From 36efd3c753760c5a4844ded74e261cf58a3a7ad0 Mon Sep 17 00:00:00 2001 From: Philip Stadermann Date: Fri, 2 Feb 2024 12:01:30 +0100 Subject: [PATCH 1/7] Use major version (1) as tag --- charts/gdscan/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/gdscan/values.yaml b/charts/gdscan/values.yaml index 7e109a0..3951bcb 100644 --- a/charts/gdscan/values.yaml +++ b/charts/gdscan/values.yaml @@ -5,7 +5,7 @@ server: image: repository: ghcr.io/gdatasoftwareag/vaas/scanserver pullPolicy: Always - tag: 1.9.6 + tag: 1 containerSecurityContext: enabled: false client: @@ -13,7 +13,7 @@ client: image: repository: ghcr.io/gdatasoftwareag/vaas/scanclient pullPolicy: Always - tag: 1.9.6 + tag: 1 containerSecurityContext: enabled: false terminationGracePeriodSeconds: 30 From 43fdb2312d73be439fc08431bfd64abd0dcc2ddc Mon Sep 17 00:00:00 2001 From: Philip Stadermann Date: Fri, 2 Feb 2024 12:06:13 +0100 Subject: [PATCH 2/7] Release version 1.5.1 --- charts/gdscan/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/gdscan/Chart.yaml b/charts/gdscan/Chart.yaml index c09ab20..2842130 100644 --- a/charts/gdscan/Chart.yaml +++ b/charts/gdscan/Chart.yaml @@ -5,4 +5,4 @@ maintainers: - name: G DATA CyberDefense AG email: oem@gdata.de type: application -version: 1.5.0 +version: 1.5.1 From 139a93ae64c4aaf1e763580654e706fa886639c4 Mon Sep 17 00:00:00 2001 From: Kevin Heise Date: Fri, 9 Feb 2024 15:46:59 +0100 Subject: [PATCH 3/7] Pods are not compatible with PodSecurityAdmission level "restricted" #36 Pod Security context is missing in Server Container #39 Allow PodSecurityAdmission level "restricted" --- .gitignore | 5 +++- charts/gdscan/templates/deployment.yaml | 15 ++++++----- charts/gdscan/templates/stateful-set.yaml | 12 +++------ charts/gdscan/values.yaml | 31 ++++++++++++++++++++--- 4 files changed, 42 insertions(+), 21 deletions(-) diff --git a/.gitignore b/.gitignore index 212119c..679ef7b 100644 --- a/.gitignore 
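Review bot: `tag: 1` on the server image (and the identical client hunk that follows) is a floating, mutable tag combined with `pullPolicy: Always`, so every pod (re)start may pull a different build and `helm rollback` no longer brings back the image that was actually running, since the manifest is unchanged. It is also an unquoted YAML integer; write it as `tag: "1"` so a later value such as `"1.10"` is not read as the float 1.1 and rendered as `1.1`. If tracking the major line is the intended default, consider adding an optional digest value (e.g. `digest: ""`, rendered as `@sha256:…` by the templates when set) so operators who need reproducible, attestable deployments can pin without forking the chart.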
+++ b/.gitignore @@ -1 +1,4 @@ -*-local.yaml \ No newline at end of file +*-local.yaml +*-locale.yml +*-locale.yaml +*-local.yml \ No newline at end of file diff --git a/charts/gdscan/templates/deployment.yaml b/charts/gdscan/templates/deployment.yaml index 23afd33..3b3ecd0 100644 --- a/charts/gdscan/templates/deployment.yaml +++ b/charts/gdscan/templates/deployment.yaml @@ -39,10 +39,8 @@ spec: emptyDir: {} - name: scan-socket emptyDir: {} - {{- if .Values.client.containerSecurityContext.enabled }} - name: client-tmp emptyDir: {} - {{- end }} - name: server-var-log emptyDir: {} {{- include "gdscan.imagePullSecrets" . | nindent 6 }} @@ -53,6 +51,9 @@ spec: value: "{{ now | unixEpoch }}" image: '{{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }}' imagePullPolicy: {{ .Values.server.image.pullPolicy }} + {{- if .Values.server.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.server.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} volumeMounts: - name: server-tmp mountPath: /tmp @@ -75,10 +76,8 @@ spec: mountPath: /tmp/scan - name: scan-socket mountPath: /var/share/run - {{- if .Values.client.containerSecurityContext.enabled }} - name: client-tmp mountPath: /tmp - {{- end }} resources: {{- toYaml .Values.resources.client | nindent 12 }} ports: @@ -96,8 +95,8 @@ spec: path: /health port: api initialDelaySeconds: 15 - periodSeconds: 5 - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + periodSeconds: 5 + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} @@ -110,4 +109,6 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} -{{- end }} \ No newline at end of file + securityContext: + fsGroup: 1654 +{{- end }} diff --git a/charts/gdscan/templates/stateful-set.yaml b/charts/gdscan/templates/stateful-set.yaml index d9c68bc..acbbc04 100644 
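Review bot: The pod-level `securityContext: fsGroup: 1654` appended at the end of the Deployment is hard-coded in the template while every other security setting in this commit comes from values, and 1654 is not the `runAsUser`/`runAsGroup: 1001` the server container receives from values.yaml, so a reader cannot tell whether the mismatch is intentional (presumably a supplementary group for the shared `scan-socket`/`scan-tmp` emptyDirs). I would expose it as `podSecurityContext: {fsGroup: 1654}` in values and render it with `securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }}`, with a values comment saying what 1654 is and why it differs from 1001. That also gives a single place to add pod-level `runAsNonRoot`/`seccompProfile` later instead of repeating them per container in both templates. The enclosing pod `spec:` starts outside this hunk, so the indentation of the new block cannot be checked from here.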
--- a/charts/gdscan/templates/stateful-set.yaml +++ b/charts/gdscan/templates/stateful-set.yaml @@ -37,14 +37,10 @@ spec: emptyDir: {} - name: scan-socket emptyDir: {} - {{- if .Values.client.containerSecurityContext.enabled }} - name: client-tmp emptyDir: {} - {{- end }} - {{- if .Values.server.containerSecurityContext.enabled }} - name: server-var-log emptyDir: {} - {{- end }} containers: - name: {{ .Values.server.name }} env: @@ -62,10 +58,8 @@ spec: mountPath: /tmp/scan - name: scan-socket mountPath: /var/share/run - {{- if .Values.server.containerSecurityContext.enabled }} - name: server-var-log mountPath: /var/log - {{- end }} resources: {{- toYaml .Values.resources.server | nindent 12 }} - name: {{ .Values.client.name }} @@ -79,10 +73,8 @@ spec: mountPath: /tmp/scan - name: scan-socket mountPath: /var/share/run - {{- if .Values.client.containerSecurityContext.enabled }} - name: client-tmp mountPath: /tmp - {{- end }} resources: {{- toYaml .Values.resources.client | nindent 12 }} ports: @@ -101,7 +93,7 @@ spec: port: api initialDelaySeconds: 15 periodSeconds: 5 - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} @@ -114,4 +106,6 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} + securityContext: + fsGroup: 1654 {{- end }} \ No newline at end of file diff --git a/charts/gdscan/values.yaml b/charts/gdscan/values.yaml index 3951bcb..9e9d35d 100644 --- a/charts/gdscan/values.yaml +++ b/charts/gdscan/values.yaml @@ -7,7 +7,16 @@ server: pullPolicy: Always tag: 1 containerSecurityContext: - enabled: false + enabled: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsNonRoot: true + capabilities: + drop: ["ALL"] + seccompProfile: + type: RuntimeDefault + runAsGroup: 1001 + runAsUser: 1001 client: name: client image: 
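Review bot: No hunk in stateful-set.yaml adds a `securityContext` to the server container the way the Deployment hunk does, and the StatefulSet's container specs are mostly outside these hunks, so please confirm that path already renders `server.containerSecurityContext`; the `restricted` profile requires `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]` on every container, and those cannot be satisfied from the pod level. The pod-level `fsGroup: 1654` is duplicated verbatim from deployment.yaml; a shared `podSecurityContext` value rendered with `{{- toYaml .Values.podSecurityContext | nindent 8 }}` keeps the two templates from drifting. A short comment next to the value explaining why 1654 differs from the server's `runAsGroup: 1001` would help the next maintainer.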
@@ -15,7 +24,14 @@ client: pullPolicy: Always tag: 1 containerSecurityContext: - enabled: false + enabled: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsNonRoot: true + capabilities: + drop: ["ALL"] + seccompProfile: + type: RuntimeDefault terminationGracePeriodSeconds: 30 imagePullSecrets: @@ -88,9 +104,16 @@ autoUpdate: image: registry: docker.io repository: bitnami/kubectl - tag: latest + tag: 1.29 containerSecurityContext: - enabled: false + enabled: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsNonRoot: true + capabilities: + drop: ["ALL"] + seccompProfile: + type: RuntimeDefault enabled: true # every hour schedule: "0 * * * *" From 2872c211866397e69a9d9eef103d264ea3f15648 Mon Sep 17 00:00:00 2001 From: Kevin Heise Date: Fri, 9 Feb 2024 15:58:12 +0100 Subject: [PATCH 4/7] increase chart version --- charts/gdscan/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/gdscan/Chart.yaml b/charts/gdscan/Chart.yaml index 2842130..c2f22ff 100644 --- a/charts/gdscan/Chart.yaml +++ b/charts/gdscan/Chart.yaml @@ -5,4 +5,4 @@ maintainers: - name: G DATA CyberDefense AG email: oem@gdata.de type: application -version: 1.5.1 +version: 1.6.0 From eee86ebbf90f1c1011aa237512640826f1d326ca Mon Sep 17 00:00:00 2001 From: Philip Stadermann Date: Mon, 26 Feb 2024 10:53:48 +0100 Subject: [PATCH 5/7] Grace peroid for scan node updates is configurable #42 Set HostOptions.ShutdownTimeout --- charts/gdscan/templates/_helpers.tpl | 9 +++++++++ charts/gdscan/templates/deployment.yaml | 3 +++ charts/gdscan/templates/stateful-set.yaml | 3 +++ 3 files changed, 15 insertions(+) diff --git a/charts/gdscan/templates/_helpers.tpl b/charts/gdscan/templates/_helpers.tpl index cf0792f..4b0b57a 100644 --- a/charts/gdscan/templates/_helpers.tpl +++ b/charts/gdscan/templates/_helpers.tpl 
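Review bot: The client container sets `runAsNonRoot: true` without a `runAsUser`, unlike the server block above, so admission passes but the kubelet checks at container start that the scanclient image declares a numeric non-root `USER`; if the image runs as root or names its user symbolically, the pod fails at runtime with a runAsNonRoot error rather than at `helm install`. If the image's uid is known, set `runAsUser`/`runAsGroup` explicitly here as for the server; otherwise add a values comment stating that the image must define a numeric non-root user. I cannot see the scanclient Dockerfile, so this is a request to confirm rather than a reported failure.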
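Review bot: `tag: 1.29` for the kubectl image is an unquoted YAML float: it happens to render as `1.29`, but the next bump to `1.30` would render as `1.3` and pull the wrong image, so write `tag: "1.29"` (the same applies to the `tag: 1` values earlier in this file). This container presumably holds credentials to act on the cluster, which makes it the image most worth pinning by digest rather than by a mutable tag. Separately, kubectl is only supported within one minor version of the API server, so a values comment noting that operators should align this tag with their cluster version would avoid surprises.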
@@ -109,3 +109,12 @@ app.kubernetes.io/namespace: {{ .Release.Namespace }} {{- end -}} {{- end -}} + +{{- define "common.secondsToHHMMSS" -}} +{{- $totalSeconds := . -}} +{{- $hours := div $totalSeconds 3600 | printf "%02d" -}} +{{- $totalSeconds = mod $totalSeconds 3600 -}} +{{- $minutes := div $totalSeconds 60 | printf "%02d" -}} +{{- $seconds := mod $totalSeconds 60 | printf "%02d" -}} +{{- printf "%s:%s:%s" $hours $minutes $seconds -}} +{{- end -}} diff --git a/charts/gdscan/templates/deployment.yaml b/charts/gdscan/templates/deployment.yaml index 3b3ecd0..a224e6e 100644 --- a/charts/gdscan/templates/deployment.yaml +++ b/charts/gdscan/templates/deployment.yaml @@ -96,6 +96,9 @@ spec: port: api initialDelaySeconds: 15 periodSeconds: 5 + env: + - name: HostOptions__ShutdownTimeout + value: {{ include "common.secondsToHHMMSS" .Values.terminationGracePeriodSeconds | quote }} terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} {{- with .Values.nodeSelector }} nodeSelector: diff --git a/charts/gdscan/templates/stateful-set.yaml b/charts/gdscan/templates/stateful-set.yaml index acbbc04..5031179 100644 --- a/charts/gdscan/templates/stateful-set.yaml +++ b/charts/gdscan/templates/stateful-set.yaml @@ -93,6 +93,9 @@ spec: port: api initialDelaySeconds: 15 periodSeconds: 5 + env: + - name: HostOptions__ShutdownTimeout + value: {{ include "common.secondsToHHMMSS" .Values.terminationGracePeriodSeconds | quote }} terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} {{- with .Values.nodeSelector }} nodeSelector: From 7a9cacc2b5c10805e5f30cbdd28a778d27371b97 Mon Sep 17 00:00:00 2001 From: Philip Stadermann Date: Mon, 26 Feb 2024 11:20:05 +0100 Subject: [PATCH 6/7] Grace peroid for scan node updates is configurable #42 Version 1.7.0 --- charts/gdscan/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/gdscan/Chart.yaml b/charts/gdscan/Chart.yaml index c2f22ff..6251ffc 100644 
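Review bot: `common.secondsToHHMMSS` silently produces misleading output for inputs it does not expect: sprig's `div`/`mod` coerce their argument, so a value that is not a plain integer (for example one supplied with `--set-string`) can collapse to `00:00:00`, and anything of 86400 seconds or more yields an hours field above 23, which a `hh:mm:ss` consumer is unlikely to accept. I would coerce and bound the input at the top of the helper, e.g. `{{- $totalSeconds := int . -}}` followed by `{{- if or (lt $totalSeconds 0) (ge $totalSeconds 86400) }}{{ fail "terminationGracePeriodSeconds must be in [0, 86400)" }}{{ end -}}`, and add a one-line comment above the define stating the expected input (non-negative integer seconds) and the output format. Whether the receiving application accepts hours beyond 23 is not visible here, so the upper bound is a suggestion to confirm against it.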
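Review bot: `HostOptions__ShutdownTimeout` is set to exactly `terminationGracePeriodSeconds`, so the application's own shutdown deadline and the kubelet's SIGKILL deadline coincide; any delay in SIGTERM delivery or a preStop hook means the process is killed before its graceful shutdown completes, which is the behavior this change set is trying to control. A small margin, e.g. rendering `(sub .Values.terminationGracePeriodSeconds 5)` for the env value (guarded so it never goes negative), or a separate `shutdownTimeoutSeconds` value, avoids that race. The new `env:` block appears to land in the client container (the one with the `api` port and `/health` probe); if that container already declares `env:` earlier in its spec this introduces a duplicate mapping key, which a YAML decoder either rejects or resolves last-wins, and if the scans the README refers to run in the server container, the variable is needed there as well. The same hunk is repeated in stateful-set.yaml. The container spec starts outside this hunk.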
--- a/charts/gdscan/Chart.yaml +++ b/charts/gdscan/Chart.yaml @@ -5,4 +5,4 @@ maintainers: - name: G DATA CyberDefense AG email: oem@gdata.de type: application -version: 1.6.0 +version: 1.7.0 From b0c37c19b736e72473b05ea6607ab55ad8cceab9 Mon Sep 17 00:00:00 2001 From: Philip Stadermann Date: Tue, 27 Feb 2024 09:14:05 +0100 Subject: [PATCH 7/7] Grace peroid for scan node updates is configurable #42 Document terminationGracePeriodSeconds --- README.md | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 1f60a16..6519227 100644 --- a/README.md +++ b/README.md 
@@ -62,12 +62,13 @@ helm upgrade gdscan gdscan/gdscan -f values.yaml # Options -| Name | Description | Value | -| ---------------------------------- | --------------------------------------------------------------------------------------------------------------------- | ------------------------ | -| `service.type` | service type | `ClusterIP` | -| `service.ports.api` | API service port | `8080` | -| `service.annotations` | service annotations | `{}` | -| `replicaCount` | number of pods | `1` | -| `autoscaling.enabled` | enable auto scaling | `false` | -| `autoscaling.maxReplicas` | maximum number of replicas | `20` | -| `autoscaling.metrics` | custom metrics for auto scaling | | +| Name | Description | Value | +| ------------------------------- | --------------------------------------------------------------------------------------------------------------------- | ------------------------ | +| `service.type` | service type | `ClusterIP` | +| `service.ports.api` | API service port | `8080` | +| `service.annotations` | service annotations | `{}` | +| `replicaCount` | number of pods | `1` | +| `autoscaling.enabled` | enable auto scaling | `false` | +| `autoscaling.maxReplicas` | maximum number of replicas | `20` | +| `autoscaling.metrics` | custom metrics for auto scaling | | +| `terminationGracePeriodSeconds` | max time in seconds for scans to complete | `30` |