Skip to content

Commit

Permalink
chore(seeding): add securityContext to initContainers (#203)
Browse files Browse the repository at this point in the history
  • Loading branch information
evegufy authored Oct 14, 2024
1 parent 19eca8e commit 0775945
Show file tree
Hide file tree
Showing 2 changed files with 32 additions and 2 deletions.
17 changes: 16 additions & 1 deletion charts/centralidp/templates/job-seeding.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -226,6 +226,13 @@ spec:
mountPath: "app/realms"
initContainers:

Check warning on line 227 in charts/centralidp/templates/job-seeding.yaml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Container Running With Low UID

Check if containers are running with low UID, which might cause conflicts with the host's user table.

Check warning on line 227 in charts/centralidp/templates/job-seeding.yaml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Memory Limits Not Defined

Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory

Check warning on line 227 in charts/centralidp/templates/job-seeding.yaml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Memory Limits Not Defined

Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory

Check warning on line 227 in charts/centralidp/templates/job-seeding.yaml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Memory Requests Not Defined

Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes

Check warning on line 227 in charts/centralidp/templates/job-seeding.yaml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Memory Requests Not Defined

Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes

Check warning on line 227 in charts/centralidp/templates/job-seeding.yaml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Seccomp Profile Is Not Configured

Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls

Check warning on line 227 in charts/centralidp/templates/job-seeding.yaml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Seccomp Profile Is Not Configured

Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls
- name: init-cx-central
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
image: {{ .Values.realmSeeding.initContainer.image.name }}
imagePullPolicy: {{ .Values.realmSeeding.initContainer.image.pullPolicy }}
command:
Expand All @@ -239,7 +246,15 @@ spec:
- name: realms
mountPath: "app/realms"
- name: wait-for-keycloak
image: appropriate/curl:latest
image: alpine/curl:latest
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 3000

Check warning on line 257 in charts/centralidp/templates/job-seeding.yaml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Container Running With Low UID

Check if containers are running with low UID, which might cause conflicts with the host's user table.
{{ if .Values.realmSeeding.keycloakServiceTls -}}
command: [ 'sh', '-c', 'until curl -s https://{{ template "centralidp.fullname" . }}:{{ .Values.realmSeeding.keycloakServicePort }}/auth/realms/master/.well-known/openid-configuration; do echo waiting for other pod; sleep 2; done;' ]
{{- else -}}
Expand Down
17 changes: 16 additions & 1 deletion charts/sharedidp/templates/job-seeding.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -192,6 +192,13 @@ spec:
mountPath: "app/realms"
initContainers:
- name: init-cx-central
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
image: {{ .Values.realmSeeding.initContainer.image.name }}
imagePullPolicy: {{ .Values.realmSeeding.initContainer.image.pullPolicy }}
command:
Expand All @@ -205,7 +212,15 @@ spec:
- name: realms
mountPath: "app/realms"
- name: wait-for-keycloak
image: appropriate/curl:latest
image: alpine/curl:latest
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 3000
{{ if .Values.realmSeeding.keycloakServiceTls -}}
command: [ 'sh', '-c', 'until curl -s https://{{ template "sharedidp.fullname" . }}:{{ .Values.realmSeeding.keycloakServicePort }}/auth/realms/master/.well-known/openid-configuration; do echo waiting for other pod; sleep 2; done;' ]
{{- else -}}
Expand Down

0 comments on commit 0775945

Please sign in to comment.