diff --git a/charts/universal-chart/CHANGELOG.md b/charts/universal-chart/CHANGELOG.md index d054e1f..d14b8fe 100644 --- a/charts/universal-chart/CHANGELOG.md +++ b/charts/universal-chart/CHANGELOG.md @@ -1,5 +1,13 @@ # Changelog +## 3.0.2 - April 14, 2022 + +* fix: typos in podSecurityContext/containerSecurityContext + +## 3.0.1 - April 14, 2022 + +* technical release without changes + ## 3.0.0 - April 14, 2022 * `jobs`, `cronJobs` and `servicemonitors` now is maps, where key is a name diff --git a/charts/universal-chart/Chart.yaml b/charts/universal-chart/Chart.yaml index 3112963..1976d12 100644 --- a/charts/universal-chart/Chart.yaml +++ b/charts/universal-chart/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 description: Nixys universal Helm chart for deploy your apps to Kubernetes name: universal-chart -version: 3.0.1 +version: 3.0.2 maintainers: - name: Roman Andreev email: r.andreev@nixys.ru diff --git a/charts/universal-chart/results/cronJobs.yaml b/charts/universal-chart/results/cronJobs.yaml index f8b907c..8ecc825 100644 --- a/charts/universal-chart/results/cronJobs.yaml +++ b/charts/universal-chart/results/cronJobs.yaml @@ -108,6 +108,28 @@ spec: - "default" topologyKey: kubernetes.io/hostname weight: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_ADMIN + - NET_BIND_SERVICE + - NET_RAW + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 1000 containers: - name: check22 diff --git a/charts/universal-chart/results/web-app.values.yml b/charts/universal-chart/results/web-app.values.yml index f74aeb2..5077576 100644 --- a/charts/universal-chart/results/web-app.values.yml +++ b/charts/universal-chart/results/web-app.values.yml 
@@ -66,7 +66,29 @@ spec:
 containers:
 - name: test
 image: registry.org/my-app:latest
- imagePullPolicy: IfNotPresent
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_ADMIN
+ - NET_BIND_SERVICE
+ - NET_RAW
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ readOnlyRootFilesystem: false
+ runAsNonRoot: true
+ runAsUser: 1000
 env:
 - name: MY_ENV
 value: "1234"
diff --git a/charts/universal-chart/samples/cronJobs.yaml b/charts/universal-chart/samples/cronJobs.yaml
index d2d5697..d3181d6 100644
--- a/charts/universal-chart/samples/cronJobs.yaml
+++ b/charts/universal-chart/samples/cronJobs.yaml
@@ -8,3 +8,25 @@ cronJobs:
 check2:
 name: check22
 command: "just check2"
+ podSecurityContext:
+ capabilities:
+ drop: # ref: https://raw.githubusercontent.com/FairwindsOps/polaris/master/checks/insecureCapabilities.yaml
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_ADMIN
+ - NET_BIND_SERVICE
+ - NET_RAW
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ runAsNonRoot: true
+ runAsUser: 1000
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
diff --git a/charts/universal-chart/samples/web-app.values.yml b/charts/universal-chart/samples/web-app.values.yml
index 47189ce..b712780 100644
--- a/charts/universal-chart/samples/web-app.values.yml
+++ b/charts/universal-chart/samples/web-app.values.yml
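Review bot: The `podSecurityContext` added to `check2` carries `capabilities`, `allowPrivilegeEscalation` and `readOnlyRootFilesystem`, which exist only on a container-level `securityContext` and not on the pod-level one, so the API server drops them (or rejects the object under strict field validation) and the capability drops are never applied. The rendered results/cronJobs.yaml in this same commit shows exactly that: the three fields are emitted under the pod-level `securityContext:` next to `containers:`. Only `runAsNonRoot` and `runAsUser` belong at pod level; the other three should move to a container-level key (the web-app sample uses `containerSecurityContext`, but whether the cronJobs template renders that key is not visible in this diff, so confirm before relying on it). The `cronJobs:` map and the `check2` entry start before the hunk.
```yaml
podSecurityContext:
  runAsNonRoot: true
  runAsUser: 1000
containerSecurityContext:  # confirm the cronJobs template renders this key
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: false
  capabilities:
    drop: # ref: https://raw.githubusercontent.com/FairwindsOps/polaris/master/checks/insecureCapabilities.yaml
      # … unchanged: the fifteen-entry drop list …
```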
@@ -81,6 +81,28 @@ deployments:
 mountPath: /etc/nginx/nginx.conf
 subPath: nginx.conf
 name: test
+ containerSecurityContext:
+ capabilities:
+ drop: # ref: https://raw.githubusercontent.com/FairwindsOps/polaris/master/checks/insecureCapabilities.yaml
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_ADMIN
+ - NET_BIND_SERVICE
+ - NET_RAW
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ runAsNonRoot: true
+ runAsUser: 1000
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
 volumes:
 - name: secret-files
 type: secret
diff --git a/charts/universal-chart/templates/cronjob.yml b/charts/universal-chart/templates/cronjob.yml
index 9163505..7e94491 100644
--- a/charts/universal-chart/templates/cronjob.yml
+++ b/charts/universal-chart/templates/cronjob.yml
@@ -115,7 +115,7 @@ spec:
 podAntiAffinity: {{- include "helpers.affinities.pods" (dict "type" $.Values.podAntiAffinityPreset "context" $) | nindent 14 }}
 {{- end }}
 {{- with .podSecurityContext }}
- securityContext: {{- include "helpers.tplvalues.render" (dict "value" . "context" $) nindent 12 }}
+ securityContext: {{- include "helpers.tplvalues.render" (dict "value" . "context" $) | nindent 12 }}
 {{- end }}
 {{- if .dnsPolicy }}
 dnsPolicy: {{ .dnsPolicy }}
diff --git a/charts/universal-chart/templates/deployment.yml b/charts/universal-chart/templates/deployment.yml
index c46486d..6195c84 100644
--- a/charts/universal-chart/templates/deployment.yml
+++ b/charts/universal-chart/templates/deployment.yml
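Review bot: `readOnlyRootFilesystem: false` in the new `containerSecurityContext` spells out the permissive Kubernetes default inside a sample whose other lines (the `drop` list, `runAsNonRoot`, `allowPrivilegeEscalation: false`) exist to show a hardened baseline, and samples/cronJobs.yaml does the same. A reader copying the sample ends up with a writable root filesystem without being told it was a deliberate choice; either omit the line or annotate it, e.g. `readOnlyRootFilesystem: false  # image needs a writable root fs — TODO confirm, move writable paths to emptyDir and set true`. The diff does not show which paths this image writes, so the reason in that comment is a placeholder to be filled in. The deployment entry that owns this block starts before the hunk.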
@@ -52,9 +52,6 @@ spec:
 podAffinity: {{- include "helpers.affinities.pods" (dict "type" $.Values.podAffinityPreset "context" $) | nindent 10 }}
 podAntiAffinity: {{- include "helpers.affinities.pods" (dict "type" $.Values.podAntiAffinityPreset "context" $) | nindent 10 }}
 {{- end }}
- {{- with .podSecurityContext }}
- securityContext: {{- include "helpers.tplvalues.render" (dict "value" . "context" $) nindent 6 }}
- {{- end }}
 {{- if .dnsPolicy }}
 dnsPolicy: {{ .dnsPolicy }}
 {{- else if $.Values.generic.dnsPolicy }}
@@ -67,7 +64,7 @@ spec:
 tolerations: {{- include "helpers.tplvalues.render" (dict "value" . "context" $) | nindent 8 }}
 {{- end }}
 {{- with .podSecurityContext }}
- securityContext: {{- include "helpers.tplvalues.render" (dict "value" . "context" $) nindent 8 }}
+ securityContext: {{- include "helpers.tplvalues.render" (dict "value" . "context" $) | nindent 8 }}
 {{- end }}
 {{ if or $.Values.imagePullSecrets .imagePullSecrets }}
 imagePullSecrets:
diff --git a/charts/universal-chart/templates/helm-hooks.yml b/charts/universal-chart/templates/helm-hooks.yml
index a0e0f21..574f505 100644
--- a/charts/universal-chart/templates/helm-hooks.yml
+++ b/charts/universal-chart/templates/helm-hooks.yml
@@ -74,7 +74,7 @@ spec:
 podAntiAffinity: {{- include "helpers.affinities.pods" (dict "type" $.Values.podAntiAffinityPreset "context" $) | nindent 10 }}
 {{- end }}
 {{- with .podSecurityContext }}
- securityContext: {{- include "helpers.tplvalues.render" (dict "value" . "context" $) nindent 6 }}
+ securityContext: {{- include "helpers.tplvalues.render" (dict "value" . "context" $) | nindent 6 }}
 {{- end }}
 {{- if .dnsPolicy }}
 dnsPolicy: {{ .dnsPolicy }}
diff --git a/charts/universal-chart/templates/job.yml b/charts/universal-chart/templates/job.yml
index ffaf97d..9d534f4 100644
--- a/charts/universal-chart/templates/job.yml
+++ b/charts/universal-chart/templates/job.yml
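Review bot: The `| nindent 6` kept on the new `securityContext:` line in helm-hooks.yml, and identically in job.yml, looks like the wrong depth for the pod-spec level this block sits at; only the missing pipe was fixed. In the same hunk `podAntiAffinity` renders its children with `nindent 10`, which places `affinity:` and its sibling pod-spec keys at indent 6, so the rendered map would land at the same column as the `securityContext:` key instead of under it; deployment.yml, whose affinity block uses the same `nindent 10`, renders this map with `nindent 8` and this very commit deletes its stray `nindent 6` copy. Unless the Job templates indent their pod spec two columns shallower than the Deployment (the `spec:` lines are outside the hunk, so I cannot confirm), the line should read `securityContext: {{- include "helpers.tplvalues.render" (dict "value" . "context" $) | nindent 8 }}` in both files. No rendered results/ file for a Job or hook is updated in this commit, so the checked-in renders do not cover this output.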
@@ -92,7 +92,7 @@ spec:
 podAntiAffinity: {{- include "helpers.affinities.pods" (dict "type" $.Values.podAntiAffinityPreset "context" $) | nindent 10 }}
 {{- end }}
 {{- with .podSecurityContext }}
- securityContext: {{- include "helpers.tplvalues.render" (dict "value" . "context" $) nindent 6 }}
+ securityContext: {{- include "helpers.tplvalues.render" (dict "value" . "context" $) | nindent 6 }}
 {{- end }}
 {{- if .dnsPolicy }}
 dnsPolicy: {{ .dnsPolicy }}