diff --git a/charts/steadybit-agent/Chart.lock b/charts/steadybit-agent/Chart.lock index c06a3867..b79d9fc2 100644 --- a/charts/steadybit-agent/Chart.lock +++ b/charts/steadybit-agent/Chart.lock @@ -16,7 +16,7 @@ dependencies: version: 1.0.14 - name: steadybit-extension-dynatrace repository: https://steadybit.github.io/extension-dynatrace - version: 1.1.6 + version: 1.1.7 - name: steadybit-extension-gatling repository: https://steadybit.github.io/extension-gatling version: 1.1.15 @@ -61,7 +61,7 @@ dependencies: version: 1.1.6 - name: steadybit-extension-postman repository: https://steadybit.github.io/extension-postman - version: 1.7.10 + version: 1.7.11 - name: steadybit-extension-prometheus repository: https://steadybit.github.io/extension-prometheus version: 1.5.11 @@ -71,5 +71,5 @@ dependencies: - name: steadybit-extension-grafana repository: https://steadybit.github.io/extension-grafana version: 1.2.6 -digest: sha256:1ada075973b00fc3fc18eb7bc54e1240d87a49e68ae9bf86e495bfdb450ae634 -generated: "2024-12-07T06:08:31.602849838Z" +digest: sha256:1508df99b3cd7bb087dbf0d5d73a19b8462e6b351c5ca16a7545e532b3711e3f +generated: "2024-12-09T09:59:03.468184+01:00" diff --git a/charts/steadybit-agent/Chart.yaml b/charts/steadybit-agent/Chart.yaml index 35d13f1f..661f86ea 100644 --- a/charts/steadybit-agent/Chart.yaml +++ b/charts/steadybit-agent/Chart.yaml @@ -139,4 +139,4 @@ dependencies: version: ^1.1.8 repository: https://steadybit.github.io/extension-grafana alias: extension-grafana - condition: extension-grafana.enabled + condition: extension-grafana.enabled \ No newline at end of file diff --git a/charts/steadybit-agent/charts/steadybit-extension-dynatrace-1.1.7.tgz b/charts/steadybit-agent/charts/steadybit-extension-dynatrace-1.1.7.tgz new file mode 100644 index 00000000..0733d162 Binary files /dev/null and b/charts/steadybit-agent/charts/steadybit-extension-dynatrace-1.1.7.tgz differ 
diff --git a/charts/steadybit-agent/charts/steadybit-extension-postman-1.7.11.tgz b/charts/steadybit-agent/charts/steadybit-extension-postman-1.7.11.tgz new file mode 100644 index 00000000..ec0013f3 Binary files /dev/null and b/charts/steadybit-agent/charts/steadybit-extension-postman-1.7.11.tgz differ diff --git a/charts/steadybit-agent/templates/_podTemplate.tpl b/charts/steadybit-agent/templates/_podTemplate.tpl index f8bc6751..e6b68916 100644 --- a/charts/steadybit-agent/templates/_podTemplate.tpl +++ b/charts/steadybit-agent/templates/_podTemplate.tpl @@ -24,10 +24,9 @@ priorityClassName: {{ .Values.priorityClassName.name }} {{- end }} securityContext: - fsGroup: 1000 - runAsGroup: 1000 - runAsUser: 1000 - runAsNonRoot: true + {{- with .Values.podSecurityContext }} + {{- toYaml . | nindent 8 }} + {{- end }} containers: - name: steadybit-agent image: "{{ .Values.image.name }}:{{ default .Chart.AppVersion .Values.image.tag }}" @@ -140,11 +139,9 @@ {{- toYaml . | nindent 12 }} {{- end }} securityContext: - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL + {{- with .Values.containerSecurityContext }} + {{- toYaml . | nindent 12 }} + {{- end }} volumeMounts: {{- if eq .Values.agent.persistence.provider "filesystem"}} - name: steadybit-agent-state diff --git a/charts/steadybit-agent/tests/__snapshot__/deployment_test.yaml.snap b/charts/steadybit-agent/tests/__snapshot__/deployment_test.yaml.snap index 040b9e7b..9e7f33fb 100644 --- a/charts/steadybit-agent/tests/__snapshot__/deployment_test.yaml.snap +++ b/charts/steadybit-agent/tests/__snapshot__/deployment_test.yaml.snap @@ -104,10 +104,9 @@ manifest should match snapshot: - mountPath: /tmp name: tmp-dir securityContext: - fsGroup: 1000 - runAsGroup: 1000 runAsNonRoot: true - runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-agent volumes: - emptyDir: 
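Review bot: In `_podTemplate.tpl` (hunk `@@ -24,10 +24,9 @@`), `securityContext:` is still emitted unconditionally while its body now sits inside `{{- with .Values.podSecurityContext }}`, so an override that nulls the value renders an empty `securityContext:` and the pod drops `runAsNonRoot` and the seccomp profile with no trace in the manifest. The container-level hunk at `@@ -140,11 +139,9 @@` has the same shape, and there the loss would be `readOnlyRootFilesystem`, `allowPrivilegeEscalation: false` and the `capabilities` drop of `ALL`. Consider moving the key inside the block (`{{- with .Values.podSecurityContext }}`, then `securityContext:`, then the existing `toYaml` line) so a cleared context shows up as a missing key in rendered output and in the snapshot tests. The enclosing pod template starts and ends outside both hunks.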
@@ -238,10 +237,9 @@ should add aws account id from values: - mountPath: /tmp name: tmp-dir securityContext: - fsGroup: 1000 - runAsGroup: 1000 runAsNonRoot: true - runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-agent volumes: - emptyDir: @@ -367,10 +365,9 @@ should add extra volumes and mount: - mountPath: /extra name: extramount securityContext: - fsGroup: 1000 - runAsGroup: 1000 runAsNonRoot: true - runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-agent volumes: - emptyDir: @@ -519,10 +516,9 @@ should add match labels: - mountPath: /tmp name: tmp-dir securityContext: - fsGroup: 1000 - runAsGroup: 1000 runAsNonRoot: true - runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-agent volumes: - emptyDir: @@ -661,10 +657,9 @@ should add proxy configuration: - mountPath: /tmp name: tmp-dir securityContext: - fsGroup: 1000 - runAsGroup: 1000 runAsNonRoot: true - runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-agent volumes: - emptyDir: @@ -794,10 +789,9 @@ should apply extra pod labels: - mountPath: /tmp name: tmp-dir securityContext: - fsGroup: 1000 - runAsGroup: 1000 runAsNonRoot: true - runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-agent volumes: - emptyDir: @@ -929,10 +923,9 @@ should render redis settings: - mountPath: /tmp name: tmp-dir securityContext: - fsGroup: 1000 - runAsGroup: 1000 runAsNonRoot: true - runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-agent volumes: - emptyDir: @@ -1075,10 +1068,9 @@ using extensions with mtls from containerpath: - mountPath: /tmp name: tmp-dir securityContext: - fsGroup: 1000 - runAsGroup: 1000 runAsNonRoot: true - runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-agent volumes: - emptyDir: 
@@ -1227,10 +1219,9 @@ using extensions with mtls from secrets: - mountPath: /opt/steadybit/agent/etc/extra-certs name: extra-certs securityContext: - fsGroup: 1000 - runAsGroup: 1000 runAsNonRoot: true - runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-agent volumes: - emptyDir: @@ -1365,10 +1356,9 @@ using image pull secrets with debug json log: imagePullSecrets: - name: test-pull-secret securityContext: - fsGroup: 1000 - runAsGroup: 1000 runAsNonRoot: true - runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-agent volumes: - emptyDir: diff --git a/charts/steadybit-agent/tests/__snapshot__/statefulset_auth_test.yaml.snap b/charts/steadybit-agent/tests/__snapshot__/statefulset_auth_test.yaml.snap index e25901fd..4bd44e4c 100644 --- a/charts/steadybit-agent/tests/__snapshot__/statefulset_auth_test.yaml.snap +++ b/charts/steadybit-agent/tests/__snapshot__/statefulset_auth_test.yaml.snap @@ -113,10 +113,9 @@ using oauth2 with mtls from containerPath and token uri: - mountPath: /tmp name: tmp-dir securityContext: - fsGroup: 1000 - runAsGroup: 1000 runAsNonRoot: true - runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-agent volumes: - emptyDir: @@ -261,10 +260,9 @@ using oauth2 with mtls from secrets: name: oauth2-tls-server readOnly: true securityContext: - fsGroup: 1000 - runAsGroup: 1000 runAsNonRoot: true - runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-agent volumes: - emptyDir: diff --git a/charts/steadybit-agent/tests/__snapshot__/statefulset_test.yaml.snap b/charts/steadybit-agent/tests/__snapshot__/statefulset_test.yaml.snap index 4dec1225..d410cec0 100644 --- a/charts/steadybit-agent/tests/__snapshot__/statefulset_test.yaml.snap +++ b/charts/steadybit-agent/tests/__snapshot__/statefulset_test.yaml.snap 
@@ -118,10 +118,9 @@ manifest should match snapshot: - mountPath: /tmp name: tmp-dir securityContext: - fsGroup: 1000 - runAsGroup: 1000 runAsNonRoot: true - runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-agent volumes: - emptyDir: @@ -260,10 +259,9 @@ should add aws account id from values: - mountPath: /tmp name: tmp-dir securityContext: - fsGroup: 1000 - runAsGroup: 1000 runAsNonRoot: true - runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-agent volumes: - emptyDir: @@ -396,10 +394,9 @@ should add extra volumes and mount: - mountPath: /extra name: extramount securityContext: - fsGroup: 1000 - runAsGroup: 1000 runAsNonRoot: true - runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-agent volumes: - emptyDir: @@ -557,10 +554,9 @@ should add match labels: - mountPath: /tmp name: tmp-dir securityContext: - fsGroup: 1000 - runAsGroup: 1000 runAsNonRoot: true - runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-agent volumes: - emptyDir: @@ -707,10 +703,9 @@ should add proxy configuration: - mountPath: /tmp name: tmp-dir securityContext: - fsGroup: 1000 - runAsGroup: 1000 runAsNonRoot: true - runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-agent volumes: - emptyDir: @@ -848,10 +843,9 @@ should apply extra pod labels: - mountPath: /tmp name: tmp-dir securityContext: - fsGroup: 1000 - runAsGroup: 1000 runAsNonRoot: true - runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-agent volumes: - emptyDir: @@ -1004,10 +998,9 @@ using extensions with mtls from containerpath: - mountPath: /tmp name: tmp-dir securityContext: - fsGroup: 1000 - runAsGroup: 1000 runAsNonRoot: true - runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-agent volumes: - emptyDir: 
@@ -1163,10 +1156,9 @@ using extensions with mtls from secrets: - mountPath: /opt/steadybit/agent/etc/extra-certs name: extra-certs securityContext: - fsGroup: 1000 - runAsGroup: 1000 runAsNonRoot: true - runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-agent volumes: - emptyDir: @@ -1308,10 +1300,9 @@ using image pull secrets with debug json log: imagePullSecrets: - name: test-pull-secret securityContext: - fsGroup: 1000 - runAsGroup: 1000 runAsNonRoot: true - runAsUser: 1000 + seccompProfile: + type: RuntimeDefault serviceAccountName: steadybit-agent volumes: - emptyDir: diff --git a/charts/steadybit-agent/values.yaml b/charts/steadybit-agent/values.yaml index 83a69a8a..26097eff 100644 --- a/charts/steadybit-agent/values.yaml +++ b/charts/steadybit-agent/values.yaml @@ -225,6 +225,12 @@ podAnnotations: {} # podLabels -- Additional labels to be added to the agent pods. podLabels: {} +# podSecurityContext -- the security context used for the pod +podSecurityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + # nodeSelector -- Node labels for pod assignment nodeSelector: {} @@ -234,6 +240,14 @@ tolerations: [] # affinity -- Affinities to influence agent pod assignment. affinity: {} +# containerSecurityContext -- the security context used for the pod +containerSecurityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + # extension-aws.* -- settings for the aws extension. See https://github.com/steadybit/extension-aws for more information. extension-aws: # extension-aws.enabled -- Enable the AWS extension @@ -433,4 +447,4 @@ extension-grafana: enabled: false grafana: serviceToken: null - apiBaseUrl: null + apiBaseUrl: null \ No newline at end of file
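Review bot: In `values.yaml` (hunk `@@ -225,6 +225,12 @@`), the new `podSecurityContext` default keeps `runAsNonRoot: true` but no longer carries `runAsUser: 1000`, `runAsGroup: 1000` or `fsGroup: 1000`, and the regenerated snapshots confirm that rendered pods lose them on upgrade. With `runAsNonRoot` alone the kubelet has to establish from the image that the user is not root, and without `fsGroup` the `steadybit-agent-state` volume used by the `filesystem` persistence provider may not be writable for the agent user; neither the image's user nor the volume type is visible in this diff, so both need confirming. If dropping the fixed IDs is deliberate, say so in the comment, e.g. `# podSecurityContext -- pod-level security context; runAsUser/runAsGroup/fsGroup are intentionally unset, add them here if the image or volumes need fixed IDs`.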
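Review bot: The comment added above `containerSecurityContext` in `values.yaml` (hunk `@@ -234,6 +240,14 @@`) is a copy of the pod-level one and says "used for the pod", although the template renders this value into the container's `securityContext`. I would change it to `# containerSecurityContext -- the security context used for the container`. It is also worth noting in that comment that the three settings below it are the chart's default hardening, so that an override relaxing them is a visible decision.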