Feat(#199): hardening cleaner, making desktop a little better
commjoen committed Mar 8, 2023
1 parent 6891d26 commit 23db884
Showing 3 changed files with 28 additions and 17 deletions.
15 changes: 12 additions & 3 deletions helm/wrongsecrets-ctf-party/templates/cleanup/cron-job.yaml
Expand Up @@ -20,13 +20,22 @@ spec:
helm.sh/chart: {{ include "wrongsecrets-ctf-party.chart" . }}
spec:
serviceAccountName: 'wrongsecrets-cleaner'
{{- with .Values.wrongsecretsCleanup.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
runAsUser: 1000
runAsGroup: 3000
fsGroup: 2000
containers:
- image: '{{ .Values.wrongsecretsCleanup.repository }}:{{ .Values.wrongsecretsCleanup.tag | default (printf "v%s" .Chart.Version) }}'
imagePullPolicy: {{ .Values.imagePullPolicy | quote }}
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
name: 'cleanup-job'
env:
- name: NAMESPACE
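Review bot: The pod-level `securityContext:` after `serviceAccountName` now hard-codes `runAsUser`, `runAsGroup` and `fsGroup` in the template, and the `{{- with .Values.wrongsecretsCleanup.securityContext }}` / `{{- toYaml . | nindent 12 }}` / `{{- end }}` wrapper is gone, so a `wrongsecretsCleanup.securityContext` that an existing values file still sets will be silently ignored (the values.yaml hunk in this commit removes the key on the chart side, but users' own overrides are not updated). The fixed uid/gid and the container's `readOnlyRootFilesystem: true` also assume the cleaner image runs as uid 1000 without writing to its root filesystem, which this hunk cannot confirm. Consider keeping the fixed values as chart defaults in values.yaml and rendering them through the same `with` / `toYaml` pattern as before, or at least put a comment above the block such as `# fixed uid/gid for the cleaner; intentionally not overridable via values`. Rendered indentation of the new lines is not visible on this page, so check that `runAsUser` and friends land under the pod `securityContext:` and not under `spec:`. The enclosing template spec continues outside the hunk.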
10 changes: 1 addition & 9 deletions helm/wrongsecrets-ctf-party/values.yaml
Expand Up @@ -221,6 +221,7 @@ virtualdesktop:
runtimeClassName: {}
affinity: {}
# -- Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables)

envFrom: []
tolerations: []

Expand All @@ -242,15 +243,6 @@ wrongsecretsCleanup:
memory: 256Mi
limits:
memory: 256Mi
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
# -- Optional Configure kubernetes scheduling affinity for the wrongsecretsCleanup Job(see: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity)
affinity: {}
# -- Optional Configure kubernetes toleration for the wrongsecretsCleanup Job (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
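Review bot: The single addition in the first hunk appears to be the blank line between the `# -- Optional mount environment variables ...` comment and `envFrom: []`; if that is the added line, it separates a helm-docs style `# --` description from the key it documents, which may cause generated chart docs to lose the description for `virtualdesktop.envFrom`. Keep the comment directly above `envFrom: []` and place any spacing line above the comment instead. The second hunk drops the whole `securityContext` block under `wrongsecretsCleanup`; since the cron-job template in this commit now fixes those settings, a one-line comment at that spot, e.g. `# -- securityContext for the cleaner is fixed in templates/cleanup/cron-job.yaml`, would tell chart users why the key no longer exists rather than leaving it to disappear silently.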
20 changes: 15 additions & 5 deletions wrongsecrets-balancer/src/kubernetes.js
Expand Up @@ -35,7 +35,7 @@ const createNameSpaceForTeam = async (team) => {
labels: {
name: `t-${team}`,
'pod-security.kubernetes.io/audit': 'restricted',
'pod-security.kubernetes.io/enforce': 'baseline',
// 'pod-security.kubernetes.io/enforce': 'baseline',
},
};
k8sCoreApi.createNamespace(namedNameSpace).catch((error) => {
Expand Down Expand Up @@ -1097,15 +1097,25 @@ const createDesktopDeploymentForTeam = async ({ team, passcodeHash }) => {
'ephemeral-storage': '8Gi',
},
},
// resources: get('virtualdesktop.resources'),
// // resources: get('virtualdesktop.resources'),
securityContext: {
allowPrivilegeEscalation: true,
readOnlyRootFilesystem: false,
runAsNonRoot: false,
capabilities: { drop: ['ALL'], add:['CAP_SETGID','CAP_SETUID','CAP_CHOWN'] },
seccompProfile: { type: 'Unconfined' },
// capabilities: { drop: ['ALL'], add:['CAP_SETGID','CAP_SETUID','CAP_CHOWN'] },
seccompProfile: { type: 'RuntimeDefault' },
},
env: [...get('virtualdesktop.env', [])],
env: [
{
name: 'PUID',
value: '1000',
},
{
name: 'PGID',
value: '1000',
},
...get('virtualdesktop.env', [])
],
envFrom: get('virtualdesktop.envFrom'),
ports: [
{
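Review bot: Commenting out `'pod-security.kubernetes.io/enforce': 'baseline'` in `createNameSpaceForTeam` removes the only enforcing Pod Security Admission label on team namespaces; `audit: restricted` only records violations, so absent a cluster-wide default any pod spec is now admitted into a team namespace, which runs against the commit title's hardening intent. If the desktop deployment is what was failing `baseline`, the second hunk's move to `seccompProfile: { type: 'RuntimeDefault' }` and the removal of the `add:` capabilities should already bring it within `baseline`, so the label can likely stay; otherwise add `'pod-security.kubernetes.io/warn': 'baseline',` so violations at least surface instead of leaving a dead commented line. Separately, in `createDesktopDeploymentForTeam` the container keeps `runAsNonRoot: false` but now has `drop: ['ALL']` with nothing re-added, while the new `PUID` / `PGID` env entries suggest the image switches to uid/gid 1000 at startup; if it does so via setuid/setgid and chown it will need `CAP_SETUID`, `CAP_SETGID` and `CAP_CHOWN`, so verify the desktop still starts with this capability set. Both functions start and end outside the hunks shown.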
