From 81709b45ef83ebd7e2a7fb99ee4ef3bb3b6b5c71 Mon Sep 17 00:00:00 2001
From: Zemtsov Vladimir
Date: Fri, 10 Feb 2023 10:07:00 +0200
Subject: [PATCH 1/2] refactor(helm): add control for securityContext
Signed-off-by: Zemtsov Vladimir
---
 charts/capsule/Chart.yaml | 2 +-
 charts/capsule/README.md | 2 ++
 charts/capsule/templates/daemonset.yaml | 6 +++++-
 charts/capsule/templates/deployment.yaml | 6 +++++-
 charts/capsule/values.yaml | 15 +++++++++++++++
 5 files changed, 28 insertions(+), 3 deletions(-)
diff --git a/charts/capsule/Chart.yaml b/charts/capsule/Chart.yaml
index a73dea5f..f3adde84 100644
--- a/charts/capsule/Chart.yaml
+++ b/charts/capsule/Chart.yaml
@@ -21,7 +21,7 @@ sources:
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 0.3.2
+version: 0.3.3
 # This is the version number of the application being deployed.
 # This version number should be incremented each time you make changes to the application.
diff --git a/charts/capsule/README.md b/charts/capsule/README.md
index a84dfaff..734268f3 100644
--- a/charts/capsule/README.md
+++ b/charts/capsule/README.md
@@ -72,9 +72,11 @@ Here the values you can override:
 | mutatingWebhooksTimeoutSeconds | int | `30` | Timeout in seconds for mutating webhooks |
 | nodeSelector | object | `{}` | Set the node selector for the Capsule pod |
 | podAnnotations | object | `{}` | Annotations to add to the capsule pod. |
+| podSecurityContext | object | `{"runAsGroup":1002,"runAsNonRoot":true,"runAsUser":1002}` | Set the securityContext for the Capsule pod |
 | podSecurityPolicy.enabled | bool | `false` | Specify if a Pod Security Policy must be created |
 | priorityClassName | string | `""` | Set the priority class name of the Capsule pod |
 | replicaCount | int | `1` | Set the replica count for capsule pod |
+| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true}` | Set the securityContext for the Capsule container |
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
 | serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
 | serviceAccount.name | string | `"capsule"` | The name of the service account to use. If not set and `serviceAccount.create=true`, a name is generated using the fullname template |
diff --git a/charts/capsule/templates/daemonset.yaml b/charts/capsule/templates/daemonset.yaml
index 293442b8..194381b7 100644
--- a/charts/capsule/templates/daemonset.yaml
+++ b/charts/capsule/templates/daemonset.yaml
@@ -29,6 +29,10 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 serviceAccountName: {{ include "capsule.serviceAccountName" . }}
+ {{- with .Values.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 {{- if .Values.manager.hostNetwork }}
 hostNetwork: true
 dnsPolicy: ClusterFirstWithHostNet
@@ -84,5 +88,5 @@ spec:
 resources:
 {{- toYaml .Values.manager.resources | nindent 12 }}
 securityContext:
- allowPrivilegeEscalation: false
+ {{- toYaml .Values.securityContext | nindent 12 }}
 {{- end }}
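Review bot: In the second daemonset.yaml hunk the container `securityContext:` key is emitted unconditionally while its body comes from `{{- toYaml .Values.securityContext | nindent 12 }}`, so a values override of `securityContext: null` or `{}` renders `securityContext: null`/`{}` into the manifest, whereas the pod-level block added in the first hunk guards the same pattern with `{{- with .Values.podSecurityContext }}`. For consistency the container block should be wrapped the same way: `{{- with .Values.securityContext }}` / `securityContext:` / `{{- toYaml . | nindent 12 }}` / `{{- end }}`, and the identical change in deployment.yaml's second hunk needs the same treatment. Either way the `allowPrivilegeEscalation: false` that the removed line pinned in the template is now only a default that an override can clear, which the chart documentation should say. The `{{- if }}` block closed by the trailing `{{- end }}` starts outside the hunk. Separately, `readOnlyRootFilesystem: true` becoming the default is a runtime behaviour change rather than a refactor; if the manager writes anywhere under its root filesystem it will now need an emptyDir mount, which is worth confirming before the chart is released.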
diff --git a/charts/capsule/templates/deployment.yaml b/charts/capsule/templates/deployment.yaml
index c0a6ebfb..fa70d591 100644
--- a/charts/capsule/templates/deployment.yaml
+++ b/charts/capsule/templates/deployment.yaml
@@ -28,6 +28,10 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 serviceAccountName: {{ include "capsule.serviceAccountName" . }}
+ {{- with .Values.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 {{- if .Values.manager.hostNetwork }}
 hostNetwork: true
 dnsPolicy: ClusterFirstWithHostNet
@@ -83,5 +87,5 @@ spec:
 resources:
 {{- toYaml .Values.manager.resources | nindent 12 }}
 securityContext:
- allowPrivilegeEscalation: false
+ {{- toYaml .Values.securityContext | nindent 12 }}
 {{- end }}
diff --git a/charts/capsule/values.yaml b/charts/capsule/values.yaml
index 0023f1f9..12e8c592 100644
--- a/charts/capsule/values.yaml
+++ b/charts/capsule/values.yaml
@@ -77,6 +77,21 @@ podAnnotations: {}
 # -- Set the priority class name of the Capsule pod
 priorityClassName: '' # system-cluster-critical
+# -- Set the securityContext for the Capsule pod
+podSecurityContext:
+ runAsGroup: 1002
+ runAsNonRoot: true
+ runAsUser: 1002
+
+
+# -- Set the securityContext for the Capsule container
+securityContext:
+ capabilities:
+ drop:
+ - ALL
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+
 # -- Set the node selector for the Capsule pod
 nodeSelector: {}
 # node-role.kubernetes.io/master: ""
From 60d4f62987e29e10a622826f7f09205cc97f7428 Mon Sep 17 00:00:00 2001
From: Zemtsov Vladimir
Date: Fri, 10 Feb 2023 11:10:49 +0200
Subject: [PATCH 2/2] refactor(helm): add default seccompProfile
Signed-off-by: Zemtsov Vladimir
---
 charts/capsule/README.md | 2 +-
 charts/capsule/values.yaml | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/charts/capsule/README.md b/charts/capsule/README.md
index 734268f3..43b7f5e6 100644
--- a/charts/capsule/README.md
+++ b/charts/capsule/README.md
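Review bot: The two new `# --` helm-docs comments in the values.yaml hunk say only what the keys are, not that these are defaults which replace the previously hard-coded `allowPrivilegeEscalation: false` and that `readOnlyRootFilesystem: true` and `runAsUser: 1002` are new runtime constraints on the manager image. Something like `# -- Set the securityContext for the Capsule container. Defaults drop all capabilities, forbid privilege escalation and mount the root filesystem read-only; relax only if the image needs it` would tell operators what they give up when they override the map. The keys under `securityContext` are also not in the alphabetical order that `podSecurityContext` and the generated README row use, and `runAsUser: 1002` is followed by two blank lines where `readOnlyRootFilesystem: true` is followed by one; ordering them `allowPrivilegeEscalation`, `capabilities`, `readOnlyRootFilesystem` and dropping the extra blank line would keep the file uniform.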
@@ -72,7 +72,7 @@ Here the values you can override:
 | mutatingWebhooksTimeoutSeconds | int | `30` | Timeout in seconds for mutating webhooks |
 | nodeSelector | object | `{}` | Set the node selector for the Capsule pod |
 | podAnnotations | object | `{}` | Annotations to add to the capsule pod. |
-| podSecurityContext | object | `{"runAsGroup":1002,"runAsNonRoot":true,"runAsUser":1002}` | Set the securityContext for the Capsule pod |
+| podSecurityContext | object | `{"runAsGroup":1002,"runAsNonRoot":true,"runAsUser":1002,"seccompProfile":{"type":"RuntimeDefault"}}` | Set the securityContext for the Capsule pod |
 | podSecurityPolicy.enabled | bool | `false` | Specify if a Pod Security Policy must be created |
 | priorityClassName | string | `""` | Set the priority class name of the Capsule pod |
 | replicaCount | int | `1` | Set the replica count for capsule pod |
diff --git a/charts/capsule/values.yaml b/charts/capsule/values.yaml
index 12e8c592..a8425cbb 100644
--- a/charts/capsule/values.yaml
+++ b/charts/capsule/values.yaml
@@ -79,6 +79,8 @@ priorityClassName: '' # system-cluster-critical
 # -- Set the securityContext for the Capsule pod
 podSecurityContext:
+ seccompProfile:
+ type: "RuntimeDefault"
 runAsGroup: 1002
 runAsNonRoot: true
 runAsUser: 1002
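Review bot: `seccompProfile` is inserted ahead of `runAsGroup`, breaking the alphabetical key order that the rest of `podSecurityContext` and the regenerated README row keep, and `"RuntimeDefault"` is double-quoted although the value needs no quoting and the only other quoted scalar in view, `priorityClassName: ''`, uses single quotes; `type: RuntimeDefault` placed after `runAsUser: 1002` would match both conventions. A pod-level `seccompProfile` field is only understood by Kubernetes 1.19 and later, and the chart's `kubeVersion` constraint is not visible here; if the chart still admits older clusters, the field may be silently dropped or rejected by the API server depending on server-side field validation, so either a note in the `# --` comment or a `kubeVersion` bump seems warranted. Together with the patch-1 defaults this appears to satisfy the Pod Security Standards restricted profile, which is worth stating in the comment so operators understand why the value is set and what relaxing it costs.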