fix: typos in podSecurityContext/containerSecurityContext

evgkrsk · Apr 14, 2022 · b3ffe17 · b3ffe17
1 parent 83a911d
commit b3ffe17
Show file tree

Hide file tree

Showing 10 changed files with 102 additions and 9 deletions.
diff --git a/charts/universal-chart/CHANGELOG.md b/charts/universal-chart/CHANGELOG.md
@@ -1,5 +1,13 @@
 # Changelog
 
+## 3.0.2 - April 14, 2022
+
+* fix: typos in podSecurityContext/containerSecurityContext
+
+## 3.0.1 - April 14, 2022
+
+* technical release without changes
+
 ## 3.0.0 - April 14, 2022
 
 * `jobs`, `cronJobs` and `servicemonitors` now is maps, where key is a name

diff --git a/charts/universal-chart/Chart.yaml b/charts/universal-chart/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 description: Nixys universal Helm chart for deploy your apps to Kubernetes
 name: universal-chart
-version: 3.0.1
+version: 3.0.2
 maintainers:
 - name: Roman Andreev
   email: [email protected]

diff --git a/charts/universal-chart/results/cronJobs.yaml b/charts/universal-chart/results/cronJobs.yaml
@@ -108,6 +108,28 @@ spec:
                   - "default"
                   topologyKey: kubernetes.io/hostname
                 weight: 1
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - AUDIT_WRITE
+              - CHOWN
+              - DAC_OVERRIDE
+              - FOWNER
+              - FSETID
+              - KILL
+              - MKNOD
+              - NET_ADMIN
+              - NET_BIND_SERVICE
+              - NET_RAW
+              - SETFCAP
+              - SETGID
+              - SETPCAP
+              - SETUID
+              - SYS_CHROOT
+            readOnlyRootFilesystem: false
+            runAsNonRoot: true
+            runAsUser: 1000
 
           containers:
           - name: check22

diff --git a/charts/universal-chart/results/web-app.values.yml b/charts/universal-chart/results/web-app.values.yml
@@ -66,7 +66,29 @@ spec:
       containers:
       - name: test
         image: registry.org/my-app:latest
-        imagePullPolicy: IfNotPresent        
+        imagePullPolicy: IfNotPresent
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - AUDIT_WRITE
+            - CHOWN
+            - DAC_OVERRIDE
+            - FOWNER
+            - FSETID
+            - KILL
+            - MKNOD
+            - NET_ADMIN
+            - NET_BIND_SERVICE
+            - NET_RAW
+            - SETFCAP
+            - SETGID
+            - SETPCAP
+            - SETUID
+            - SYS_CHROOT
+          readOnlyRootFilesystem: false
+          runAsNonRoot: true
+          runAsUser: 1000        
         env:
         - name: MY_ENV
           value: "1234"        

diff --git a/charts/universal-chart/samples/cronJobs.yaml b/charts/universal-chart/samples/cronJobs.yaml
@@ -8,3 +8,25 @@ cronJobs:
   check2:
     name: check22
     command: "just check2"
+    podSecurityContext:
+      capabilities:
+        drop: # ref: https://raw.githubusercontent.com/FairwindsOps/polaris/master/checks/insecureCapabilities.yaml
+        - AUDIT_WRITE
+        - CHOWN
+        - DAC_OVERRIDE
+        - FOWNER
+        - FSETID
+        - KILL
+        - MKNOD
+        - NET_ADMIN
+        - NET_BIND_SERVICE
+        - NET_RAW
+        - SETFCAP
+        - SETGID
+        - SETPCAP
+        - SETUID
+        - SYS_CHROOT
+      runAsNonRoot: true
+      runAsUser: 1000
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: false
diff --git a/charts/universal-chart/samples/web-app.values.yml b/charts/universal-chart/samples/web-app.values.yml
@@ -81,6 +81,28 @@ deployments:
         mountPath: /etc/nginx/nginx.conf
         subPath: nginx.conf
       name: test
+      containerSecurityContext:
+        capabilities:
+          drop: # ref: https://raw.githubusercontent.com/FairwindsOps/polaris/master/checks/insecureCapabilities.yaml
+          - AUDIT_WRITE
+          - CHOWN
+          - DAC_OVERRIDE
+          - FOWNER
+          - FSETID
+          - KILL
+          - MKNOD
+          - NET_ADMIN
+          - NET_BIND_SERVICE
+          - NET_RAW
+          - SETFCAP
+          - SETGID
+          - SETPCAP
+          - SETUID
+          - SYS_CHROOT
+        runAsNonRoot: true
+        runAsUser: 1000
+        allowPrivilegeEscalation: false
+        readOnlyRootFilesystem: false
     volumes:
     - name: secret-files
       type: secret

diff --git a/charts/universal-chart/templates/cronjob.yml b/charts/universal-chart/templates/cronjob.yml
@@ -115,7 +115,7 @@ spec:
             podAntiAffinity: {{- include "helpers.affinities.pods" (dict "type" $.Values.podAntiAffinityPreset "context" $) | nindent 14 }}
           {{- end }}
           {{- with .podSecurityContext }}
-          securityContext: {{- include "helpers.tplvalues.render" (dict "value" . "context" $) nindent 12 }}
+          securityContext: {{- include "helpers.tplvalues.render" (dict "value" . "context" $) | nindent 12 }}
           {{- end }}
           {{- if .dnsPolicy }}
           dnsPolicy: {{ .dnsPolicy }}

diff --git a/charts/universal-chart/templates/deployment.yml b/charts/universal-chart/templates/deployment.yml
@@ -52,9 +52,6 @@ spec:
         podAffinity: {{- include "helpers.affinities.pods" (dict "type" $.Values.podAffinityPreset "context" $) | nindent 10 }}
         podAntiAffinity: {{- include "helpers.affinities.pods" (dict "type" $.Values.podAntiAffinityPreset "context" $) | nindent 10 }}
       {{- end }}
-      {{- with .podSecurityContext }}
-      securityContext: {{- include "helpers.tplvalues.render" (dict "value" . "context" $) nindent 6 }}
-      {{- end }}
       {{- if .dnsPolicy }}
       dnsPolicy: {{ .dnsPolicy }}
       {{- else if $.Values.generic.dnsPolicy }}
@@ -67,7 +64,7 @@ spec:
       tolerations: {{- include "helpers.tplvalues.render" (dict "value" . "context" $) | nindent 8 }}
       {{- end }}
       {{- with .podSecurityContext }}
-      securityContext: {{- include "helpers.tplvalues.render" (dict "value" . "context" $) nindent 8 }}
+      securityContext: {{- include "helpers.tplvalues.render" (dict "value" . "context" $) | nindent 8 }}
       {{- end }}
       {{ if or $.Values.imagePullSecrets .imagePullSecrets }}
       imagePullSecrets:

diff --git a/charts/universal-chart/templates/helm-hooks.yml b/charts/universal-chart/templates/helm-hooks.yml
@@ -74,7 +74,7 @@ spec:
         podAntiAffinity: {{- include "helpers.affinities.pods" (dict "type" $.Values.podAntiAffinityPreset "context" $) | nindent 10 }}
       {{- end }}
       {{- with .podSecurityContext }}
-      securityContext: {{- include "helpers.tplvalues.render" (dict "value" . "context" $) nindent 6 }}
+      securityContext: {{- include "helpers.tplvalues.render" (dict "value" . "context" $) | nindent 6 }}
       {{- end }}
       {{- if .dnsPolicy }}
       dnsPolicy: {{ .dnsPolicy }}

diff --git a/charts/universal-chart/templates/job.yml b/charts/universal-chart/templates/job.yml
@@ -92,7 +92,7 @@ spec:
         podAntiAffinity: {{- include "helpers.affinities.pods" (dict "type" $.Values.podAntiAffinityPreset "context" $) | nindent 10 }}
       {{- end }}
       {{- with .podSecurityContext }}
-      securityContext: {{- include "helpers.tplvalues.render" (dict "value" . "context" $) nindent 6 }}
+      securityContext: {{- include "helpers.tplvalues.render" (dict "value" . "context" $) | nindent 6 }}
       {{- end }}
       {{- if .dnsPolicy }}
       dnsPolicy: {{ .dnsPolicy }}