Merge pull request #77 from GDATASoftwareAG/76-add-section-for-adding…

…-podsecuritycontext 76 add section for adding podsecuritycontext
GDATASoftwareAG · Oct 11, 2024 · 6016bd0 · 6016bd0
2 parents da85c78 + 1daeaa3
commit 6016bd0
Show file tree

Hide file tree

Showing 8 changed files with 42 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -224,7 +224,8 @@ In addition, Sentry will always behave as follows:
 | gateway.resources.limits.memory           | Maximum memory usage                                                                                  | 512Mi                          |
 | gateway.resources.requests.cpu            | Requested CPU performance                                                                             | 0.5                            |
 | gateway.resources.requests.memory         | Requested memory usage                                                                                | 256Mi                          |
-| gateway.containerSecurityContext.enabled  | Enable/Disable container security context                                                             | false                          |
+| gateway.containerSecurityContext.enabled  | Enable/Disable container security context                                                             | true                           |
+| gateway.podSecurityContext.enabled        | Enable/Disable pod security context                                                                   | true                           |
 | gateway.uploadUrl                         | URL for the upload service                                                                            | "http://localhost:8080/upload" |
 | gateway.podAnnotations                    | Annotations for pods                                                                                  | {}                             |
 | gateway.nodeSelector                      | Node labels for pod assignment                                                                        | {}                             |

diff --git a/charts/vaas/Chart.yaml b/charts/vaas/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: vaas
-version: 2.1.7
+version: 2.2.0
 description: Deployment of a Verdict-as-a-Service on-premise instance
 maintainers:
   - name: G DATA CyberDefense AG
@@ -12,6 +12,6 @@ dependencies:
     condition: redis.enabled
     repository: oci://registry-1.docker.io/bitnamicharts
   - name: mini-identity-provider
-    version: 0.5.0
+    version: 0.6.0
     condition: mini-identity-provider.enabled
     repository: oci://ghcr.io/gdatasoftwareag
diff --git a/charts/vaas/templates/gateway/statefulset.yaml b/charts/vaas/templates/gateway/statefulset.yaml
@@ -26,6 +26,9 @@ spec:
       volumes:
         - name: gateway-tmp
           emptyDir: {}
+      {{- if .Values.gateway.podSecurityContext.enabled }}
+      securityContext: {{- omit .Values.gateway.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
       containers:
         - name: {{ include "gateway.name" . }}
           {{- if .Values.gateway.containerSecurityContext.enabled }}        

diff --git a/charts/vaas/templates/gdscan/deployment.yaml b/charts/vaas/templates/gdscan/deployment.yaml
@@ -36,6 +36,9 @@ spec:
           {{- end }}
         {{- end }}
       {{- include "gdscan.imagePullSecrets" . | nindent 6 }}
+      {{- if .Values.gdscan.client.podSecurityContext.enabled }}
+      securityContext: {{- omit .Values.gdscan.client.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
       containers:
         - name: {{ .Values.gdscan.client.name }}
           image: '{{ .Values.gdscan.client.image.repository }}:{{ .Values.gdscan.client.image.tag | default "latest" }}'
@@ -80,6 +83,4 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      securityContext:
-        fsGroup: 1654
 {{- end }}
diff --git a/charts/vaas/templates/gdscan/stateful-set.yaml b/charts/vaas/templates/gdscan/stateful-set.yaml
@@ -32,6 +32,9 @@ spec:
         {{- include "gdscan.selectorLabels" . | nindent 8 }}
     spec:
       {{- include "gdscan.imagePullSecrets" . | nindent 6 }}
+      {{- if .Values.gdscan.client.podSecurityContext.enabled }}
+      securityContext: {{- omit .Values.gdscan.client.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
       containers:
         - name: {{ .Values.gdscan.client.name }}
           image: "{{ .Values.gdscan.client.image.repository }}:{{ .Values.gdscan.client.image.tag | default .Chart.AppVersion }}"
@@ -76,6 +79,4 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      securityContext:
-        fsGroup: 1654
 {{- end }}
diff --git a/charts/vaas/templates/gdscan/update.yaml b/charts/vaas/templates/gdscan/update.yaml
@@ -71,6 +71,9 @@ spec:
                 - key: .dockerconfigjson
                   path: {{ .name }}.json
             {{- end }}
+          {{- if .Values.gdscan.autoUpdate.podSecurityContext.enabled }}
+          securityContext: {{- omit .Values.gdscan.autoUpdate.podSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
           containers:
             - name: updater
               image: "{{ .Values.gdscan.autoUpdate.image.registry }}/{{ .Values.gdscan.autoUpdate.image.repository }}:{{ .Values.gdscan.autoUpdate.image.tag }}"

diff --git a/charts/vaas/values.yaml b/charts/vaas/values.yaml
@@ -43,6 +43,18 @@ mini-identity-provider:
   tolerations: []
   affinity: {}
 
+  podSecurityContext:
+    fsGroup: 1654
+
+  containerSecurityContext:
+    readOnlyRootFilesystem: true
+    allowPrivilegeEscalation: false
+    runAsNonRoot: true
+    capabilities:
+      drop: ["ALL"]
+    seccompProfile:
+      type: RuntimeDefault
+
 cloud:
   hashLookup:
     enabled: true
@@ -123,6 +135,10 @@ gateway:
       cpu: 0.5
       memory: 256Mi
 
+  podSecurityContext:
+    enabled: true
+    fsGroup: 1654
+
   containerSecurityContext:
     enabled: true
     readOnlyRootFilesystem: true
@@ -171,6 +187,9 @@ gdscan:
       repository: ghcr.io/gdatasoftwareag/vaas/scanner
       pullPolicy: Always
       tag: "1"
+    podSecurityContext:
+      enabled: true
+      fsGroup: 1654
     containerSecurityContext:
       enabled: true
       readOnlyRootFilesystem: true
@@ -236,6 +255,9 @@ gdscan:
       registry: ghcr.io/gdatasoftwareag
       repository: vaas/scanner-updater
       tag: "0.4.1"
+    podSecurityContext:
+      enabled: true
+      fsGroup: 1654
     containerSecurityContext:
       enabled: true
       readOnlyRootFilesystem: true
@@ -268,6 +290,9 @@ redis:
         memory: 64Mi
     persistence:
       enabled: false
+    podSecurityContext:
+      enabled: true
+      fsGroup: 1654
     containerSecurityContext:
       enabled: true
       readOnlyRootFilesystem: true

diff --git a/helm.sh b/helm.sh
@@ -13,4 +13,4 @@ VALUES_FILE=$1
 helm dep up charts/vaas
 helm lint charts/vaas -f $VALUES_FILE
 helm template charts/vaas -f $VALUES_FILE
-helm upgrade --install vaas charts/vaas -f $VALUES_FILE -n vaas --create-namespace
+helm upgrade --install vaas charts/vaas -f $VALUES_FILE -n vaas --create-namespace --debug