fix(charts): add security profiles to BPDM deployment containers

- adds seccomp and app armor profiles - security context configuration now affects also initcontainers
eclipse-tractusx · Jan 14, 2025 · d2eafec · d2eafec
1 parent 10ab9b5
commit d2eafec
Show file tree

Hide file tree

Showing 13 changed files with 33 additions and 11 deletions.
diff --git a/charts/bpdm/CHANGELOG.md b/charts/bpdm/CHANGELOG.md
@@ -15,6 +15,9 @@ The format is based on Keep a Changelog (https://keepachangelog.com/en/1.0.0/),
 - update BPDM Cleaning Service Dummy Chart to version 3.3.0
 - update BPDM Bridge Chart to version 3.3.0
 - update Central-IDP dependency to 4.0.0 [#1145](https://github.com/eclipse-tractusx/bpdm/pull/1145)
+- Add missing app armor profiles for BPDM application containers [#1153](https://github.com/eclipse-tractusx/bpdm/issues/1153)
+- Add missing seccomp profiles for BPDM application containers [#1152](https://github.com/eclipse-tractusx/bpdm/issues/1152)
+
 
 ## [5.2.0] -  2024-11-28
 

diff --git a/charts/bpdm/Chart.yaml b/charts/bpdm/Chart.yaml
@@ -49,7 +49,7 @@ dependencies:
     alias: bpdm-orchestrator
     condition: bpdm-orchestrator.enabled
   - name: bpdm-common
-    version: 1.0.2
+    version: 1.0.3-SNAPSHOT
   - name: postgresql
     version: 12.12.10
     repository: https://charts.bitnami.com/bitnami

diff --git a/charts/bpdm/charts/bpdm-cleaning-service-dummy/CHANGELOG.md b/charts/bpdm/charts/bpdm-cleaning-service-dummy/CHANGELOG.md
@@ -8,6 +8,8 @@ The format is based on Keep a Changelog (https://keepachangelog.com/en/1.0.0/),
 
 - Increase appversion to 6.3.0
 - update Central-IDP dependency to 4.0.0 [#1145](https://github.com/eclipse-tractusx/bpdm/pull/1145)
+- Add missing app armor profile [#1153](https://github.com/eclipse-tractusx/bpdm/issues/1153)
+- Add missing seccomp profile [#1152](https://github.com/eclipse-tractusx/bpdm/issues/1152)
 
 ## [3.2.0] - 2024-11-28
 

diff --git a/charts/bpdm/charts/bpdm-cleaning-service-dummy/values.yaml b/charts/bpdm/charts/bpdm-cleaning-service-dummy/values.yaml
@@ -40,6 +40,8 @@ springProfiles: []
 securityContext:
   seccompProfile:
     type: RuntimeDefault
+  appArmorProfile:
+    type: RuntimeDefault
   allowPrivilegeEscalation: false
   runAsNonRoot: true
   readOnlyRootFilesystem: true

diff --git a/charts/bpdm/charts/bpdm-common/CHANGELOG.md b/charts/bpdm/charts/bpdm-common/CHANGELOG.md
@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 
 The format is based on Keep a Changelog (https://keepachangelog.com/en/1.0.0/),
 
+## [1.0.3] - tbd
+
+### Changed
+
+- Add security context configuration to the deployment's init container
+
 ## [1.0.2] - 2024-10-25
 
 ### Changed

diff --git a/charts/bpdm/charts/bpdm-common/Chart.yaml b/charts/bpdm/charts/bpdm-common/Chart.yaml
@@ -21,7 +21,7 @@
 apiVersion: v2
 type: library
 name: bpdm-common
-version: 1.0.2
+version: 1.0.3-SNAPSHOT
 description: A library Helm Chart for other BPDM Charts
 home: https://eclipse-tractusx.github.io/docs/kits/Business%20Partner%20Kit/Adoption%20View
 sources:

diff --git a/charts/bpdm/charts/bpdm-common/templates/_deployment.tpl b/charts/bpdm/charts/bpdm-common/templates/_deployment.tpl
@@ -49,7 +49,7 @@ spec:
       # @url: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server
       automountServiceAccountToken: false
       securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+        {{- toYaml .Values.securityContext | nindent 8 }}
       containers:
         - name: {{ .Chart.Name }}
           securityContext:
@@ -84,14 +84,7 @@ spec:
         - name: startup-delay
           image: busybox:1.28
           securityContext:
-            allowPrivilegeEscalation: false
-            runAsNonRoot: true
-            readOnlyRootFilesystem: true
-            runAsUser: 10001
-            runAsGroup: 10001
-            capabilities:
-              drop:
-                - ALL
+            {{- toYaml .Values.securityContext | nindent 12 }}
           command: ['sh', '-c', "sleep {{ $.Values.startupDelaySeconds }}"]
       {{- with .Values.nodeSelector }}
       nodeSelector:

diff --git a/charts/bpdm/charts/bpdm-gate/CHANGELOG.md b/charts/bpdm/charts/bpdm-gate/CHANGELOG.md
@@ -8,6 +8,8 @@ The format is based on Keep a Changelog (https://keepachangelog.com/en/1.0.0/),
 
 - Increase appversion to 6.3.0
 - update Central-IDP dependency to 4.0.0 [#1145](https://github.com/eclipse-tractusx/bpdm/pull/1145)
+- Add missing app armor profile [#1153](https://github.com/eclipse-tractusx/bpdm/issues/1153)
+- Add missing seccomp profile [#1152](https://github.com/eclipse-tractusx/bpdm/issues/1152)
 
 ## [6.2.0] - 2024-11-28
 

diff --git a/charts/bpdm/charts/bpdm-gate/values.yaml b/charts/bpdm/charts/bpdm-gate/values.yaml
@@ -38,6 +38,10 @@ podAnnotations: {}
 springProfiles: []
 
 securityContext:
+  seccompProfile:
+    type: RuntimeDefault
+  appArmorProfile:
+    type: RuntimeDefault
   allowPrivilegeEscalation: false
   runAsNonRoot: true
   readOnlyRootFilesystem: true

diff --git a/charts/bpdm/charts/bpdm-orchestrator/CHANGELOG.md b/charts/bpdm/charts/bpdm-orchestrator/CHANGELOG.md
@@ -8,6 +8,8 @@ The format is based on Keep a Changelog (https://keepachangelog.com/en/1.0.0/),
 
 - Increase appversion to 6.3.0
 - update Central-IDP dependency to 4.0.0 [#1145](https://github.com/eclipse-tractusx/bpdm/pull/1145)
+- Add missing app armor profile [#1153](https://github.com/eclipse-tractusx/bpdm/issues/1153)
+- Add missing seccomp profile [#1152](https://github.com/eclipse-tractusx/bpdm/issues/1152)
 
 ## [3.2.0] - 2024-11-28
 

diff --git a/charts/bpdm/charts/bpdm-orchestrator/values.yaml b/charts/bpdm/charts/bpdm-orchestrator/values.yaml
@@ -40,6 +40,8 @@ springProfiles: []
 securityContext:
   seccompProfile:
     type: RuntimeDefault
+  appArmorProfile:
+    type: RuntimeDefault
   allowPrivilegeEscalation: false
   runAsNonRoot: true
   readOnlyRootFilesystem: true

diff --git a/charts/bpdm/charts/bpdm-pool/CHANGELOG.md b/charts/bpdm/charts/bpdm-pool/CHANGELOG.md
@@ -8,6 +8,8 @@ The format is based on Keep a Changelog (https://keepachangelog.com/en/1.0.0/),
 
 - Increase appversion to 6.3.0
 - update Central-IDP dependency to 4.0.0 [#1145](https://github.com/eclipse-tractusx/bpdm/pull/1145)
+- Add missing app armor profile [#1153](https://github.com/eclipse-tractusx/bpdm/issues/1153)
+- Add missing seccomp profile [#1152](https://github.com/eclipse-tractusx/bpdm/issues/1152)
 
 ## [7.2.0] - 2024-11-28
 

diff --git a/charts/bpdm/charts/bpdm-pool/values.yaml b/charts/bpdm/charts/bpdm-pool/values.yaml
@@ -38,6 +38,10 @@ podAnnotations: {}
 springProfiles: []
 
 securityContext:
+  seccompProfile:
+    type: RuntimeDefault
+  appArmorProfile:
+    type: RuntimeDefault
   allowPrivilegeEscalation: false
   runAsNonRoot: true
   readOnlyRootFilesystem: true