diff --git a/.gitignore b/.gitignore
index 212119c..679ef7b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,4 @@
-*-local.yaml
\ No newline at end of file
+*-local.yaml
+*-locale.yml
+*-locale.yaml
+*-local.yml
\ No newline at end of file
diff --git a/README.md b/README.md
index 1f60a16..6519227 100644
--- a/README.md
+++ b/README.md
@@ -62,12 +62,13 @@ helm upgrade gdscan gdscan/gdscan -f values.yaml
 # Options
-| Name                               | Description                                                                                                          | Value                    |
-| ---------------------------------- | -------------------------------------------------------------------------------------------------------------------- | ------------------------ |
-| `service.type`                     | service type                                                                                                         | `ClusterIP`              |
-| `service.ports.api`                | API service port                                                                                                     | `8080`                   |
-| `service.annotations`              | service annotations                                                                                                  | `{}`                     |
-| `replicaCount`                     | number of pods                                                                                                       | `1`                      |
-| `autoscaling.enabled`              | enable auto scaling                                                                                                  | `false`                  |
-| `autoscaling.maxReplicas`          | maximum number of replicas                                                                                           | `20`                     |
-| `autoscaling.metrics`              | custom metrics for auto scaling                                                                                      |                          |
+| Name                            | Description                                                                                                          | Value                    |
+| ------------------------------- | -------------------------------------------------------------------------------------------------------------------- | ------------------------ |
+| `service.type`                  | service type                                                                                                         | `ClusterIP`              |
+| `service.ports.api`             | API service port                                                                                                     | `8080`                   |
+| `service.annotations`           | service annotations                                                                                                  | `{}`                     |
+| `replicaCount`                  | number of pods                                                                                                       | `1`                      |
+| `autoscaling.enabled`           | enable auto scaling                                                                                                  | `false`                  |
+| `autoscaling.maxReplicas`       | maximum number of replicas                                                                                           | `20`                     |
+| `autoscaling.metrics`           | custom metrics for auto scaling                                                                                      |                          |
+| `terminationGracePeriodSeconds` | max time in seconds for scans to complete                                                                            | `30`                     |
diff --git a/charts/gdscan/Chart.yaml b/charts/gdscan/Chart.yaml
index c2f22ff..6251ffc 100644
--- a/charts/gdscan/Chart.yaml
+++ b/charts/gdscan/Chart.yaml
@@ -5,4 +5,4 @@ maintainers:
 - name: G DATA CyberDefense AG
 email: oem@gdata.de
 type: application
-version: 1.6.0
+version: 1.7.0
diff --git a/charts/gdscan/templates/_helpers.tpl b/charts/gdscan/templates/_helpers.tpl
index cf0792f..4b0b57a 100644
--- a/charts/gdscan/templates/_helpers.tpl
+++ b/charts/gdscan/templates/_helpers.tpl
@@ -109,3 +109,12 @@ app.kubernetes.io/namespace: {{ .Release.Namespace }}
 {{- end -}}
 {{- end -}}
+
+{{- define "common.secondsToHHMMSS" -}}
+{{- $totalSeconds := . -}}
+{{- $hours := div $totalSeconds 3600 | printf "%02d" -}}
+{{- $totalSeconds = mod $totalSeconds 3600 -}}
+{{- $minutes := div $totalSeconds 60 | printf "%02d" -}}
+{{- $seconds := mod $totalSeconds 60 | printf "%02d" -}}
+{{- printf "%s:%s:%s" $hours $minutes $seconds -}}
+{{- end -}}
diff --git a/charts/gdscan/templates/deployment.yaml b/charts/gdscan/templates/deployment.yaml
index 23afd33..a224e6e 100644
--- a/charts/gdscan/templates/deployment.yaml
+++ b/charts/gdscan/templates/deployment.yaml
@@ -39,10 +39,8 @@ spec:
 emptyDir: {}
 - name: scan-socket
 emptyDir: {}
- {{- if .Values.client.containerSecurityContext.enabled }}
 - name: client-tmp
 emptyDir: {}
- {{- end }}
 - name: server-var-log
 emptyDir: {}
 {{- include "gdscan.imagePullSecrets" . | nindent 6 }}
@@ -53,6 +51,9 @@ spec:
 value: "{{ now | unixEpoch }}"
 image: '{{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }}'
 imagePullPolicy: {{ .Values.server.image.pullPolicy }}
+ {{- if .Values.server.containerSecurityContext.enabled }}
+ securityContext: {{- omit .Values.server.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+ {{- end }}
 volumeMounts:
 - name: server-tmp
 mountPath: /tmp
@@ -75,10 +76,8 @@ spec:
 mountPath: /tmp/scan
 - name: scan-socket
 mountPath: /var/share/run
- {{- if .Values.client.containerSecurityContext.enabled }}
 - name: client-tmp
 mountPath: /tmp
- {{- end }}
 resources:
 {{- toYaml .Values.resources.client | nindent 12 }}
 ports:
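Review bot: The new `common.secondsToHHMMSS` define carries no comment stating its input contract, and for inputs of 86400 seconds or more it emits an hours field above 23 (constructed example: 90000 renders as `25:00:00`), which a consumer parsing the value as a .NET TimeSpan may reject — worth confirming against how `HostOptions__ShutdownTimeout` is parsed before relying on large grace periods. Suggest a header comment such as `{{/* Renders a non-negative integer number of seconds as HH:MM:SS. Hours are not wrapped into days, so inputs >= 86400 yield HH > 23. */}}` directly above the define. The `common.` prefix is also inconsistent with the `gdscan.` prefix used by `gdscan.imagePullSecrets` in the same chart; `gdscan.secondsToHHMMSS` would keep the helpers greppable under one namespace.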
@@ -96,8 +95,11 @@ spec:
 path: /health
 port: api
 initialDelaySeconds: 15
- periodSeconds: 5
- terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
+ periodSeconds: 5
+ env:
+ - name: HostOptions__ShutdownTimeout
+ value: {{ include "common.secondsToHHMMSS" .Values.terminationGracePeriodSeconds | quote }}
+ terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
@@ -110,4 +112,6 @@ spec:
 tolerations:
 {{- toYaml . | nindent 8 }}
 {{- end }}
-{{- end }}
\ No newline at end of file
+ securityContext:
+ fsGroup: 1654
+{{- end }}
diff --git a/charts/gdscan/templates/stateful-set.yaml b/charts/gdscan/templates/stateful-set.yaml
index d9c68bc..5031179 100644
--- a/charts/gdscan/templates/stateful-set.yaml
+++ b/charts/gdscan/templates/stateful-set.yaml
@@ -37,14 +37,10 @@ spec:
 emptyDir: {}
 - name: scan-socket
 emptyDir: {}
- {{- if .Values.client.containerSecurityContext.enabled }}
 - name: client-tmp
 emptyDir: {}
- {{- end }}
- {{- if .Values.server.containerSecurityContext.enabled }}
 - name: server-var-log
 emptyDir: {}
- {{- end }}
 containers:
 - name: {{ .Values.server.name }}
 env:
@@ -62,10 +58,8 @@ spec:
 mountPath: /tmp/scan
 - name: scan-socket
 mountPath: /var/share/run
- {{- if .Values.server.containerSecurityContext.enabled }}
 - name: server-var-log
 mountPath: /var/log
- {{- end }}
 resources:
 {{- toYaml .Values.resources.server | nindent 12 }}
 - name: {{ .Values.client.name }}
@@ -79,10 +73,8 @@ spec:
 mountPath: /tmp/scan
 - name: scan-socket
 mountPath: /var/share/run
- {{- if .Values.client.containerSecurityContext.enabled }}
 - name: client-tmp
 mountPath: /tmp
- {{- end }}
 resources:
 {{- toYaml .Values.resources.client | nindent 12 }}
 ports:
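Review bot: `HostOptions__ShutdownTimeout` is set to exactly `terminationGracePeriodSeconds`, so the application's own graceful-shutdown budget and the kubelet's SIGKILL deadline coincide and any delay between SIGTERM delivery and the host starting its shutdown leaves the process killed before its timeout ever fires. Giving the application a small margin, e.g. `value: {{ include "common.secondsToHHMMSS" (sub .Values.terminationGracePeriodSeconds 5) | quote }}` with a guard that the configured period exceeds that margin, would make the grace period an actual upper bound rather than a race. The same lines are added to stateful-set.yaml in its `@@ -101,7 +93,10 @@` hunk, so the change belongs in both. The container spec continues outside this hunk and indentation is not visible here, so I cannot confirm that `env:` lands at container level and that no earlier `env:` key exists on the same container — a duplicate key would be silently last-wins in YAML.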
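Review bot: The pod-level `securityContext: fsGroup: 1654` is a hard-coded magic number with no values key and no comment explaining which group it is, while values.yaml in the same commit pins the server container to `runAsGroup: 1001`; a reader cannot tell whether 1654 is the GID the client image expects on the shared `scan-tmp`/`scan-socket` emptyDir volumes or a leftover. At minimum add a comment above it, `# fsGroup must match the GID the scan containers use for the shared emptyDir volumes (<GID: confirm from the image build>)`, and preferably expose it through values so operators can align it with their own image builds. The same two lines are added to stateful-set.yaml in its `@@ -114,4 +109,6 @@` hunk.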
@@ -101,7 +93,10 @@ spec:
 port: api
 initialDelaySeconds: 15
 periodSeconds: 5
- terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
+ env:
+ - name: HostOptions__ShutdownTimeout
+ value: {{ include "common.secondsToHHMMSS" .Values.terminationGracePeriodSeconds | quote }}
+ terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
@@ -114,4 +109,6 @@ spec:
 tolerations:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ securityContext:
+ fsGroup: 1654
 {{- end }}
\ No newline at end of file
diff --git a/charts/gdscan/values.yaml b/charts/gdscan/values.yaml
index 11ac69b..5f8fc93 100644
--- a/charts/gdscan/values.yaml
+++ b/charts/gdscan/values.yaml
@@ -5,17 +5,33 @@ server:
 image:
 repository: ghcr.io/gdatasoftwareag/vaas/scanserver
 pullPolicy: Always
- tag: 1.9.6
+ tag: 1
 containerSecurityContext:
- enabled: false
+ enabled: true
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: RuntimeDefault
+ runAsGroup: 1001
+ runAsUser: 1001
 client:
 name: client
 image:
 repository: ghcr.io/gdatasoftwareag/vaas/scanclient
 pullPolicy: Always
- tag: 1.9.6
+ tag: 1
 containerSecurityContext:
- enabled: false
+ enabled: true
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: RuntimeDefault
 terminationGracePeriodSeconds: 30
 imagePullSecrets:
@@ -91,9 +107,16 @@ autoUpdate:
 image:
 registry: docker.io
 repository: bitnami/kubectl
- tag: latest
+ tag: 1.29
 containerSecurityContext:
- enabled: false
+ enabled: true
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: RuntimeDefault
 enabled: true
 # every hour
 schedule: "0 * * * *"
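Review bot: The client `containerSecurityContext` sets `runAsNonRoot: true` without a `runAsUser`, unlike the server block which pins `runAsUser: 1001`; if the scanclient image does not declare a numeric `USER`, the kubelet refuses to start the container with "container has runAsNonRoot and image will run as root", and a named USER cannot be verified either. Either add `runAsUser`/`runAsGroup` here as for the server, or add a comment stating that the image's numeric USER is relied on. The image tags changed from `1.9.6` to bare `tag: 1` (and `tag: 1.29` for bitnami/kubectl in the `@@ -91,9 +107,16 @@` hunk, which has the same missing `runAsUser`) are unquoted YAML numbers — a future `1.10` would render as `1.1` — and together with `pullPolicy: Always` they track a mutable floating tag, so each restart may pull a different build; at minimum quote them (`tag: "1"`, `tag: "1.29"`) and consider documenting that a digest or full version can be substituted for reproducible deployments.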