Moved K8s to base and Upgraded Bamboo #43

Merged
merged 10 commits into from
Aug 26, 2023
@saidsef saidsef commented Aug 24, 2023

  • Moved Bamboo Kubernetes deployment to base directory; this will standardise deployments
  • Moved Kubernetes kustomizer resource to point to base directory
  • Upgraded Bamboo to version 9.2.4 LTS
  • Moved Kubernetes files to base

@saidsef saidsef added enhancement security security updates labels Aug 24, 2023
github-actions bot previously approved these changes Aug 24, 2023
@saidsef saidsef added preview preview and removed preview preview labels Aug 24, 2023
github-actions bot previously approved these changes Aug 25, 2023

saidsef commented Aug 25, 2023

Due to the K8s deployment readOnlyRootFilesystem being set to true, it throws an error during startup as logs can no longer be written to disk.

To resolve this, either move the logs to an ephemeral storage path - logs path /opt/atlassian-bamboo-9.2.4/logs/ - or, better yet, push the logs to stdout.
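
The first option in the comment above (a writable ephemeral volume over the log directory while the root filesystem stays read-only), as an added example that is not taken from this PR or the repository's manifests. The image reference, UID, labels and size limit are assumptions; the container name and log path are the ones quoted on this page.

```yaml
# Added example: placeholder values are marked; not the repository's manifest.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: bamboo
spec:
  selector:
    matchLabels:
      app: bamboo                 # constructed label
  template:
    metadata:
      labels:
        app: bamboo
    spec:
      securityContext:            # pod level: inherited by every container
        runAsNonRoot: true
        runAsUser: 65534          # assumed UID of "nobody" in the image
      containers:
        - name: bamboo
          image: registry.example/bamboo:9.2.4   # placeholder image reference
          securityContext:
            # readOnlyRootFilesystem and allowPrivilegeEscalation exist only
            # at container level; they cannot be set in the pod-level block.
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
          volumeMounts:
            # Writable mount over the one path the startup error names.
            - name: logs
              mountPath: /opt/atlassian-bamboo-9.2.4/logs
      volumes:
        - name: logs
          emptyDir:
            sizeLimit: 1Gi        # constructed value; caps node disk used by logs
```

Any other directory the process writes to at startup needs the same kind of mount, otherwise the same error reappears for that path.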

github-actions bot previously approved these changes Aug 25, 2023
This best practice applies the securityContext to all containers in the deployment and reduces code duplication

Updated Kubernetes deployment spec to set readOnlyRootFilesystem and increased initialDelaySeconds

Added apk package curl for internal use, updated folder path name by making it consistent

Moved Bamboo logs to ephemeral storage

Updated Kubernetes deployment manifest to include resources - this is to define resource specs, and added JAVA min max and opts from system resource

foo
github-actions bot previously approved these changes Aug 25, 2023
github-actions bot previously approved these changes Aug 26, 2023
…eServiceLinks

This improves our security posture

saidsef commented Aug 26, 2023

🤖

Review Summary

The PR contains several changes related to the Bamboo Kubernetes deployment and Dockerfile. The changes are generally well-structured and follow good practices. However, there are a few areas that could be improved or need attention.

Dockerfile

  1. The Dockerfile has been updated to use a slim version of OpenJDK 11. This is a good practice as it reduces the image size. However, it's important to ensure that all dependencies required by Bamboo are still met with this base image.

  2. The Dockerfile now includes the installation of procps, wget, and curl. It's good to see that the Dockerfile is being kept up-to-date with necessary dependencies. However, it's important to ensure that these tools are actually required for the operation of the Bamboo server. If they are not, they should be removed to keep the image as small and secure as possible.

  3. The Dockerfile now includes a step to remove the APT lists after installing packages. This is a good practice as it reduces the image size.

  4. The Dockerfile now includes a step to remove unnecessary packages after installing Bamboo. This is a good practice as it reduces the image size.

  5. The Dockerfile now includes a step to change the ownership of the Bamboo directory to the nobody user. This is a good practice as it reduces the potential for privilege escalation attacks.

Kubernetes Deployment

  1. The Kubernetes deployment now includes a security context at the pod level. This is a good practice as it applies security settings to all containers in the pod.

  2. The Kubernetes deployment now includes resource limits for the Bamboo container. This is a good practice as it prevents the container from consuming excessive resources.

  3. The Kubernetes deployment now includes several new volume mounts. It's important to ensure that these mounts are necessary and that they do not expose sensitive data.

  4. The Kubernetes deployment now disables the automatic mounting of the service account token and service links. This is a good practice as it reduces the potential for privilege escalation attacks.

  5. The Kubernetes deployment now includes a readiness probe with an initial delay of 10 seconds. This may be too short for the Bamboo server to start up, especially if it needs to perform initial setup tasks. Consider increasing this delay to a more conservative value.

  6. The Kubernetes deployment now includes a liveness probe with an initial delay of 10 seconds. This may be too short for the Bamboo server to start up, especially if it needs to perform initial setup tasks. Consider increasing this delay to a more conservative value.

Suggestions

  1. Dockerfile: Consider verifying whether procps, wget, and curl are necessary for the operation of the Bamboo server. If they are not, remove them from the Dockerfile.

  2. Kubernetes Deployment: Consider increasing the initial delay for the readiness and liveness probes to a more conservative value.

  3. Kubernetes Deployment: Consider verifying whether the new volume mounts are necessary and whether they expose sensitive data.

Example Code

```dockerfile
# Dockerfile
FROM docker.io/openjdk:11-slim

# Only install necessary dependencies
RUN apt-get update && \
    apt-get upgrade -y && \
    apt-get install -yq wget && \
    rm -rf /var/lib/apt/lists/* && \
    apt-get autoremove -y
```

```yaml
# Kubernetes Deployment
spec:
  template:
    spec:
      containers:
      - name: bamboo
        readinessProbe:
          initialDelaySeconds: 30
        livenessProbe:
          initialDelaySeconds: 30
```

Overall, the PR is well-structured and follows good practices. With a few minor adjustments, it should be ready for merging.

> gpt-4

@saidsef saidsef added the preview preview label Aug 26, 2023
@saidsef saidsef merged commit f0bb4b8 into main Aug 26, 2023
4 checks passed
@saidsef saidsef deleted the k8s-base branch August 26, 2023 13:06