diff --git a/templates/core/core-dpl.yaml b/templates/core/core-dpl.yaml
index 9a92b45a4..8c551b899 100644
--- a/templates/core/core-dpl.yaml
+++ b/templates/core/core-dpl.yaml
@@ -144,6 +144,9 @@ spec:
 {{- with .Values.core.extraEnvVars }}
 {{- toYaml . | nindent 10 }}
 {{- end }}
+ {{- if not (empty .Values.containerSecurityContext) }}
+ securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
+ {{- end }}
 ports:
 - containerPort: {{ template "harbor.core.containerPort" . }}
 volumeMounts:
diff --git a/templates/core/core-pre-upgrade-job.yaml b/templates/core/core-pre-upgrade-job.yaml
index 43c9d3596..ce0b13134 100644
--- a/templates/core/core-pre-upgrade-job.yaml
+++ b/templates/core/core-pre-upgrade-job.yaml
@@ -47,6 +47,9 @@ spec:
 secretKeyRef:
 name: {{ .Values.database.external.existingSecret }}
 key: password
+ {{- end }}
+ {{- if not (empty .Values.containerSecurityContext) }}
+ securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
 {{- end }}
 volumeMounts:
 - name: config
diff --git a/templates/database/database-ss.yaml b/templates/database/database-ss.yaml
index 3b08b07ef..501097124 100644
--- a/templates/database/database-ss.yaml
+++ b/templates/database/database-ss.yaml
@@ -48,6 +48,9 @@ spec:
 - name: "data-migrator"
 image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }}
 imagePullPolicy: {{ .Values.imagePullPolicy }}
+ {{- if not (empty .Values.containerSecurityContext) }}
+ securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
+ {{- end }}
 command: ["/bin/sh"]
 args: ["-c", "[ -e /var/lib/postgresql/data/postgresql.conf ] && [ ! -d /var/lib/postgresql/data/pgdata ] && mkdir -m 0700 /var/lib/postgresql/data/pgdata && mv /var/lib/postgresql/data/* /var/lib/postgresql/data/pgdata/ || true"]
 {{- if .Values.database.internal.initContainer.migrator.resources }}
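Review bot: The same three-line guard is pasted verbatim into every container in the chart (core-dpl.yaml here, then the core-pre-upgrade-job, database-ss, exporter-dpl, jobservice-dpl, nginx/deployment, portal/deployment, redis/statefulset, registry-dpl and trivy-sts hunks), which is the duplication Helm named templates exist to avoid. A `{{- define "harbor.containerSecurityContext" -}}` helper that renders `securityContext:` with the value when `.Values.containerSecurityContext` is non-empty, called via `include` with the container's indent, would keep the emptiness check and the `toYaml`/`nindent` depth in one place and give a single point at which a per-component override could later be merged in. The trivy copy already differs from the rest (`nindent 12` instead of `10`), which is exactly the drift a helper prevents. The container definitions these hunks edit all begin and end outside the hunks.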
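Review bot: Applying the chart-wide `containerSecurityContext` to the `data-migrator` init container (and, in the next two hunks of database-ss.yaml, to `data-permissions-ensurer` and the `database` container) is the riskiest use of the new value, because these containers exist to `mkdir`/`mv`/`chmod -R 700` the PostgreSQL data directory while the shipped default sets `runAsNonRoot: true` and drops every capability. With no `runAsUser` alongside `runAsNonRoot`, the kubelet decides from the image's `USER`: an image that runs as root, or declares a non-numeric user, is refused outright, and an image that runs unprivileged may have its ownership fix-ups fail silently behind `|| true` and surface later as a database that cannot open its data directory. A per-component value such as `.Values.database.internal.containerSecurityContext`, falling back to the global one, would let operators keep the restricted default everywhere else, and the release notes should state which images were verified to run as non-root. The init-container and container definitions continue outside the hunk.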
@@ -65,6 +68,9 @@ spec:
 - name: "data-permissions-ensurer"
 image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }}
 imagePullPolicy: {{ .Values.imagePullPolicy }}
+ {{- if not (empty .Values.containerSecurityContext) }}
+ securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
+ {{- end }}
 command: ["/bin/sh"]
 args: ["-c", "chmod -R 700 /var/lib/postgresql/data/pgdata || true"]
 {{- if .Values.database.internal.initContainer.permissions.resources }}
@@ -79,6 +85,9 @@ spec:
 - name: database
 image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }}
 imagePullPolicy: {{ .Values.imagePullPolicy }}
+ {{- if not (empty .Values.containerSecurityContext) }}
+ securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
+ {{- end }}
 livenessProbe:
 exec:
 command:
diff --git a/templates/exporter/exporter-dpl.yaml b/templates/exporter/exporter-dpl.yaml
index 2f23a270d..4428b73be 100644
--- a/templates/exporter/exporter-dpl.yaml
+++ b/templates/exporter/exporter-dpl.yaml
@@ -99,6 +99,9 @@ spec:
 env:
 {{- toYaml . | nindent 10 }}
 {{- end }}
+ {{- if not (empty .Values.containerSecurityContext) }}
+ securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
+ {{- end }}
 ports:
 - containerPort: {{ .Values.metrics.exporter.port }}
 volumeMounts:
diff --git a/templates/jobservice/jobservice-dpl.yaml b/templates/jobservice/jobservice-dpl.yaml
index e39e77e6e..45b7f8b41 100644
--- a/templates/jobservice/jobservice-dpl.yaml
+++ b/templates/jobservice/jobservice-dpl.yaml
@@ -116,6 +116,9 @@ spec:
 {{- with .Values.jobservice.extraEnvVars }}
 {{- toYaml . | nindent 10 }}
 {{- end }}
+ {{- if not (empty .Values.containerSecurityContext) }}
+ securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
+ {{- end }}
 envFrom:
 - configMapRef:
 name: "{{ template "harbor.jobservice" . }}-env"
diff --git a/templates/nginx/deployment.yaml b/templates/nginx/deployment.yaml
index 1ccdf7929..9b87e5928 100644
--- a/templates/nginx/deployment.yaml
+++ b/templates/nginx/deployment.yaml
@@ -87,6 +87,9 @@ spec:
 env:
 {{- toYaml . | nindent 10 }}
 {{- end }}
+ {{- if not (empty .Values.containerSecurityContext) }}
+ securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
+ {{- end }}
 ports:
 - containerPort: 8080
 {{- if .Values.expose.tls.enabled }}
diff --git a/templates/portal/deployment.yaml b/templates/portal/deployment.yaml
index 959a3fd7b..fdabf59be 100644
--- a/templates/portal/deployment.yaml
+++ b/templates/portal/deployment.yaml
@@ -64,6 +64,9 @@ spec:
 env:
 {{- toYaml . | nindent 10 }}
 {{- end }}
+ {{- if not (empty .Values.containerSecurityContext) }}
+ securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
+ {{- end }}
 livenessProbe:
 httpGet:
 path: /
diff --git a/templates/redis/statefulset.yaml b/templates/redis/statefulset.yaml
index 371b0fd5a..0868d6a74 100644
--- a/templates/redis/statefulset.yaml
+++ b/templates/redis/statefulset.yaml
@@ -43,6 +43,9 @@ spec:
 - name: redis
 image: {{ .Values.redis.internal.image.repository }}:{{ .Values.redis.internal.image.tag }}
 imagePullPolicy: {{ .Values.imagePullPolicy }}
+ {{- if not (empty .Values.containerSecurityContext) }}
+ securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
+ {{- end }}
 livenessProbe:
 tcpSocket:
 port: 6379
diff --git a/templates/registry/registry-dpl.yaml b/templates/registry/registry-dpl.yaml
index 3411de649..9894e916a 100644
--- a/templates/registry/registry-dpl.yaml
+++ b/templates/registry/registry-dpl.yaml
@@ -86,6 +86,9 @@ spec:
 resources:
 {{ toYaml .Values.registry.registry.resources | indent 10 }}
 {{- end }}
+ {{- if not (empty .Values.containerSecurityContext) }}
+ securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
+ {{- end }}
 args: ["serve", "/etc/registry/config.yml"]
 envFrom:
 - secretRef:
@@ -222,6 +225,9 @@ spec:
 resources:
 {{ toYaml .Values.registry.controller.resources | indent 10 }}
 {{- end }}
+ {{- if not (empty .Values.containerSecurityContext) }}
+ securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 10 }}
+ {{- end }}
 envFrom:
 - configMapRef:
 name: "{{ template "harbor.registryCtl" . }}"
diff --git a/templates/trivy/trivy-sts.yaml b/templates/trivy/trivy-sts.yaml
index aba23c9e8..36c7543e3 100644
--- a/templates/trivy/trivy-sts.yaml
+++ b/templates/trivy/trivy-sts.yaml
@@ -58,9 +58,9 @@ spec:
 - name: trivy
 image: {{ .Values.trivy.image.repository }}:{{ .Values.trivy.image.tag }}
 imagePullPolicy: {{ .Values.imagePullPolicy }}
- securityContext:
- privileged: false
- allowPrivilegeEscalation: false
+ {{- if not (empty .Values.containerSecurityContext) }}
+ securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 12 }}
+ {{- end }}
 env:
 {{- if has "trivy" .Values.proxy.components }}
 - name: HTTP_PROXY
diff --git a/values.yaml b/values.yaml
index 3c4e87081..103e9e527 100644
--- a/values.yaml
+++ b/values.yaml
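Review bot: Replacing Trivy's hard-coded `privileged: false` / `allowPrivilegeEscalation: false` with the conditional block turns a guaranteed floor into an optional one: a user who empties `containerSecurityContext` (which the new values.yaml comment explicitly presents as the starting point) silently drops the hardening the scanner container shipped with, and Trivy is the container that processes untrusted image content, so it deserves that floor most. Keeping the previous two lines under `securityContext:` in an `{{- else }}` branch of the new `if` restores the old behaviour whenever the value is empty, at the cost of four lines. The container definition starts before the hunk and its `env` list continues after it.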
@@ -457,6 +457,19 @@ cache:
 # default keep cache for one day.
 expireHours: 24

+## set Container Security Context to comply with PSP restricted policy if necessary
+## each of the conatiner will apply the same security context
+## containerSecurityContext:{} is initially an empty yaml that you could edit it on demand, we just filled with a common template for convenience
+containerSecurityContext:
+ privileged: false
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
+
 # If service exposed via "ingress", the Nginx will not be used
 nginx:
 image:
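Review bot: The new comment block contradicts the value it documents: it describes `containerSecurityContext:{}` as "initially an empty yaml", but the default shipped here is a populated restricted profile, and "conatiner" is misspelled. The more important omission is that `runAsNonRoot: true` is set with no `runAsUser`, so whether each pod starts depends entirely on the `USER` baked into the image (the kubelet refuses a container whose image runs as root or declares a non-numeric user), and nothing tells an operator which of the chart's images have been checked or how to relax the setting for one component. I would replace the three comment lines with `## Security context applied to every container in the chart; the default is compatible with the PSP "restricted" policy.`, `## Set to {} to disable. runAsNonRoot relies on each image's USER being a numeric non-root UID; add runAsUser if an image is not.`, `## seccompProfile needs a cluster that supports the field (Kubernetes 1.19 or newer).`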