From c5be9817ee41138cab3034bcbff6a80db82df5a8 Mon Sep 17 00:00:00 2001 From: Piotr Pawlowski Date: Sun, 28 Jan 2024 19:03:17 +0100 Subject: [PATCH 1/3] Add container security context for core application, broker, and file storage containers --- helm/flowforge/README.md | 3 +++ helm/flowforge/templates/broker.yaml | 4 +--- helm/flowforge/templates/deployment.yaml | 6 ++---- helm/flowforge/templates/file-storage.yml | 4 +--- helm/flowforge/values.schema.json | 9 +++++++++ helm/flowforge/values.yaml | 7 +++++++ 6 files changed, 23 insertions(+), 10 deletions(-) diff --git a/helm/flowforge/README.md b/helm/flowforge/README.md index 31678e5d..943f18a1 100644 --- a/helm/flowforge/README.md +++ b/helm/flowforge/README.md @@ -45,6 +45,7 @@ If using an external PostgreSQL Database you will need to create the database an - `forge.clusterRole.name` custom name for the ClusterRole (default `create-pod`) - `forge.resources` allows to configure [resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the core application container - `forge.podSecurityContext` allows to configure [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for the core application pod + - `forge.containerSecurityContext` allows to configure [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for the core application container note: `forge.projectSelector` and `forge.managementSelector` defaults mean that you must have at least 2 nodes in your cluster and they need to be labeled before installing. 
@@ -80,6 +81,7 @@ To use STMP to send email - `forge.broker.affinity` allows to configure [affinity or anti-affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) for the broker pod - `forge.broker.resources` allows to configure [resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the broker container - `forge.broker.podSecurityContext` allows to configure [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for the broker pod + - `forge.broker.containerSecurityContext` allows to configure [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for the broker container ### Telemetry @@ -129,6 +131,7 @@ Enables FlowForge Telemetry - `forge.fileStore.context.quota` Sets the maximum number of bytes that a project can store in Persistent Context (default `1048576`) - `forge.fileStore.resources` allows to configure [resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the file-server container - `forge.fileStore.podSecurityContext` allows to configure [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for the flowforge-file pod +- `forge.fileStore.containerSecurityContext` allows to configure [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for the flowforge-file container ### Private Certificate Authority diff --git a/helm/flowforge/templates/broker.yaml b/helm/flowforge/templates/broker.yaml index 2ad08ff8..666bbaed 100644 --- a/helm/flowforge/templates/broker.yaml +++ b/helm/flowforge/templates/broker.yaml 
@@ -75,9 +75,7 @@ spec: name: mqtt-native - containerPort: 1884 name: mqtt-ws - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true + securityContext: {{- toYaml .Values.forge.broker.containerSecurityContext | nindent 10 }} # livenessProbe: # httpGet: # path: /ping.html diff --git a/helm/flowforge/templates/deployment.yaml b/helm/flowforge/templates/deployment.yaml index 241e12a8..ababa095 100644 --- a/helm/flowforge/templates/deployment.yaml +++ b/helm/flowforge/templates/deployment.yaml @@ -71,13 +71,11 @@ spec: readOnly: true {{- end }} ports: - - containerPort: 3000 - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true + - containerPort: 3000 {{- if .Values.forge.resources }} resources: {{- toYaml .Values.forge.resources | nindent 12 }} {{- end }} + securityContext: {{- toYaml .Values.forge.containerSecurityContext | nindent 10 }} {{- if .Values.forge.registrySecrets }} imagePullSecrets: {{- range .Values.forge.registrySecrets }} diff --git a/helm/flowforge/templates/file-storage.yml b/helm/flowforge/templates/file-storage.yml index 3be75ede..1ae4e62e 100644 --- a/helm/flowforge/templates/file-storage.yml +++ b/helm/flowforge/templates/file-storage.yml @@ -78,9 +78,7 @@ spec: {{ end -}} ports: - containerPort: 3001 - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true + securityContext: {{- toYaml .Values.forge.broker.containerSecurityContext | nindent 10 }} {{- if .Values.forge.fileStore.resources }} resources: {{- toYaml .Values.forge.fileStore.resources | nindent 12 }} {{- end }} diff --git a/helm/flowforge/values.schema.json b/helm/flowforge/values.schema.json index 47ade067..637293ee 100644 --- a/helm/flowforge/values.schema.json +++ b/helm/flowforge/values.schema.json @@ -270,6 +270,9 @@ } } } + }, + "containerSecurityContext": { + "type": "object" } }, "required": [ @@ -397,6 +400,9 @@ } } } + }, + "containerSecurityContext": { + "type": "object" } }, "required": [ 
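Review bot: The new `securityContext: {{- toYaml .Values.forge.broker.containerSecurityContext | nindent 10 }}` line has no guard, so a release that nulls or omits the value (for example via `--set forge.broker.containerSecurityContext=null`) renders `securityContext: null` and the `allowPrivilegeEscalation: false` / `readOnlyRootFilesystem: true` hardening that this hunk removes from the template disappears without any error. Since the chart previously enforced those settings unconditionally, it would be safer to fail the render than to emit an empty context, e.g. `securityContext: {{- toYaml (required "forge.broker.containerSecurityContext must be set" .Values.forge.broker.containerSecurityContext) | nindent 10 }}`. The deployment.yaml and file-storage.yml hunks in this patch use the same unguarded form and would benefit from the same `required` wrapper. The enclosing container spec starts and ends outside the hunk.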
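Review bot: The added `securityContext: {{- toYaml .Values.forge.containerSecurityContext | nindent 10 }}` uses `nindent 10` while its sibling key in the same hunk, `resources: {{- toYaml .Values.forge.resources | nindent 12 }}`, uses `nindent 12`; two keys of the same container mapping should indent their children identically. If the container keys sit at column 10, as the `resources` indent suggests, the rendered `allowPrivilegeEscalation`/`readOnlyRootFilesystem` lines land at the key's own column and YAML parses them as container-level fields next to an empty `securityContext:`, which is then either rejected as an unknown field at install time or silently pruned — in both cases the hardening is lost. Please confirm with `helm template` and align it with the sibling, i.e. `securityContext: {{- toYaml .Values.forge.containerSecurityContext | nindent 12 }}`. The broker.yaml and file-storage.yml hunks of this patch, and the file-storage.yml line rewritten in patch 2/3, carry the same `nindent 10`; file-storage.yml shows the identical `nindent 12` for its `resources` key.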
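Review bot: The new `"containerSecurityContext": { "type": "object" }` entry accepts any object, so a typo in a hardening key (for instance a mis-cased `readOnlyRootFileSystem`) passes values validation and the setting is quietly dropped downstream; listing the well-known keys with their types keeps the schema permissive but catches that class of mistake. The same one-line schema is added in the `@@ -397` hunk on this line and the `@@ -539` hunk on the next, and all three could use the same shape. The enclosing schema object continues outside the hunk.
```json
"containerSecurityContext": {
  "type": "object",
  "properties": {
    "allowPrivilegeEscalation": { "type": "boolean" },
    "readOnlyRootFilesystem": { "type": "boolean" },
    "runAsNonRoot": { "type": "boolean" },
    "privileged": { "type": "boolean" }
  }
}
```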
@@ -539,6 +545,9 @@ } } } + }, + "containerSecurityContext": { + "type": "object" } }, diff --git a/helm/flowforge/values.yaml b/helm/flowforge/values.yaml index edf0602b..4d94564a 100644 --- a/helm/flowforge/values.yaml +++ b/helm/flowforge/values.yaml @@ -27,6 +27,9 @@ forge: fsGroup: 1000 seccompProfile: type: RuntimeDefault + containerSecurityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true fileStore: enabled: false type: localfs @@ -74,6 +77,10 @@ forge: seccompProfile: type: RuntimeDefault + containerSecurityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + postgresql: auth: postgresPassword: Moomiet0 From c354a23a9b25ecd3754995c975304a6ebf61360e Mon Sep 17 00:00:00 2001 From: ppawlowski Date: Wed, 31 Jan 2024 10:48:10 +0100 Subject: [PATCH 2/3] Update security context for file storage container --- helm/flowforge/templates/file-storage.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm/flowforge/templates/file-storage.yml b/helm/flowforge/templates/file-storage.yml index 1ae4e62e..98195ed1 100644 --- a/helm/flowforge/templates/file-storage.yml +++ b/helm/flowforge/templates/file-storage.yml @@ -78,7 +78,7 @@ spec: {{ end -}} ports: - containerPort: 3001 - securityContext: {{- toYaml .Values.forge.broker.containerSecurityContext | nindent 10 }} + securityContext: {{- toYaml .Values.forge.fileStore.containerSecurityContext | nindent 10 }} {{- if .Values.forge.fileStore.resources }} resources: {{- toYaml .Values.forge.fileStore.resources | nindent 12 }} {{- end }} From 06417003527b32adc53fdf9470b6b7f60a3cb028 Mon Sep 17 00:00:00 2001 From: ppawlowski Date: Wed, 31 Jan 2024 10:49:54 +0100 Subject: [PATCH 3/3] Add missing containerSecurityContext vakues for fileStore --- helm/flowforge/values.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/helm/flowforge/values.yaml b/helm/flowforge/values.yaml index 4d94564a..1c79968d 100644 --- a/helm/flowforge/values.yaml 
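Review bot: The new `containerSecurityContext` defaults in the `@@ -27` and `@@ -74` hunks of values.yaml (and the fileStore block added in patch 3/3) carry over exactly the two settings the templates previously hard-coded, but nothing records that these are the chart's security baseline rather than arbitrary examples; a comment such as `# baseline container hardening; keep allowPrivilegeEscalation=false and readOnlyRootFilesystem=true unless the image requires otherwise` above each block would make that intent survive future edits. Since the pod-level context already opts into `seccompProfile: type: RuntimeDefault`, consider completing the Restricted profile at container level by adding `capabilities:` / `  drop: ["ALL"]` and, if the pod context does not already set it, `runAsNonRoot: true`; I cannot see the full pod-level block from this hunk, so please confirm before duplicating it. The `@@ -74` hunk also adds an extra blank line before `postgresql:` that the `@@ -27` hunk does not, which is worth keeping consistent.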
+++ b/helm/flowforge/values.yaml @@ -51,6 +51,9 @@ forge: fsGroup: 1000 seccompProfile: type: RuntimeDefault + containerSecurityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true support: enabled: false