From 353f589e0694083f5e062a64afdcd37ae08960b1 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 18 Jul 2024 12:37:59 -0400 Subject: [PATCH] Use restricted pod security standard Signed-off-by: Tamal Saha --- charts/dbgate/Chart.yaml | 2 +- charts/dbgate/README.md | 4 ++-- charts/dbgate/values.yaml | 20 ++++++++++---------- charts/mongo-ui/README.md | 2 +- charts/mongo-ui/values.yaml | 18 +++++++++--------- charts/pgadmin/Chart.yaml | 2 +- charts/pgadmin/README.md | 4 ++-- charts/pgadmin/templates/deployment.yaml | 17 ++++++++++++++--- charts/pgadmin/values.yaml | 15 ++++++++------- charts/phpmyadmin/Chart.yaml | 2 +- charts/phpmyadmin/README.md | 4 ++-- charts/phpmyadmin/values.yaml | 20 ++++++++++---------- hack/scripts/ct.sh | 12 ++++++------ 13 files changed, 67 insertions(+), 55 deletions(-) diff --git a/charts/dbgate/Chart.yaml b/charts/dbgate/Chart.yaml index 6197f570..e6e7a59b 100644 --- a/charts/dbgate/Chart.yaml +++ b/charts/dbgate/Chart.yaml @@ -3,7 +3,7 @@ name: dbgate description: DBGate Helm chart for Kubernetes type: application version: v2024.4.27 -appVersion: v2024.4.27 +appVersion: 5.3.1 home: https://dbgate.org icon: https://cdn.appscode.com/images/products/kubedb/kubedb-icon.png maintainers: diff --git a/charts/dbgate/README.md b/charts/dbgate/README.md index 9d15328e..b22befb5 100644 --- a/charts/dbgate/README.md +++ b/charts/dbgate/README.md @@ -56,7 +56,7 @@ The following table lists the configurable parameters of the `dbgate` chart and | replicaCount | | 1 | | image.repository | | "dbgate/dbgate" | | image.pullPolicy | | Always | -| image.tag | Overrides the image tag whose default is the chart appVersion. | "alpine" | +| image.tag | Overrides the image tag whose default is the chart appVersion. | "5.3.1-alpine" | | imagePullSecrets | | [] | | nameOverride | | "" | | fullnameOverride | | "" | 
@@ -65,7 +65,7 @@ The following table lists the configurable parameters of the `dbgate` chart and | serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | "" | | podAnnotations | | {} | | podSecurityContext | | {} | -| securityContext | | {} | +| securityContext | | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}} | | service.type | | ClusterIP | | service.port | | 80 | | resources | | {} | diff --git a/charts/dbgate/values.yaml b/charts/dbgate/values.yaml index 5f3e6cb6..b91d5589 100644 --- a/charts/dbgate/values.yaml +++ b/charts/dbgate/values.yaml @@ -22,7 +22,7 @@ image: repository: "dbgate/dbgate" pullPolicy: Always # Overrides the image tag whose default is the chart appVersion. - tag: "alpine" + tag: "5.3.1-alpine" imagePullSecrets: [] nameOverride: "" @@ -42,15 +42,15 @@ podAnnotations: {} podSecurityContext: {} # fsGroup: 2000 -securityContext: {} -# allowPrivilegeEscalation: false -# capabilities: -# drop: ["ALL"] -# readOnlyRootFilesystem: true -# runAsNonRoot: true -# runAsUser: 65534 -# # seccompProfile: -# # type: RuntimeDefault +securityContext: # +doc-gen:break + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault service: type: ClusterIP diff --git a/charts/mongo-ui/README.md b/charts/mongo-ui/README.md index bf91c67f..654e9967 100644 --- a/charts/mongo-ui/README.md +++ b/charts/mongo-ui/README.md 
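Review bot: `readOnlyRootFilesystem: true` becomes the default here without any writable volume being added for the image's runtime directories, and the dbgate deployment template is not part of this patch, so if the process writes under its root filesystem at startup the pod will crash-loop; the pgadmin section of this same commit adds a `logdir` emptyDir, presumably because that image writes there, and the same check is worth doing for dbgate before shipping this default. The identical change is made in the mongo-ui and phpmyadmin values.yaml hunks, and this note applies to them too. Separately, `runAsUser: 65534` together with `capabilities.drop: ["ALL"]` means the container cannot bind a port below 1024; the pgadmin hunk moves its listen port to 8080 for that reason, but no equivalent change is visible for these three charts, so the image's listen port should be confirmed and stated next to `securityContext:`, e.g. `# image listens on <PORT>; must be >= 1024 because all capabilities are dropped`.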
@@ -65,7 +65,7 @@ The following table lists the configurable parameters of the `mongo-ui` chart an | serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | "" | | podAnnotations | | {} | | podSecurityContext | | {} | -| securityContext | | {} | +| securityContext | | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}} | | service.type | | ClusterIP | | service.port | | 80 | | resources | | {} | diff --git a/charts/mongo-ui/values.yaml b/charts/mongo-ui/values.yaml index 183d78ce..07af025e 100644 --- a/charts/mongo-ui/values.yaml +++ b/charts/mongo-ui/values.yaml @@ -42,15 +42,15 @@ podAnnotations: {} podSecurityContext: {} # fsGroup: 2000 -securityContext: {} - # allowPrivilegeEscalation: false - # capabilities: - # drop: ["ALL"] - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 65534 - # seccompProfile: - # type: RuntimeDefault +securityContext: # +doc-gen:break + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault service: type: ClusterIP diff --git a/charts/pgadmin/Chart.yaml b/charts/pgadmin/Chart.yaml index 4ac75bed..b4b66ca7 100644 --- a/charts/pgadmin/Chart.yaml +++ b/charts/pgadmin/Chart.yaml @@ -3,7 +3,7 @@ name: pgadmin description: pgAdmin Helm chart for Kubernetes type: application version: v2024.4.27 -appVersion: v2024.4.27 +appVersion: "8.9" home: https://www.pgadmin.org icon: https://cdn.appscode.com/images/products/kubedb/kubedb-icon.png maintainers: diff --git a/charts/pgadmin/README.md b/charts/pgadmin/README.md index ec1ec756..1572a989 100644 --- a/charts/pgadmin/README.md +++ b/charts/pgadmin/README.md 
@@ -56,7 +56,7 @@ The following table lists the configurable parameters of the `pgadmin` chart and | replicaCount | | 1 | | image.repository | | "dpage/pgadmin4" | | image.pullPolicy | | Always | -| image.tag | Overrides the image tag whose default is the chart appVersion. | "latest" | +| image.tag | Overrides the image tag whose default is the chart appVersion. | "" | | imagePullSecrets | | [] | | nameOverride | | "" | | fullnameOverride | | "" | @@ -65,7 +65,7 @@ The following table lists the configurable parameters of the `pgadmin` chart and | serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | "" | | podAnnotations | | {} | | podSecurityContext | | {} | -| securityContext | | {} | +| securityContext | | {"allowPrivilegeEscalation":false,"runAsGroup":5050,"runAsNonRoot":true,"runAsUser":5050,"seccompProfile":{"type":"RuntimeDefault"}} | | service.type | | ClusterIP | | service.port | | 80 | | resources | | {} | diff --git a/charts/pgadmin/templates/deployment.yaml b/charts/pgadmin/templates/deployment.yaml index 4ef73f19..7a381d69 100644 --- a/charts/pgadmin/templates/deployment.yaml +++ b/charts/pgadmin/templates/deployment.yaml @@ -89,9 +89,16 @@ spec: value: "False" - name: PGADMIN_CONFIG_WTF_CSRF_ENABLED value: "False" + # avoid need for sudo + # https://github.com/pgadmin-org/pgadmin4/blob/REL-8_9/pkg/docker/entrypoint.sh#L94 + # postfix is used to send password reset emails. This feature is not used. + - name: PGADMIN_DISABLE_POSTFIX + value: "True" + - name: PGADMIN_LISTEN_PORT + value: "8080" ports: - name: http - containerPort: 80 + containerPort: 8080 protocol: TCP # livenessProbe: # httpGet: 
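Review bot: The comment block over `PGADMIN_DISABLE_POSTFIX` explains that variable, but `PGADMIN_LISTEN_PORT` and the matching `containerPort: 8080` get no rationale, and the reason is the non-root security context introduced in the pgadmin values.yaml hunk of this commit; without it a reader may revert to 80. Suggest a comment such as `# listen on an unprivileged port: the container runs as uid 5050 and cannot bind ports < 1024`. The entrypoint link pins `REL-8_9`, which matches the `appVersion: "8.9"` set in this commit but will drift when appVersion is bumped; a note to that effect, or dropping the line number from the URL, would help. The liveness/readiness probes below remain commented out, so a failure to bind on the new port is visible only in pod logs; the container spec begins before and continues after this hunk.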
@@ -113,13 +120,17 @@ spec: mountPath: /pgadmin4/config_local.py subPath: config_local.py readOnly: true - - name: data + - name: datadir mountPath: /var/lib/pgadmin + - name: logdir + mountPath: /var/log/pgadmin volumes: - name: config secret: secretName: {{ include "pgadmin.serviceAccountName" . }}-config - - name: data + - name: datadir + emptyDir: {} + - name: logdir emptyDir: {} {{- if .Values.authzproxy.params.platformCABundle }} - name: platform-auth diff --git a/charts/pgadmin/values.yaml b/charts/pgadmin/values.yaml index 668e286c..5adb357c 100644 --- a/charts/pgadmin/values.yaml +++ b/charts/pgadmin/values.yaml @@ -22,7 +22,7 @@ image: repository: "dpage/pgadmin4" pullPolicy: Always # Overrides the image tag whose default is the chart appVersion. - tag: "latest" + tag: "" imagePullSecrets: [] nameOverride: "" @@ -42,15 +42,16 @@ podAnnotations: {} podSecurityContext: {} # fsGroup: 2000 -securityContext: {} - # allowPrivilegeEscalation: false +securityContext: # +doc-gen:break + allowPrivilegeEscalation: false # capabilities: # drop: ["ALL"] # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 65534 - # seccompProfile: - # type: RuntimeDefault + runAsNonRoot: true + runAsUser: 5050 + runAsGroup: 5050 + seccompProfile: + type: RuntimeDefault service: type: ClusterIP diff --git a/charts/phpmyadmin/Chart.yaml b/charts/phpmyadmin/Chart.yaml index 78f5bd29..05eab6c7 100644 --- a/charts/phpmyadmin/Chart.yaml +++ b/charts/phpmyadmin/Chart.yaml @@ -3,7 +3,7 @@ name: phpmyadmin description: phpMyAdmin Helm chart for Kubernetes type: application version: v2024.4.27 -appVersion: v2024.4.27 +appVersion: 5.2.1 home: https://www.phpmyadmin.net icon: https://cdn.appscode.com/images/products/kubedb/kubedb-icon.png maintainers: diff --git a/charts/phpmyadmin/README.md b/charts/phpmyadmin/README.md index 10061098..b7162476 100644 --- a/charts/phpmyadmin/README.md +++ b/charts/phpmyadmin/README.md 
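Review bot: Both `datadir` and `logdir` are unbounded `emptyDir: {}` volumes; an emptyDir without `sizeLimit` is charged to the node's ephemeral storage, so a runaway pgAdmin log or growing data directory pressures the node rather than just this pod. Consider `emptyDir:` with `sizeLimit: <LIMIT>` (value chosen per deployment) on at least `logdir`, and document in the chart that `/var/lib/pgadmin` is ephemeral and lost on every pod restart. The rename from `data` to `datadir` is fine in itself but changes the volume name that any kustomize or strategic-merge patch might target, which is worth a line in the commit message. The volumes list continues outside the hunk.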
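Review bot: The pgadmin `securityContext` still leaves `capabilities.drop: ["ALL"]` commented out, so despite the commit title this container does not meet the restricted Pod Security Standard, which requires every container to drop ALL capabilities (NET_BIND_SERVICE is the only one that may be added back); a namespace labelled `pod-security.kubernetes.io/enforce: restricted` would reject the pod. With `PGADMIN_LISTEN_PORT` moved to 8080 in the deployment hunk of this commit, a privileged-port capability should no longer be needed, so `capabilities:` / `drop: ["ALL"]` can most likely be uncommented as-is; if some capability is genuinely required it should be named in an explicit `add:` rather than by leaving the block off. `readOnlyRootFilesystem` is also left commented out while the other three charts enable it; a short comment saying why pgadmin differs would save the next reader from "fixing" it.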
@@ -56,7 +56,7 @@ The following table lists the configurable parameters of the `phpmyadmin` chart | replicaCount | | 1 | | image.repository | | "phpmyadmin" | | image.pullPolicy | | Always | -| image.tag | Overrides the image tag whose default is the chart appVersion. | "latest" | +| image.tag | Overrides the image tag whose default is the chart appVersion. | "" | | imagePullSecrets | | [] | | nameOverride | | "" | | fullnameOverride | | "" | @@ -65,7 +65,7 @@ The following table lists the configurable parameters of the `phpmyadmin` chart | serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | "" | | podAnnotations | | {} | | podSecurityContext | | {} | -| securityContext | | {} | +| securityContext | | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}} | | service.type | | ClusterIP | | service.port | | 80 | | resources | | {} | diff --git a/charts/phpmyadmin/values.yaml b/charts/phpmyadmin/values.yaml index 09fb1114..96c5567d 100644 --- a/charts/phpmyadmin/values.yaml +++ b/charts/phpmyadmin/values.yaml @@ -22,7 +22,7 @@ image: repository: "phpmyadmin" pullPolicy: Always # Overrides the image tag whose default is the chart appVersion. - tag: "latest" + tag: "" imagePullSecrets: [] nameOverride: "" @@ -42,15 +42,15 @@ podAnnotations: {} podSecurityContext: {} # fsGroup: 2000 -securityContext: {} - # allowPrivilegeEscalation: false - # capabilities: - # drop: ["ALL"] - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 65534 - # seccompProfile: - # type: RuntimeDefault +securityContext: # +doc-gen:break + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault service: type: ClusterIP 
diff --git a/hack/scripts/ct.sh b/hack/scripts/ct.sh
index ac8d076d..3f420737 100755
--- a/hack/scripts/ct.sh
+++ b/hack/scripts/ct.sh
@@ -23,12 +23,12 @@ for dir in charts/*/; do
 echo $dir
 if [ $num_files -le 1 ]; then
 make ct CT_COMMAND=lint TEST_CHARTS=charts/$dir
- elif [[ "$dir" = "dbgate" ]] ||
- [[ "$dir" = "kafka-ui" ]] ||
- [[ "$dir" = "mongo-ui" ]] ||
- [[ "$dir" = "pgadmin" ]] ||
- [[ "$dir" = "phpmyadmin" ]]; then
- make ct TEST_CHARTS=charts/$dir || true
+ # elif [[ "$dir" = "dbgate" ]] ||
+ # [[ "$dir" = "kafka-ui" ]] ||
+ # [[ "$dir" = "mongo-ui" ]] ||
+ # [[ "$dir" = "pgadmin" ]] ||
+ # [[ "$dir" = "phpmyadmin" ]]; then
+ # make ct TEST_CHARTS=charts/$dir || true
 else
 ns=app-$(date +%s | head -c 6)
 kubectl create ns $ns
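Review bot: The `elif` branch is kept as six commented-out lines between `if` and `else` instead of being deleted, which leaves dead code in the loop body that git history already preserves. Suggest removing them outright, or, if the intent is to make the shortcut easy to restore, replacing them with one line such as `# UI charts (dbgate, kafka-ui, mongo-ui, pgadmin, phpmyadmin) now go through the full install test in the else branch`. The practical effect is that these charts fall through to the `else` path, so their install failures are no longer masked by `|| true`; that is presumably intended but deserves a sentence in the commit message. The `for` loop starts before and ends after this hunk, so whether `$dir` has already been stripped of the `charts/` prefix cannot be confirmed from here.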