From 5b1a425347686cccca58501a788963be49a46480 Mon Sep 17 00:00:00 2001
From: Johannes Edmeier
Date: Fri, 6 Dec 2024 10:17:06 +0100
Subject: [PATCH] refa: avoid hard-coded uid in helm chart
In order to improve installation on openshift, we need to avoid the hard-coded uid/gid in the helm chart
---
 charts/steadybit-extension-aws/Chart.yaml | 2 +-
 .../templates/deployment.yaml | 11 +--
 .../__snapshot__/deployment_test.yaml.snap | 69 +++++++++++--------
 charts/steadybit-extension-aws/values.yaml | 13 +++-
 4 files changed, 55 insertions(+), 40 deletions(-)
diff --git a/charts/steadybit-extension-aws/Chart.yaml b/charts/steadybit-extension-aws/Chart.yaml
index cac8c2a..9dda1b5 100644
--- a/charts/steadybit-extension-aws/Chart.yaml
+++ b/charts/steadybit-extension-aws/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: steadybit-extension-aws
 description: Steadybit AWS extension Helm chart for Kubernetes.
-version: 2.1.21
+version: 2.1.22
 appVersion: v2.3.5
 home: https://www.steadybit.com/
 icon: https://steadybit-website-assets.s3.amazonaws.com/logo-symbol-transparent.png
diff --git a/charts/steadybit-extension-aws/templates/deployment.yaml b/charts/steadybit-extension-aws/templates/deployment.yaml
index d4fd652..3919940 100644
--- a/charts/steadybit-extension-aws/templates/deployment.yaml
+++ b/charts/steadybit-extension-aws/templates/deployment.yaml
@@ -74,15 +74,10 @@ spec:
 httpGet:
 port: 8086
 path: /health/readiness
+ {{- with .Values.containerSecurityContext }}
 securityContext:
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- runAsUser: 10000
- runAsGroup: 10000
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 env:
 {{- include "extensionlib.deployment.env" (list .) | nindent 12 }}
 {{- if .Values.aws.assumeRoles }}
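Review bot: Wrapping the whole container `securityContext` in `{{- with .Values.containerSecurityContext }}` makes every hardening field conditional on that value being non-empty, so an override such as `--set containerSecurityContext=null` now renders a container with no securityContext at all, whereas before this hunk `readOnlyRootFilesystem: true`, `allowPrivilegeEscalation: false` and the `drop: [ALL]` capability set were unconditional. Helm merges user values key by key with the chart defaults, so a user who only adds or changes keys keeps the defaults; the regression is limited to a full replacement, but it fails silently, and the same applies to `runAsNonRoot`, which now comes only from `podSecurityContext`. If removing the uid/gid is the only goal, consider keeping the non-uid fields in the template unconditionally and rendering the values map after them (dropping them from the values default so they are not emitted twice), or at least documenting on `containerSecurityContext` in values.yaml that the map is emitted verbatim via `toYaml` and must keep those keys. The container spec this hunk edits begins and ends outside the hunk.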
diff --git a/charts/steadybit-extension-aws/tests/__snapshot__/deployment_test.yaml.snap b/charts/steadybit-extension-aws/tests/__snapshot__/deployment_test.yaml.snap
index e319f5f..1c75558 100644
--- a/charts/steadybit-extension-aws/tests/__snapshot__/deployment_test.yaml.snap
+++ b/charts/steadybit-extension-aws/tests/__snapshot__/deployment_test.yaml.snap
@@ -102,10 +102,11 @@ manifest should add aws env vars:
 drop:
 - ALL
 readOnlyRootFilesystem: true
- runAsGroup: 10000
- runAsNonRoot: true
- runAsUser: 10000
 volumeMounts: null
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 serviceAccountName: steadybit-extension-aws
 volumes: null
 manifest should match snapshot using podAnnotations and Labels:
@@ -184,10 +185,11 @@ manifest should match snapshot using podAnnotations and Labels:
 drop:
 - ALL
 readOnlyRootFilesystem: true
- runAsGroup: 10000
- runAsNonRoot: true
- runAsUser: 10000
 volumeMounts: null
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 serviceAccountName: steadybit-extension-aws
 volumes: null
 manifest should match snapshot with TLS:
@@ -268,13 +270,14 @@ manifest should match snapshot with TLS:
 drop:
 - ALL
 readOnlyRootFilesystem: true
- runAsGroup: 10000
- runAsNonRoot: true
- runAsUser: 10000
 volumeMounts:
 - mountPath: /etc/extension/certificates/server-cert
 name: certificate-server-cert
 readOnly: true
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 serviceAccountName: steadybit-extension-aws
 volumes:
 - name: certificate-server-cert
@@ -362,10 +365,11 @@ manifest should match snapshot with extra env vars:
 drop:
 - ALL
 readOnlyRootFilesystem: true
- runAsGroup: 10000
- runAsNonRoot: true
- runAsUser: 10000
 volumeMounts: null
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 serviceAccountName: steadybit-extension-aws
 volumes: null
 manifest should match snapshot with extra labels:
@@ -444,10 +448,11 @@ manifest should match snapshot with extra labels:
 drop:
 - ALL
 readOnlyRootFilesystem: true
- runAsGroup: 10000
- runAsNonRoot: true
- runAsUser: 10000
 volumeMounts: null
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 serviceAccountName: steadybit-extension-aws
 volumes: null
 manifest should match snapshot with mutual TLS:
@@ -530,9 +535,6 @@ manifest should match snapshot with mutual TLS:
 drop:
 - ALL
 readOnlyRootFilesystem: true
- runAsGroup: 10000
- runAsNonRoot: true
- runAsUser: 10000
 volumeMounts:
 - mountPath: /etc/extension/certificates/client-cert-a
 name: certificate-client-cert-a
@@ -540,6 +542,10 @@ manifest should match snapshot with mutual TLS:
 - mountPath: /etc/extension/certificates/server-cert
 name: certificate-server-cert
 readOnly: true
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 serviceAccountName: steadybit-extension-aws
 volumes:
 - name: certificate-client-cert-a
@@ -630,10 +636,11 @@ manifest should match snapshot with mutual TLS using containerPaths:
 drop:
 - ALL
 readOnlyRootFilesystem: true
- runAsGroup: 10000
- runAsNonRoot: true
- runAsUser: 10000
 volumeMounts: null
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 serviceAccountName: steadybit-extension-aws
 volumes: null
 manifest should match snapshot with podSecurityContext:
@@ -710,12 +717,12 @@ manifest should match snapshot with podSecurityContext:
 drop:
 - ALL
 readOnlyRootFilesystem: true
- runAsGroup: 10000
- runAsNonRoot: true
- runAsUser: 10000
 volumeMounts: null
 securityContext:
+ runAsNonRoot: true
 runAsUser: 2222
+ seccompProfile:
+ type: RuntimeDefault
 serviceAccountName: steadybit-extension-aws
 volumes: null
 manifest should match snapshot with priority class:
@@ -792,11 +799,12 @@ manifest should match snapshot with priority class:
 drop:
 - ALL
 readOnlyRootFilesystem: true
- runAsGroup: 10000
- runAsNonRoot: true
- runAsUser: 10000
 volumeMounts: null
 priorityClassName: my-priority-class
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 serviceAccountName: steadybit-extension-aws
 volumes: null
 manifest should match snapshot without TLS:
@@ -873,9 +881,10 @@ manifest should match snapshot without TLS:
 drop:
 - ALL
 readOnlyRootFilesystem: true
- runAsGroup: 10000
- runAsNonRoot: true
- runAsUser: 10000
 volumeMounts: null
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 serviceAccountName: steadybit-extension-aws
 volumes: null
diff --git a/charts/steadybit-extension-aws/values.yaml b/charts/steadybit-extension-aws/values.yaml
index 8cf8a8a..7aef7a1 100644
--- a/charts/steadybit-extension-aws/values.yaml
+++ b/charts/steadybit-extension-aws/values.yaml
@@ -148,7 +148,18 @@ affinity: {}
 priorityClassName: null
 # podSecurityContext -- SecurityContext to apply to the pod.
-podSecurityContext: {}
+podSecurityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+
+# containerSecurityContext -- SecurityContext to apply to the container.
+containerSecurityContext:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
 # extraEnv -- Array with extra environment variables to add to the container
 # e.g:
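Review bot: The new `podSecurityContext` default sets `runAsNonRoot: true` without a `runAsUser`, so the kubelet can only satisfy the non-root check if the container image declares a numeric `USER`; an image with a name-based or missing `USER` would fail container creation (CreateContainerConfigError) instead of running as it did with the fixed uid 10000. The image's Dockerfile is not in this diff, so this needs confirming, and the helm-docs comment should state the requirement, e.g. `# podSecurityContext -- SecurityContext to apply to the pod. runAsNonRoot without runAsUser requires the image to declare a numeric USER; OpenShift assigns one from the namespace uid range.` The `containerSecurityContext` comment could likewise say that the map is rendered as-is into the container and that clearing it removes the read-only filesystem, privilege-escalation and capability hardening.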