fix: adds security context to init containers; change default to comp…

…liant restricted policy (#37)
c6o · Jun 21, 2024 · 1ffb277 · 1ffb277
1 parent abc788a
commit 1ffb277
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 4 deletions.
diff --git a/charts/codezero/templates/lb/deployment.yaml b/charts/codezero/templates/lb/deployment.yaml
@@ -21,6 +21,8 @@ spec:
         {{- toYaml .Values.lb.podSecurityContext | nindent 8 }}
       initContainers:
         - name: wait-for-cert
+          securityContext:
+            {{- toYaml .Values.lb.securityContext | nindent 12 }}
           image: public.ecr.aws/docker/library/busybox:1.36
           command: ["sh", "-c", "for i in `seq 1 20`; do sleep 0.5; if [ -e /etc/ssl/certs/space/server.pem ]; then exit 0; fi; done; exit 1"]
           volumeMounts:

diff --git a/charts/codezero/templates/orchestrator/deployment.yaml b/charts/codezero/templates/orchestrator/deployment.yaml
@@ -21,6 +21,8 @@ spec:
         {{- toYaml .Values.orchestrator.podSecurityContext | nindent 8 }}
       initContainers:
         - name: wait-for-cert
+          securityContext:
+            {{- toYaml .Values.orchestrator.securityContext | nindent 12 }}
           image: public.ecr.aws/docker/library/busybox:1.36
           command: ["sh", "-c", "for i in `seq 1 20`; do sleep 0.5; if [ -e /etc/ssl/certs/space/ca.pem ]; then exit 0; fi; done; exit 1"]
           volumeMounts:

diff --git a/charts/codezero/templates/system/deployment.yaml b/charts/codezero/templates/system/deployment.yaml
@@ -21,6 +21,8 @@ spec:
         {{- toYaml .Values.system.podSecurityContext | nindent 8 }}
       initContainers:
         - name: space-init
+          securityContext:
+            {{- toYaml .Values.system.securityContext | nindent 12 }}
           image: "c6oio/spaceinit:{{ default .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.system.image.pullPolicy }}
           env:
@@ -44,6 +46,8 @@ spec:
               name: space-cert
               readOnly: true
         - name: wait-for-orchestrator
+          securityContext:
+            {{- toYaml .Values.system.securityContext | nindent 12 }}
           image: public.ecr.aws/docker/library/busybox:1.36
           command: ["sh", "-c", "for i in `seq 1 60`; do if wget --spider --quiet 'http://orchestrator:8900'; then exit 0; fi; sleep 0.5; done; exit 1"]
       containers:

diff --git a/charts/codezero/values.yaml b/charts/codezero/values.yaml
@@ -32,7 +32,16 @@ system:
   podLabels: { }
 
   podSecurityContext: { }
-  securityContext: { }
+  securityContext:
+    runAsNonRoot: true
+    runAsUser: 1000
+    runAsGroup: 1000
+    allowPrivilegeEscalation: true
+    capabilities:
+      drop:
+        - ALL
+    seccompProfile:
+      type: RuntimeDefault
 
   resources: { }
   nodeSelector: { }
@@ -56,7 +65,16 @@ orchestrator:
   podLabels: { }
 
   podSecurityContext: { }
-  securityContext: { }
+  securityContext:
+    runAsNonRoot: true
+    runAsUser: 1000
+    runAsGroup: 1000
+    allowPrivilegeEscalation: true
+    capabilities:
+      drop:
+        - ALL
+    seccompProfile:
+      type: RuntimeDefault
 
   resources: { }
   nodeSelector: { }
@@ -89,8 +107,6 @@ lb:
     capabilities:
       drop:
         - ALL
-      add:
-        - NET_BIND_SERVICE
     seccompProfile:
       type: RuntimeDefault