Microsoft recommendations to improve security and resilience in the Grafana service

sairinraychoudhury · September 18, 2024, 7:20pm

Hi Everyone,

Needed advice from community members. We have deployed Grafana 11.1.4 using helm in Microsoft Azure Kubernetes Service (AKS). Also during an assessment of our platform towards improved security & resilience angle received below recommendations from Microsoft experts to be implemented.

Least privileged Linux capabilities should be enforced for containers
The root access inside the service container should be avoided.

We are not sure if above actions when implemented will have an impact on Promotheus Grafana since we used default Promotheus Grafana configs which are in helm chart for Promotheus Grafana.

Could anyone from the community please help or guide us on below queries?

Have you tried implementing custom configs apart from default configs provided?
Do you have a view of the impact by any means if we go ahead and implement this?
Are there any other general recommendation towards achieving this?

jangaraj · September 18, 2024, 9:11pm

I would use better helm chart. I would say official one has decent security (when PodSecurityPolicy is enabled):

github.com

grafana/helm-charts/blob/main/charts/grafana/templates/podsecuritypolicy.yaml

{{- if and .Values.rbac.pspEnabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: {{ include "grafana.fullname" . }}
  labels:
    {{- include "grafana.labels" . | nindent 4 }}
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
    {{- if .Values.rbac.pspUseAppArmor }}
    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
    {{- end }}
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    # Default set from Docker, with DAC_OVERRIDE and CHOWN
      - ALL

This file has been truncated. show original

sairinraychoudhury · September 22, 2024, 7:14pm

Hi @jangaraj,
Thank you for your suggestion. I want to know if do you have a view of the impact by any means if we go ahead and implement this?

Topic		Replies	Views
Problem deploying Grafana loki-stack 7-5 on AKS Installation	0	518	June 30, 2022
Documentation on How to Install Grafana on Kubernetes using Helm Charts Installation kubernetes , helm	3	680	June 9, 2024
Integration of Grafana with Azure Active Directory azure	2	1665	December 11, 2019
Dashboard Provisioning deploying to Kubernetes using Helm charts Dashboards	0	363	November 29, 2023
Grafana instance on AKS with AAD doesn't work Installation azure , azure-ad	0	738	January 27, 2022

Microsoft recommendations to improve security and resilience in the Grafana service

Related topics