From 75a0fa9b61e5d6b8fa5a53a771ab216f6cd126ed Mon Sep 17 00:00:00 2001
From: chgl
Date: Wed, 18 Dec 2024 21:10:26 +0100
Subject: [PATCH] fix: pod-level security context for datashield and blaze (#432)
* fix: pod-level security context for datashield and blaze
* docs update
---
 charts/blaze/Chart.yaml | 4 ++--
 charts/blaze/README.md | 2 +-
 charts/blaze/values.yaml | 4 ++--
 charts/datashield/Chart.yaml | 6 +++---
 charts/datashield/README.md | 4 ++--
 charts/datashield/values.yaml | 6 ++++--
 6 files changed, 14 insertions(+), 12 deletions(-)
diff --git a/charts/blaze/Chart.yaml b/charts/blaze/Chart.yaml
index f681ffa4..c006ef88 100644
--- a/charts/blaze/Chart.yaml
+++ b/charts/blaze/Chart.yaml
@@ -16,7 +16,7 @@ dependencies:
 version: 2.28.0
 deprecated: false
 kubeVersion: ">= 1.19.0"
-version: 0.5.39
+version: 0.5.40
 appVersion: "0.x"
 annotations:
 artifacthub.io/license: Apache-2.0
@@ -31,4 +31,4 @@ annotations:
 # When using the list of objects option the valid supported kinds are
 # added, changed, deprecated, removed, fixed and security.
 - kind: changed
- description: "Updated common to 2.28.0"
+ description: "Set default pod-level security context"
diff --git a/charts/blaze/README.md b/charts/blaze/README.md
index 2fc75302..7c8f5b1f 100644
--- a/charts/blaze/README.md
+++ b/charts/blaze/README.md
@@ -53,7 +53,7 @@ helm install blaze oci://ghcr.io/miracum/charts/blaze -n blaze
 | persistence.size | string | `"8Gi"` | PVC Storage Request for volume |
 | persistence.storageClass | string | `""` | PVC Storage Class for data volume If defined, storageClassName: If set to "-", storageClassName: "", which disables dynamic provisioning If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner. |
 | podAnnotations | object | `{}` | annotations to set on the main deployment's pod |
-| podSecurityContext | object | `{}` | the pod security context |
+| podSecurityContext | object | `{"fsGroup":1001,"runAsNonRoot":true}` | the pod security context |
 | replicaCount | int | `1` | number of replicas. ⚠️ Blaze does not support running with multiple replicas. |
 | resources | object | `{}` | configure the resource requests and limits |
 | resourcesPreset | string | `"medium"` | set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). More information: |
diff --git a/charts/blaze/values.yaml b/charts/blaze/values.yaml
index 2a4254d9..0d473a41 100644
--- a/charts/blaze/values.yaml
+++ b/charts/blaze/values.yaml
@@ -57,8 +57,8 @@ podAnnotations: {}
 # -- the pod security context
 podSecurityContext:
- {}
- # fsGroup: 2000
+ runAsNonRoot: true
+ fsGroup: 1001
 # @ignored
 securityContext:
diff --git a/charts/datashield/Chart.yaml b/charts/datashield/Chart.yaml
index 095036b0..e260989e 100644
--- a/charts/datashield/Chart.yaml
+++ b/charts/datashield/Chart.yaml
@@ -23,7 +23,7 @@ dependencies:
 version: 2.28.0
 deprecated: false
 kubeVersion: ">= 1.19.0"
-version: 0.7.51
+version: 0.7.52
 annotations:
 artifacthub.io/license: Apache-2.0
 artifacthub.io/containsSecurityUpdates: "false"
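Review bot: In the blaze values.yaml hunk, `runAsNonRoot: true` is set at pod level without a `runAsUser`, so the kubelet's check depends entirely on the Blaze image declaring a numeric non-root `USER`; if the image runs as root or names its user symbolically, the container is refused at start (CreateContainerConfigError) rather than degraded. Either pin the UID next to the group — `runAsUser: <uid the blaze image runs as>`, presumably 1001 given the chosen `fsGroup`, but confirm against the image — or extend the helm-docs comment to `# -- the pod security context; runAsNonRoot requires the image to declare a numeric non-root USER`. The two datashield podSecurityContext hunks (opal and rock) share this gap. Unless the `@ignored` container-level `securityContext` that follows already sets it, adding `seccompProfile: {type: RuntimeDefault}` here would bring the pod in line with the restricted Pod Security Standard, which `runAsNonRoot` alone does not satisfy.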
@@ -36,5 +36,5 @@ annotations:
 artifacthub.io/changes: |-
 # When using the list of objects option the valid supported kinds are
 # added, changed, deprecated, removed, fixed and security.
- - kind: changed
- description: "Updated docker.io/bitnami/postgresql to 17.2.0-debian-12-r3"
+ - kind: fixed
+ description: "corrected fsGroup in opal pod-level security context"
diff --git a/charts/datashield/README.md b/charts/datashield/README.md
index 818bbcdd..20080656 100644
--- a/charts/datashield/README.md
+++ b/charts/datashield/README.md
@@ -59,7 +59,7 @@ helm install --create-namespace -n datashield datashield oci://ghcr.io/miracum/c
 | opal.persistence.size | string | `"8Gi"` | PVC Storage Request for volume |
 | opal.persistence.storageClass | string | `""` | PVC Storage Class for data volume If defined, storageClassName: If set to "-", storageClassName: "", which disables dynamic provisioning If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner. |
 | opal.podAnnotations | object | `{}` | annotations to set on the opal pod |
-| opal.podSecurityContext | object | `{"fsGroup":100}` | the pod security context |
+| opal.podSecurityContext | object | `{"fsGroup":10041,"runAsNonRoot":true}` | the pod security context |
 | opal.replicaCount | int | `1` | number of replicas. Should be kept as 1 unless ReadWriteMany persistence is used |
 | opal.resources | object | `{}` | resource limits and requests |
 | opal.resourcesPreset | string | `"small"` | set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). More information: |
@@ -97,7 +97,7 @@ helm install --create-namespace -n datashield datashield oci://ghcr.io/miracum/c
 | rock.persistence.selector | object | `{}` | selector to match an existing Persistent Volume (this value is evaluated as a template) selector: matchLabels: app: my-app |
 | rock.persistence.size | string | `"8Gi"` | PVC Storage Request for volume |
 | rock.persistence.storageClass | string | `""` | PVC Storage Class for data volume If defined, storageClassName: If set to "-", storageClassName: "", which disables dynamic provisioning If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner. |
-| rock.podSecurityContext | object | `{"fsGroup":101}` | pod security context |
+| rock.podSecurityContext | object | `{"fsGroup":65534,"runAsNonRoot":true}` | pod security context |
 | rock.replicaCount | int | `1` | number of rock instances in the cluster |
 | rock.resources | object | `{}` | resource limits and requests |
 | rock.resourcesPreset | string | `"small"` | set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). More information: |
diff --git a/charts/datashield/values.yaml b/charts/datashield/values.yaml
index def6bfa0..30f8ff63 100644
--- a/charts/datashield/values.yaml
+++ b/charts/datashield/values.yaml
@@ -120,7 +120,8 @@ opal:
 # -- the pod security context
 podSecurityContext:
- fsGroup: 100
+ runAsNonRoot: true
+ fsGroup: 10041
 # @ignored
 securityContext:
@@ -348,7 +349,8 @@ rock:
 # -- pod security context
 podSecurityContext:
- fsGroup: 101
+ runAsNonRoot: true
+ fsGroup: 65534
 # -- pod node selector
 nodeSelector: {}
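Review bot: Changing `fsGroup` from 100 to 10041 on the opal pod, which mounts persistent volumes (see the `opal.persistence.*` rows in the README hunk), makes the kubelet recursively re-group and setgid the existing volume contents on the next start for volume types that support ownership management; on a large data directory this can delay startup noticeably, and the blaze hunk (no fsGroup → 1001) and the rock hunk below (101 → 65534) have the same upgrade-time effect. Adding `fsGroupChangePolicy: OnRootMismatch` next to `fsGroup` limits the walk to volumes whose root is not already owned as expected (the field is beta and enabled by default from 1.18, so within the chart's `>= 1.19.0` kubeVersion). A one-line upgrade note in the README or the `artifacthub.io/changes` entry would help operators of existing releases. The `podSecurityContext` mapping is complete within the hunk; the enclosing `opal:` block continues outside it.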
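Review bot: The rock pod's `fsGroup` changes from 101 to 65534 and gains `runAsNonRoot: true`, but the `artifacthub.io/changes` entry added in charts/datashield/Chart.yaml records only the opal fsGroup correction, so the release notes understate the change. A second entry such as `- kind: changed` / `description: "Set runAsNonRoot and fsGroup 65534 in rock pod-level security context"` would make them match the diff. 65534 is conventionally the nobody/nogroup id rather than an application group; a short why-comment, e.g. `# -- pod security context; fsGroup 65534 matches the group the rock image runs as` (if that is indeed the case), would spare the next maintainer from guessing. The enclosing `rock:` block continues outside the hunk.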