Merge pull request #37 from GDATASoftwareAG/pod_security_admission_re…

…stricted Pod security admission restricted
GDATASoftwareAG · Feb 9, 2024 · bdccd23 · bdccd23
2 parents 43fdb23 + 2872c21
commit bdccd23
Show file tree

Hide file tree

Showing 5 changed files with 43 additions and 22 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1 +1,4 @@
-*-local.yaml
+*-local.yaml
+*-locale.yml
+*-locale.yaml
+*-local.yml
diff --git a/charts/gdscan/Chart.yaml b/charts/gdscan/Chart.yaml
@@ -5,4 +5,4 @@ maintainers:
   - name: G DATA CyberDefense AG
     email: [email protected]
 type: application
-version: 1.5.1
+version: 1.6.0
diff --git a/charts/gdscan/templates/deployment.yaml b/charts/gdscan/templates/deployment.yaml
@@ -39,10 +39,8 @@ spec:
           emptyDir: {}
         - name: scan-socket
           emptyDir: {}
-          {{- if .Values.client.containerSecurityContext.enabled }}          
         - name: client-tmp
           emptyDir: {}
-          {{- end }}
         - name: server-var-log
           emptyDir: {}
       {{- include "gdscan.imagePullSecrets" . | nindent 6 }}
@@ -53,6 +51,9 @@ spec:
               value: "{{ now | unixEpoch }}"
           image: '{{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }}'
           imagePullPolicy: {{ .Values.server.image.pullPolicy }}
+          {{- if .Values.server.containerSecurityContext.enabled }}
+          securityContext: {{- omit .Values.server.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
           volumeMounts:
             - name: server-tmp
               mountPath: /tmp
@@ -75,10 +76,8 @@ spec:
               mountPath: /tmp/scan
             - name: scan-socket
               mountPath: /var/share/run
-              {{- if .Values.client.containerSecurityContext.enabled }}
             - name: client-tmp
               mountPath: /tmp
-              {{- end }}
           resources:
             {{- toYaml .Values.resources.client | nindent 12 }}
           ports:
@@ -96,8 +95,8 @@ spec:
               path: /health
               port: api
             initialDelaySeconds: 15
-            periodSeconds: 5     
-      terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}      
+            periodSeconds: 5
+      terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -110,4 +109,6 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-{{- end }}
+      securityContext:
+        fsGroup: 1654
+{{- end }}
diff --git a/charts/gdscan/templates/stateful-set.yaml b/charts/gdscan/templates/stateful-set.yaml
@@ -37,14 +37,10 @@ spec:
           emptyDir: {}
         - name: scan-socket
           emptyDir: {}
-          {{- if .Values.client.containerSecurityContext.enabled }}
         - name: client-tmp
           emptyDir: {}
-          {{- end }}
-          {{- if .Values.server.containerSecurityContext.enabled }}
         - name: server-var-log
           emptyDir: {}
-          {{- end }}
       containers:
         - name: {{ .Values.server.name }}
           env:
@@ -62,10 +58,8 @@ spec:
               mountPath: /tmp/scan
             - name: scan-socket
               mountPath: /var/share/run
-              {{- if .Values.server.containerSecurityContext.enabled }}
             - name: server-var-log
               mountPath: /var/log
-              {{- end }}
           resources:
             {{- toYaml .Values.resources.server | nindent 12 }}
         - name: {{ .Values.client.name }}
@@ -79,10 +73,8 @@ spec:
               mountPath: /tmp/scan
             - name: scan-socket
               mountPath: /var/share/run
-              {{- if .Values.client.containerSecurityContext.enabled }}
             - name: client-tmp
               mountPath: /tmp
-              {{- end }}
           resources:
             {{- toYaml .Values.resources.client | nindent 12 }}
           ports:
@@ -101,7 +93,7 @@ spec:
               port: api
             initialDelaySeconds: 15
             periodSeconds: 5
-      terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}       
+      terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -114,4 +106,6 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      securityContext:
+        fsGroup: 1654
 {{- end }}
diff --git a/charts/gdscan/values.yaml b/charts/gdscan/values.yaml
@@ -7,15 +7,31 @@ server:
     pullPolicy: Always
     tag: 1
   containerSecurityContext:
-    enabled: false
+    enabled: true
+    readOnlyRootFilesystem: true
+    allowPrivilegeEscalation: false
+    runAsNonRoot: true
+    capabilities:
+      drop: ["ALL"]
+    seccompProfile:
+      type: RuntimeDefault
+    runAsGroup: 1001
+    runAsUser: 1001
 client:
   name: client
   image:
     repository: ghcr.io/gdatasoftwareag/vaas/scanclient
     pullPolicy: Always
     tag: 1
   containerSecurityContext:
-    enabled: false
+    enabled: true
+    readOnlyRootFilesystem: true
+    allowPrivilegeEscalation: false
+    runAsNonRoot: true
+    capabilities:
+      drop: ["ALL"]
+    seccompProfile:
+      type: RuntimeDefault
 terminationGracePeriodSeconds: 30
 
 imagePullSecrets:
@@ -88,9 +104,16 @@ autoUpdate:
   image:
     registry: docker.io
     repository: bitnami/kubectl
-    tag: latest
+    tag: 1.29
   containerSecurityContext:
-    enabled: false
+    enabled: true
+    readOnlyRootFilesystem: true
+    allowPrivilegeEscalation: false
+    runAsNonRoot: true
+    capabilities:
+      drop: ["ALL"]
+    seccompProfile:
+      type: RuntimeDefault
   enabled: true
   # every hour
   schedule: "0 * * * *"