a/templates/virtualization-dra/daemonset.yaml +++ b/templates/virtualization-dra/daemonset.yaml @@ -11,7 +11,7 @@ memory: 25Mi {{- end }} -{{- if eq (include "virtualization-dra.isEnabled" .) "true" }} +{{/* - if eq (include "virtualization-dra.isEnabled" .) "true" */}} {{- if (.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }} --- @@ -63,6 +63,13 @@ spec: Allow containers to run as root user (non-root disabled). Virtualization DRA component requires root privileges to access kernel-level resources and interact with system calls. + allowPrivilegeEscalation: + allowedValue: true + metadata: + description: | + Allow privilege escalation for the virt-handler container. + Virt-handler component requires privilege escalation to access kernel-level system calls. + privileged: allowedValue: true metadata: 
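Review bot: The `{{/* add these labels back to namespace.labels when fix templates for privileged Pods */}}` comment right below the hunk appears to refer to exactly the `security.deckhouse.io/pod-policy` and `enable-security-policy-check` labels this change adds back, so it is now stale; remove it (and whatever it was guarding, if still present elsewhere in this file) in the same commit. If not all privileged-pod templates are fixed yet — the virtualization-dra changes in this commit still carry TODO workarounds — a short comment saying the check is enabled deliberately with exceptions in place would explain the timing.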
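Review bot: Turning `{{- if eq (include "virtualization-dra.isEnabled" .) "true" }}` into a comment, together with the matching `{{/*- end */}}` at the end of this file, makes the virtualization-dra DaemonSet, its VPA and its SecurityPolicyException render unconditionally, so a cluster with DRA disabled now gets a privileged DaemonSet on every node; nothing in the diff indicates this is intended, so it reads as a debugging leftover. If the intent is to always deploy it, delete the commented-out guard and the `isEnabled` helper rather than leaving dead template code; otherwise restore both lines.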
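Review bot: The new `allowPrivilegeEscalation` description in the virtualization-dra exception is copied from virt-handler (`Allow privilege escalation for the virt-handler container.` / `Virt-handler component requires privilege escalation …`), while the neighbouring entries in this object name the Virtualization DRA component; replace it with `Allow privilege escalation for the virtualization-dra container.` and a second line giving the actual reason DRA needs it, so the exception documents the workload it covers.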
@@ -70,6 +77,24 @@ spec: Allow privileged mode for the virtualization-dra DaemonSet. Virtualization DRA component requires privileged access to interact with the KVM subsystem and Linux kernel. + capabilities: + allowedValues: + add: + - SYS_MODULE + # TODO: a simple workaround before specifying proper drop values for all containers. + drop: [] + metadata: + description: | + Allow Virtualization DRA component to have access to load eBPF and manage host route. + + seccompProfile: + # TODO: a simple workaround before specifying proper seccompProfiles for all containers. + allowedValues: + - undefined + metadata: + description: | + Allow empty seccompProfile until specified. + network: hostNetwork: allowedValue: true @@ -238,4 +263,4 @@ spec: - name: var-run hostPath: path: /var/run -{{- end }} +{{/*- end */}} diff --git a/templates/vm-route-forge/daemonset.yaml b/templates/vm-route-forge/daemonset.yaml index 62b08cbc13..78e469e0fb 100644 --- a/templates/vm-route-forge/daemonset.yaml +++ b/templates/vm-route-forge/daemonset.yaml @@ -59,6 +59,13 @@ spec: Allow containers to run as root user (non-root disabled). VM route forge component requires root privileges to interact with the host network layer. + allowPrivilegeEscalation: + allowedValue: true + metadata: + description: | + Allow privilege escalation. + VM route forge component requires privileges escalation to interact with the host network layer. + privileged: allowedValue: true metadata: @@ -66,6 +73,17 @@ spec: Allow privileged mode. VM route forge component requires privileged access to interact with the host network layer. + capabilities: + allowedValues: + add: + - NET_ADMIN + drop: + - ALL + metadata: + description: | + Allow NET_ADMIN capability. + VM route forge component requires NET_ADMIN capability to interact with the host network layer. + network: hostNetwork: allowedValue: true 
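Review bot: The `capabilities` entry allows adding `SYS_MODULE` with a description saying the component needs to load eBPF and manage host routes, but CAP_SYS_MODULE governs loading kernel modules, not BPF programs or routing (those map to `BPF`/`SYS_ADMIN` and `NET_ADMIN`); either the capability or the description is wrong, and since `privileged: true` is already allowed above, the capability list may not be needed at all. `drop: []` together with `allowedValues: [undefined]` for `seccompProfile` turns two restricted-profile checks into no-ops for this DaemonSet; the TODOs acknowledge it, but a tracking reference in the comment (placeholder: `# TODO(<issue-id>)`) would stop them from lingering.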
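Review bot: The vm-route-forge exception keeps `privileged: allowedValue: true` and now also allows `allowPrivilegeEscalation: true`, yet the container further down in this file is switched to `helm_lib_module_container_security_context_pss_restricted_flexible` with only `NET_ADMIN` added, which by its name should render a non-privileged, no-escalation context; if that is what the helper produces, the exception is broader than the workload and the `privileged`/`allowPrivilegeEscalation` entries can be removed so the policy actually constrains the pod. Please check the helper's rendered output before dropping them.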
@@ -73,6 +91,19 @@ spec: description: | VM route forge component needs hostNetwork to manipulate node route tables to allow traffic between virtual machines. + hostPorts: + - port: 4105 + protocol: TCP + metadata: + description: | + Allow hostPort 4105 for health check service. + VM route forge component requires hostNetwork and health check service should be accessible via hostPort. + - port: 4106 + protocol: TCP + metadata: + description: | + Allow hostPort 4106 for pprof service. + VM route forge component requires hostNetwork and pprof service should be accessible via hostPort. {{- end }} --- @@ -108,7 +139,7 @@ spec: {{- range .Values.virtualization.internal.moduleConfig.virtualMachineCIDRs }} - --cidr={{ . }} {{- end }} - {{- include "helm_lib_module_container_security_context_privileged_read_only_root_filesystem" . | nindent 10 }} + {{- include "helm_lib_module_container_security_context_pss_restricted_flexible" (dict "ro" true "caps" (list "NET_ADMIN") "uid" 0 "runAsNonRoot" false) | nindent 10 }} image: {{ include "helm_lib_module_image" (list . "vmRouteForge") }} imagePullPolicy: "IfNotPresent" env: @@ -159,5 +190,4 @@ spec: periodSeconds: 1 failureThreshold: 3 {{- end }} - {{- end }}
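Review bot: `hostPort 4106` exposes the vm-route-forge pprof endpoint on every node's host network, and allowing it in the exception makes that exposure permanent policy rather than a debugging aid. If pprof is not needed in production, drop the 4106 entry and bind pprof to loopback or gate it behind a flag; if it is needed, the description should say who is expected to reach it and what restricts access.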