Merge pull request #2620 from alphagov/update-init-containers-PSS-com…

…pliant Update init containers to be PSS compliant in the apps namespace
alphagov · Oct 4, 2024 · d42e649 · d42e649
2 parents 862b334 + 6eb6ac4
commit d42e649
Show file tree

Hide file tree

Showing 6 changed files with 28 additions and 6 deletions.
diff --git a/charts/db-backup/values.yaml b/charts/db-backup/values.yaml
@@ -53,6 +53,8 @@ securityContext:
   readOnlyRootFilesystem: true
   runAsNonRoot: true
   runAsUser: 1001
+  seccompProfile:
+    type: RuntimeDefault
 
 serviceAccount:
   create: true

diff --git a/charts/generic-govuk-app/templates/assets-upload-job.yaml b/charts/generic-govuk-app/templates/assets-upload-job.yaml
@@ -45,8 +45,11 @@ spec:
             - name: assets-to-upload
               mountPath: /assets-to-upload
           securityContext:
-            allowPrivilegeEscalation: false
-            readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: {{ .Values.securityContext.allowPrivilegeEscalation | default "false" }}
+            runAsNonRoot: {{ .Values.securityContext.runAsNonRoot | default "true" }}
+            readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFilesystem | default "true" }}
+            seccompProfile:
+              type: RuntimeDefault
             capabilities:
               drop: ["ALL"]
       containers:

diff --git a/charts/generic-govuk-app/templates/deployment.yaml b/charts/generic-govuk-app/templates/deployment.yaml
@@ -63,6 +63,15 @@ spec:
           volumeMounts:
             - name: assets
               mountPath: /assets
+          securityContext:
+            allowPrivilegeEscalation: {{ .Values.securityContext.allowPrivilegeEscalation | default "false" }}
+            runAsNonRoot: {{ .Values.securityContext.runAsNonRoot | default "true" }}
+            readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFilesystem | default "true" }}
+            seccompProfile:
+              type: RuntimeDefault
+            capabilities:
+              drop: ["ALL"]
+
       {{- end }}
       containers:
         - name: app
@@ -127,7 +136,7 @@ spec:
           {{- end }}
           securityContext:
             allowPrivilegeEscalation: {{ .Values.securityContext.allowPrivilegeEscalation }}
-            readOnlyRootFilesystem: true
+            readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFileSystem }}
             capabilities:
               drop: ["ALL"]
           volumeMounts:

diff --git a/charts/generic-govuk-app/values.yaml b/charts/generic-govuk-app/values.yaml
@@ -157,6 +157,9 @@ securityContext:
   allowPrivilegeEscalation: false
   runAsUser: 1001
   runAsGroup: 1001
+  readOnlyRootFilesystem: true
+  capabilities:
+    drop: ["ALL"]
 
 sentry:
   enabled: true

diff --git a/charts/govuk-jobs/templates/govuk-mirror-sync-cronjob.yaml b/charts/govuk-jobs/templates/govuk-mirror-sync-cronjob.yaml
@@ -50,8 +50,13 @@ spec:
                   cpu: 2
                   memory: 15000Mi
               securityContext:
-                allowPrivilegeEscalation: false
-                readOnlyRootFilesystem: true
+                allowPrivilegeEscalation: {{ .Values.securityContext.allowPrivilegeEscalation | default "false" }}
+                runAsNonRoot: {{ .Values.securityContext.runAsNonRoot | default "true" }}
+                readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFilesystem | default "true" }}
+                seccompProfile:
+                  type: RuntimeDefault
+                capabilities:
+                  drop: {{ .Values.securityContext.capabilities.drop }}
               volumeMounts:
                 - name: app-mirror-sync
                   mountPath: /data

diff --git a/charts/govuk-jobs/values.yaml b/charts/govuk-jobs/values.yaml
@@ -11,7 +11,7 @@ podSecurityContext:
 securityContext:
   allowPrivilegeEscalation: false
   capabilities:
-    drop: [ALL]
+    drop: ["ALL"]
   readOnlyRootFilesystem: true
   runAsNonRoot: true
   runAsUser: 1001