Prepare for k8s 1.25 (#218)

* Use registry gsoci * Use namespace value from .Release.Namespace * Add PSS switch * Render service account independent from PSP * Remove imagePullPolicy * Add security settings * Add .global.podSecurityStandards.enforced to values * Add ORIGIN variable * Remove 'https://' from ORIGINS dummy value * Remove quotes
giantswarm · Feb 16, 2024 · 59ab202 · 59ab202
1 parent 883f6dd
commit 59ab202
Show file tree

Hide file tree

Showing 9 changed files with 50 additions and 21 deletions.
diff --git a/helm/handbook/templates/handbook-deployment.yaml b/helm/handbook/templates/handbook-deployment.yaml
@@ -1,7 +1,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  namespace: intranet
+  namespace: {{ .Release.Namespace }}
   name: handbook
   labels:
     app: handbook
@@ -19,6 +19,8 @@ spec:
     spec:
       securityContext:
         runAsUser: 1000
+        seccompProfile:
+          type: RuntimeDefault
       affinity:
         podAntiAffinity:
           preferredDuringSchedulingIgnoredDuringExecution:
@@ -30,8 +32,15 @@ spec:
             weight: 100
       containers:
         - name: handbook
-          image: quay.io/giantswarm/handbook:{{ .Chart.Version }}
-          imagePullPolicy: Always
+          image: gsoci.azurecr.io/giantswarm/handbook:{{ .Chart.Version }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
+            capabilities:
+              drop:
+                - ALL
           ports:
             - containerPort: 8080
               name: http

diff --git a/helm/handbook/templates/handbook-service.yaml b/helm/handbook/templates/handbook-service.yaml
@@ -1,7 +1,7 @@
 kind: Service
 apiVersion: v1
 metadata:
-  namespace: intranet
+  namespace: {{ .Release.Namespace }}
   name: handbook
   labels:
     app: handbook

diff --git a/helm/handbook/templates/ingress.yaml b/helm/handbook/templates/ingress.yaml
@@ -1,7 +1,7 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  namespace: intranet
+  namespace: {{ .Release.Namespace }}
   name: handbook
   labels:
     app: handbook

diff --git a/helm/handbook/templates/pdb.yaml b/helm/handbook/templates/pdb.yaml
@@ -2,7 +2,7 @@ apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
   name: handbook
-  namespace: intranet
+  namespace: {{ .Release.Namespace }}
 spec:
   minAvailable: 1
   selector:

diff --git a/helm/handbook/templates/psp-rbac.yaml b/helm/handbook/templates/psp-rbac.yaml
@@ -1,3 +1,4 @@
+{{- if not (((.Values.global).podSecurityStandards).enforced) }}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
@@ -24,17 +25,11 @@ spec:
   - configMap
   - emptyDir
 ---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  namespace: intranet
-  name: handbook
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: handbook
-  namespace: intranet
+  namespace: {{ .Release.Namespace }}
 rules:
 - apiGroups:
   - extensions
@@ -49,12 +44,13 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: handbook
-  namespace: intranet
+  namespace: {{ .Release.Namespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: handbook
 subjects:
 - kind: ServiceAccount
   name: handbook
-  namespace: intranet
+  namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/helm/handbook/templates/sa.yaml b/helm/handbook/templates/sa.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: handbook
+  namespace: {{ .Release.Namespace }}
diff --git a/helm/handbook/templates/staticjscms-deployment.yaml b/helm/handbook/templates/staticjscms-deployment.yaml
@@ -1,7 +1,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  namespace: intranet
+  namespace: {{ .Release.Namespace }}
   name: staticjscms-hugo-standalone
   labels:
     app: staticjscms-hugo-standalone
@@ -19,6 +19,8 @@ spec:
     spec:
       securityContext:
         runAsUser: 1000
+        seccompProfile:
+          type: RuntimeDefault
       affinity:
         podAntiAffinity:
           preferredDuringSchedulingIgnoredDuringExecution:
@@ -31,8 +33,20 @@ spec:
       containers:
         - name: staticjscms-hugo-standalone
           image: gsoci.azurecr.io/giantswarm/staticjscms-hugo-standalone:{{ .Values.staticJsCmsHugoStandaloneVersion }}
-          imagePullPolicy: Always
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
+            capabilities:
+              drop:
+                - ALL
           env:
+            - name: ORIGIN
+              valueFrom:
+                secretKeyRef:
+                  name: staticjscms-secret
+                  key: ORIGINS
             - name: ORIGINS
               valueFrom:
                 secretKeyRef:

diff --git a/helm/handbook/templates/staticjscms-service.yaml b/helm/handbook/templates/staticjscms-service.yaml
@@ -1,7 +1,7 @@
 kind: Service
 apiVersion: v1
 metadata:
-  namespace: intranet
+  namespace: {{ .Release.Namespace }}
   name: staticjscms-hugo-standalone
   labels:
     app: staticjscms-hugo-standalone

diff --git a/helm/handbook/values.yaml b/helm/handbook/values.yaml
@@ -5,11 +5,11 @@ secrets:
   - name: staticjscms-secret
     data:
       - key: ORIGINS
-        value: "aHR0cHM6Ly9oYW5kYm9vay5naWFudHN3YXJtLmlv"
+        value: aGFuZGJvb2suZ2lhbnRzd2FybS5pbw==
       - key: OAUTH_CLIENT_ID
-        value: "MjE5OTEyMzk5MWFzZGVhZGJlZWY="
+        value: MjE5OTEyMzk5MWFzZGVhZGJlZWY=
       - key: OAUTH_CLIENT_SECRET
-        value: "YWFkc3NhZGFkYWRhZGFkMTIzMTIzMTIzMWFkYWRhZDEyMzEyM2FiYw=="
+        value: YWFkc3NhZGFkYWRhZGFkMTIzMTIzMTIzMWFkYWRhZDEyMzEyM2FiYw==
       - key: GIT_HOSTNAME
         value: ""
   - name: cms-config
@@ -29,3 +29,7 @@ volumeMounts:
   - name: cms-config
     mountPath: "/app/config.yml"
     subPath: "config.yml"
+
+global:
+  podSecurityStandards:
+    enforced: false