Merge pull request #70 from checkr/add-security-context

Update helm chart generation
checkr · May 8, 2024 · b645bff · b645bff
2 parents 9970634 + 363d93a
commit b645bff
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 0 deletions.
diff --git a/.github/workflows/main.js.yml b/.github/workflows/main.js.yml
@@ -11,6 +11,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v3
+    - name: Use Node.js
+      uses: actions/setup-node@v3
+      with:
+        node-version: 16.x
     - run: yarn setup
     - run: yarn lint:js
     - run: yarn lint:style

diff --git a/Dockerfile b/Dockerfile
@@ -1,9 +1,13 @@
 FROM node:16.19.0
 
+RUN mkdir -p /usr/src/app
+RUN chown -R 1001:1001 /usr/src/app
+
 WORKDIR /usr/src/app
 
 COPY . .
 RUN yarn install --frozen-lockfile
 RUN yarn heroku-postbuild
 
+USER 1001
 EXPOSE 8000
diff --git a/bin/generate_chart.sh b/bin/generate_chart.sh
@@ -13,6 +13,17 @@ printf "  alias: $CHART_ALIAS\n" >> .gitops/helm/oauth-reference-integration/Cha
 printf "microservice:\n" > .gitops/helm/oauth-reference-integration/sandbox_us.yaml
 printf "  environment: sandbox\n" >> .gitops/helm/oauth-reference-integration/sandbox_us.yaml
 printf "  nameOverride: oauth-reference-integration\n" >> .gitops/helm/oauth-reference-integration/sandbox_us.yaml
+printf "  deploymentDefaults:\n" >> .gitops/helm/oauth-reference-integration/sandbox_us.yaml
+printf "    containerSecurityContext:\n" >> .gitops/helm/oauth-reference-integration/sandbox_us.yaml
+printf "      allowPrivilegeEscalation: false\n" >> .gitops/helm/oauth-reference-integration/sandbox_us.yaml
+printf "      capabilities:\n" >> .gitops/helm/oauth-reference-integration/sandbox_us.yaml
+printf "        drop:\n" >> .gitops/helm/oauth-reference-integration/sandbox_us.yaml
+printf "          - ALL\n" >> .gitops/helm/oauth-reference-integration/sandbox_us.yaml
+printf "    securityContext:\n" >> .gitops/helm/oauth-reference-integration/sandbox_us.yaml
+printf "      runAsUser: 1001\n" >> .gitops/helm/oauth-reference-integration/sandbox_us.yaml
+printf "      runAsGroup: 1001\n" >> .gitops/helm/oauth-reference-integration/sandbox_us.yaml
+printf "      fsGroup: 1001\n" >> .gitops/helm/oauth-reference-integration/sandbox_us.yaml
+printf "      runAsNonRoot: true\n" >> .gitops/helm/oauth-reference-integration/sandbox_us.yaml
 printf "  podDefaults:\n" >> .gitops/helm/oauth-reference-integration/sandbox_us.yaml
 printf "    env:\n" >> .gitops/helm/oauth-reference-integration/sandbox_us.yaml
 printf "      sandbox:\n" >> .gitops/helm/oauth-reference-integration/sandbox_us.yaml