diff --git a/helm/wrongsecrets-ctf-party/templates/cleanup/cron-job.yaml b/helm/wrongsecrets-ctf-party/templates/cleanup/cron-job.yaml
index 2863a84e..462946f7 100644
--- a/helm/wrongsecrets-ctf-party/templates/cleanup/cron-job.yaml
+++ b/helm/wrongsecrets-ctf-party/templates/cleanup/cron-job.yaml
@@ -20,13 +20,22 @@ spec:
 helm.sh/chart: {{ include "wrongsecrets-ctf-party.chart" . }}
 spec:
 serviceAccountName: 'wrongsecrets-cleaner'
- {{- with .Values.wrongsecretsCleanup.securityContext }}
 securityContext:
- {{- toYaml . | nindent 12 }}
- {{- end }}
+ runAsUser: 1000
+ runAsGroup: 3000
+ fsGroup: 2000
 containers:
 - image: '{{ .Values.wrongsecretsCleanup.repository }}:{{ .Values.wrongsecretsCleanup.tag | default (printf "v%s" .Chart.Version) }}'
 imagePullPolicy: {{ .Values.imagePullPolicy | quote }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
 name: 'cleanup-job'
 env:
 - name: NAMESPACE
diff --git a/helm/wrongsecrets-ctf-party/values.yaml b/helm/wrongsecrets-ctf-party/values.yaml
index aeed4ce3..fd780cc1 100644
--- a/helm/wrongsecrets-ctf-party/values.yaml
+++ b/helm/wrongsecrets-ctf-party/values.yaml
@@ -221,6 +221,7 @@ virtualdesktop:
 runtimeClassName: {}
 affinity: {}
 # -- Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables)
+ envFrom: []
 tolerations: []
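Review bot: The pod-level securityContext is now hard-coded, so the `wrongsecretsCleanup.securityContext` value the template used to render through `toYaml` (and which the values.yaml hunk at -242 deletes) no longer has any effect, and an operator who still sets it in their own values file gets their override silently ignored. Keeping the container-level hardening fixed is reasonable, but the uid/gid triple should stay overridable with a documented default, e.g. under `securityContext:` render `{{- toYaml (.Values.wrongsecretsCleanup.podSecurityContext | default (dict "runAsUser" 1000 "runAsGroup" 3000 "fsGroup" 2000)) | nindent 12 }}` and add the matching `podSecurityContext` default to values.yaml. The 1000/3000/2000 triple is the one used in the Kubernetes securityContext documentation example; confirm that uid 1000 is the user the cleaner image actually runs as and can read its files, since the container also gets `readOnlyRootFilesystem: true` and no writable volume appears in this hunk. The CronJob template continues outside the hunk.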
@@ -242,15 +243,6 @@ wrongsecretsCleanup:
 memory: 256Mi
 limits:
 memory: 256Mi
- securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- capabilities:
- drop:
- - ALL
- seccompProfile:
- type: RuntimeDefault
 # -- Optional Configure kubernetes scheduling affinity for the wrongsecretsCleanup Job(see: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity)
 affinity: {}
 # -- Optional Configure kubernetes toleration for the wrongsecretsCleanup Job (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
diff --git a/wrongsecrets-balancer/src/kubernetes.js b/wrongsecrets-balancer/src/kubernetes.js
index cd2c3ca7..2a144ac0 100644
--- a/wrongsecrets-balancer/src/kubernetes.js
+++ b/wrongsecrets-balancer/src/kubernetes.js
@@ -35,7 +35,7 @@ const createNameSpaceForTeam = async (team) => {
 labels: {
 name: `t-${team}`,
 'pod-security.kubernetes.io/audit': 'restricted',
- 'pod-security.kubernetes.io/enforce': 'baseline',
+ // 'pod-security.kubernetes.io/enforce': 'baseline',
 },
 };
 k8sCoreApi.createNamespace(namedNameSpace).catch((error) => {
@@ -1097,15 +1097,25 @@ const createDesktopDeploymentForTeam = async ({ team, passcodeHash }) => {
 'ephemeral-storage': '8Gi',
 },
 },
- // resources: get('virtualdesktop.resources'),
+ // // resources: get('virtualdesktop.resources'),
 securityContext: {
 allowPrivilegeEscalation: true,
 readOnlyRootFilesystem: false,
 runAsNonRoot: false,
- capabilities: { drop: ['ALL'], add:['CAP_SETGID','CAP_SETUID','CAP_CHOWN'] },
- seccompProfile: { type: 'Unconfined' },
+ // capabilities: { drop: ['ALL'], add:['CAP_SETGID','CAP_SETUID','CAP_CHOWN'] },
+ seccompProfile: { type: 'RuntimeDefault' },
 },
- env: [...get('virtualdesktop.env', [])],
+ env: [
+ {
+ name: 'PUID',
+ value: '1000',
+ },
+ {
+ name: 'PGID',
+ value: '1000',
+ },
+ ...get('virtualdesktop.env', [])
+ ],
 envFrom: get('virtualdesktop.envFrom'),
 ports: [
 {
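Review bot: Commenting out the `pod-security.kubernetes.io/enforce` label removes the only Pod Security Admission enforcement on the per-team namespace; with just `audit: restricted` left, a pod that violates baseline (privileged, hostPath, hostNetwork, seccomp `Unconfined`) is still admitted and merely logged. The seccomp change in the hunk at +1097 removes the one baseline violation visible in this diff, so it is not clear from the code why enforcement also has to go. If disabling it is intentional, replace the commented-out line with a comment stating the reason and keep at least `'pod-security.kubernetes.io/warn': 'baseline',` so violations still surface on apply; otherwise restore `'pod-security.kubernetes.io/enforce': 'baseline',`. `createNameSpaceForTeam` continues outside the hunk.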
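Review bot: Commenting out the `capabilities` line does not only drop the three additions, it also removes `drop: ['ALL']`, so the desktop container now keeps the container runtime's full default capability set instead of exactly SETGID/SETUID/CHOWN. If the original line was failing because Kubernetes spells capability names without the `CAP_` prefix, the fix is `capabilities: { drop: ['ALL'], add: ['SETGID', 'SETUID', 'CHOWN'] },` rather than deleting the restriction, and that spelling also stays inside the baseline allow-list. Separately, the new `env` array places the hard-coded PUID/PGID entries before the `virtualdesktop.env` spread, so an operator-supplied PUID yields two entries with the same name, and which one the kubelet honours is something to verify rather than rely on — filter the spread by name or drop the hard-coded pair when the override is present. The doubled `// //` on the resources line and the missing trailing comma after the spread are lint noise; delete the dead line rather than commenting it twice. `createDesktopDeploymentForTeam` starts and ends outside the hunk.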