test-container-security-context

Signed-off-by: yminer <[email protected]> update for trivy and db update db-ss init container Signed-off-by: yminer <[email protected]> update core-pre-upgrade-job.yaml Signed-off-by: yminer <[email protected]> update values.yaml fix core-pre-upgrade-job typo
goharbor · Feb 23, 2024 · 7913d7e · 7913d7e
1 parent 8d2e551
commit 7913d7e
Show file tree

Hide file tree

Showing 11 changed files with 52 additions and 3 deletions.
diff --git a/templates/core/core-dpl.yaml b/templates/core/core-dpl.yaml
@@ -144,6 +144,9 @@ spec:
 {{- with .Values.core.extraEnvVars }}
 {{- toYaml . | nindent 10 }}
 {{- end }}
+        {{- if not (empty .Values.containerSecurityContext) }}
+        securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
+        {{- end }}
         ports:
         - containerPort: {{ template "harbor.core.containerPort" . }}
         volumeMounts:

diff --git a/templates/core/core-pre-upgrade-job.yaml b/templates/core/core-pre-upgrade-job.yaml
@@ -47,6 +47,9 @@ spec:
               secretKeyRef:
                 name: {{ .Values.database.external.existingSecret }}
                 key: password
+        {{- end }}
+        {{- if not (empty .Values.containerSecurityContext) }}
+        securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
         {{- end }}               
         volumeMounts:
         - name: config

diff --git a/templates/database/database-ss.yaml b/templates/database/database-ss.yaml
@@ -48,6 +48,9 @@ spec:
       - name: "data-migrator"
         image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }}
         imagePullPolicy: {{ .Values.imagePullPolicy }}
+        {{- if not (empty .Values.containerSecurityContext) }}
+        securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
+        {{- end }}
         command: ["/bin/sh"]
         args: ["-c", "[ -e /var/lib/postgresql/data/postgresql.conf ] && [ ! -d /var/lib/postgresql/data/pgdata ] && mkdir -m 0700 /var/lib/postgresql/data/pgdata && mv /var/lib/postgresql/data/* /var/lib/postgresql/data/pgdata/ || true"]
 {{- if .Values.database.internal.initContainer.migrator.resources }}
@@ -65,6 +68,9 @@ spec:
       - name: "data-permissions-ensurer"
         image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }}
         imagePullPolicy: {{ .Values.imagePullPolicy }}
+        {{- if not (empty .Values.containerSecurityContext) }}
+        securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
+        {{- end }}
         command: ["/bin/sh"]
         args: ["-c", "chmod -R 700 /var/lib/postgresql/data/pgdata || true"]
 {{- if .Values.database.internal.initContainer.permissions.resources }}
@@ -79,6 +85,9 @@ spec:
       - name: database
         image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }}
         imagePullPolicy: {{ .Values.imagePullPolicy }}
+        {{- if not (empty .Values.containerSecurityContext) }}
+        securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
+        {{- end }}
         livenessProbe:
           exec:
             command:

diff --git a/templates/exporter/exporter-dpl.yaml b/templates/exporter/exporter-dpl.yaml
@@ -99,6 +99,9 @@ spec:
         env:
 {{- toYaml . | nindent 10 }}
 {{- end }}
+        {{- if not (empty .Values.containerSecurityContext) }}
+        securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
+        {{- end }}
         ports:
         - containerPort: {{ .Values.metrics.exporter.port }}
         volumeMounts:

diff --git a/templates/jobservice/jobservice-dpl.yaml b/templates/jobservice/jobservice-dpl.yaml
@@ -116,6 +116,9 @@ spec:
 {{- with .Values.jobservice.extraEnvVars }}
 {{- toYaml . | nindent 10 }}
 {{- end }}
+        {{- if not (empty .Values.containerSecurityContext) }}
+        securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
+        {{- end }}
         envFrom:
         - configMapRef:
             name: "{{ template "harbor.jobservice" . }}-env"

diff --git a/templates/nginx/deployment.yaml b/templates/nginx/deployment.yaml
@@ -87,6 +87,9 @@ spec:
         env:
 {{- toYaml . | nindent 10 }}
 {{- end }}
+        {{- if not (empty .Values.containerSecurityContext) }}
+        securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
+        {{- end }}
         ports:
         - containerPort: 8080
         {{- if .Values.expose.tls.enabled }}

diff --git a/templates/portal/deployment.yaml b/templates/portal/deployment.yaml
@@ -64,6 +64,9 @@ spec:
         env:
 {{- toYaml . | nindent 10 }}
 {{- end }}
+        {{- if not (empty .Values.containerSecurityContext) }}
+        securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
+        {{- end }}
         livenessProbe:
           httpGet:
             path: /

diff --git a/templates/redis/statefulset.yaml b/templates/redis/statefulset.yaml
@@ -43,6 +43,9 @@ spec:
       - name: redis
         image: {{ .Values.redis.internal.image.repository }}:{{ .Values.redis.internal.image.tag }}
         imagePullPolicy: {{ .Values.imagePullPolicy }}
+        {{- if not (empty .Values.containerSecurityContext) }}
+        securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
+        {{- end }}
         livenessProbe:
           tcpSocket:
             port: 6379

diff --git a/templates/registry/registry-dpl.yaml b/templates/registry/registry-dpl.yaml
@@ -86,6 +86,9 @@ spec:
         resources:
 {{ toYaml .Values.registry.registry.resources | indent 10 }}
 {{- end }}
+        {{- if not (empty .Values.containerSecurityContext) }}
+        securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
+        {{- end }}
         args: ["serve", "/etc/registry/config.yml"]
         envFrom:
         - secretRef:
@@ -222,6 +225,9 @@ spec:
         resources:
 {{ toYaml .Values.registry.controller.resources | indent 10 }}
 {{- end }}
+        {{- if not (empty .Values.containerSecurityContext) }}
+        securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
+        {{- end }}
         envFrom:
         - configMapRef:
             name: "{{ template "harbor.registryCtl" . }}"

diff --git a/templates/trivy/trivy-sts.yaml b/templates/trivy/trivy-sts.yaml
@@ -58,9 +58,9 @@ spec:
         - name: trivy
           image: {{ .Values.trivy.image.repository }}:{{ .Values.trivy.image.tag }}
           imagePullPolicy: {{ .Values.imagePullPolicy }}
-          securityContext:
-            privileged: false
-            allowPrivilegeEscalation: false
+          {{- if not (empty .Values.containerSecurityContext) }}
+          securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 12 }}
+          {{- end }}
           env:
           {{- if has "trivy" .Values.proxy.components }}
             - name: HTTP_PROXY

diff --git a/values.yaml b/values.yaml
@@ -457,6 +457,19 @@ cache:
   # default keep cache for one day.
   expireHours: 24
 
+## set Container Security Context to comply with PSP restricted policy if necessary
+## each of the conatiner will apply the same security context
+## containerSecurityContext:{} is initially an empty yaml that you could edit it on demand, we just filled with a common template for convenience
+containerSecurityContext:
+  privileged: false
+  allowPrivilegeEscalation: false
+  seccompProfile:
+    type: RuntimeDefault
+  runAsNonRoot: true
+  capabilities:
+    drop:
+      - ALL
+
 # If service exposed via "ingress", the Nginx will not be used
 nginx:
   image: