chore: add and complete pod security context

Signed-off-by: SdgJlbl <[email protected]>

charts/substra-backend/CHANGELOG.md

@@ -1,12 +1,23 @@
 # Changelog
 
 <!-- towncrier release notes start -->
+
+## [26.6.5] - 2024-05-27
+
+### Added
+
+- Pod and container security contexts (#895)
+
+### Changed
+
+- Updated bitnami charts to their latest version (#895)
+
 ## [26.6.4] - 2024-05-27
 
 ### Fixed
 
 - whitespace removal removed newline in `networkpolicy-orchestrator-client.yaml` (#914)
-  
+
 ## [26.6.3] - 2024-05-27
 
 ### Changed
@@ -19,7 +30,7 @@
 
 - Allow all ingress on server pod (#912)
 - Add a variable (`orchestrator.sameCluster`) to allow more communication between backend and orchestrator (#912)
-  
+
 ## [26.6.1] - 2024-05-23
 
 ### Fix

charts/substra-backend/Chart.lock

@@ -1,21 +1,21 @@
 dependencies:
 - name: redis
   repository: https://charts.bitnami.com/bitnami
-  version: 18.17.0
+  version: 19.5.0
 - name: common
   repository: https://charts.bitnami.com/bitnami
   version: 2.16.1
 - name: postgresql
   repository: https://charts.bitnami.com/bitnami
-  version: 13.1.2
+  version: 15.4.1
 - name: docker-registry
   repository: https://helm.twun.io
-  version: 2.2.2
+  version: 2.2.3
 - name: minio
   repository: https://charts.bitnami.com/bitnami
-  version: 12.8.12
+  version: 14.6.1
 - name: localstack
   repository: https://localstack.github.io/helm-charts
   version: 0.6.9
-digest: sha256:42c8f0dba9b2ab0b04533af995c5fb55fdb424fec68f9ce93ff697d861e84ac6
-generated: "2024-03-01T14:53:20.819977+01:00"
+digest: sha256:741c436098dd91e19b57ab423a3cf6befff017c76914af997c74b2c236064534
+generated: "2024-05-28T11:12:51.479028+02:00"

charts/substra-backend/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: substra-backend
 home: https://github.com/Substra
-version: 26.6.4
+version: 26.6.5
 appVersion: 0.45.0
 kubeVersion: ">= 1.19.0-0"
 description: Main package for Substra
@@ -16,22 +16,22 @@ dependencies:
   - name: redis
     repository: https://charts.bitnami.com/bitnami
     condition: redis.enabled
-    version: 18.17.0
+    version: 19.5.0
   - name: common
     repository: https://charts.bitnami.com/bitnami
     condition: redis.enabled,postgresql.enabled,minio.enabled
     version: 2.16.1
   - name: postgresql
     repository: https://charts.bitnami.com/bitnami
-    version: 13.1.2
+    version: 15.4.1
     condition: postgresql.enabled
   - name: docker-registry
     repository: https://helm.twun.io
-    version: 2.2.2
+    version: 2.2.3
     condition: docker-registry.enabled
   - name: minio
     repository: https://charts.bitnami.com/bitnami
-    version: 12.8.12
+    version: 14.6.1
     condition: minio.enabled
   - name: localstack
     repository: https://localstack.github.io/helm-charts

charts/substra-backend/README.md

@@ -7,6 +7,14 @@ Substra Backend is a component of [Substra](https://github.com/SubstraFoundation
 - Kubernetes 1.19+
 - If you want to enable GPU support, install the nvidia device plugin for kubernetes: https://github.com/NVIDIA/k8s-device-plugin or https://github.com/NVIDIA/gpu-operator
 
+## Upgrading dependencies
+
+If you make changes to the versions of the external charts defined in `Chart.yaml`, you need to update the `Chart.lock` file by running:
+
+```bash
+helm dependency update
+```
+
 ## Changelog
 
 See [CHANGELOG.md](https://github.com/Substra/substra-backend/blob/main/charts/substra-backend/CHANGELOG.md)
@@ -192,7 +200,7 @@ See [UPGRADE.md](https://github.com/Substra/substra-backend/blob/main/charts/sub
 | ----------------------------------------- | ------------------------------------------------------------------ | ------------------------- |
 | `scheduler.enabled`                       | Enable scheduler service                                           | `true`                    |
 | `scheduler.replicaCount`                  | Replica count for the scheduler server                             | `1`                       |
-| `scheduler.image.registry`                | Subsra backend tasks scheduler image registry                      | `ghcr.io`                 |
+| `scheduler.image.registry`                | Substra backend tasks scheduler image registry                     | `ghcr.io`                 |
 | `scheduler.image.repository`              | Substra backend tasks scheduler image repository                   | `substra/substra-backend` |
 | `scheduler.image.tag`                     | Substra backend tasks scheduler image tag (defaults to AppVersion) | `nil`                     |
 | `scheduler.image.pullPolicy`              | Substra backend task scheduler image pull policy                   | `IfNotPresent`            |

charts/substra-backend/templates/_helpers.tpl

@@ -243,6 +243,13 @@ The hostname we should connect to (external is defined, otherwise integrated)
 {{- if or .Values.minio.enabled .Values.localstack.enabled }}
 - name: wait-minio
   image: jwilder/dockerize:0.6.1
+  securityContext:
+      allowPrivilegeEscalation: false
+      runAsNonRoot: true
+      seccompProfile:
+        type: RuntimeDefault
+      capabilities:
+        drop: ["ALL"]
   command: ['dockerize', '-wait', 'tcp://{{ template "substra-backend.objectStore.url" .}}', '-timeout', '15s']
 {{- end }}
 {{- end -}}
@@ -254,6 +261,13 @@ The hostname we should connect to (external is defined, otherwise integrated)
 {{- define "common.waitPostgresqlInitContainer" -}}
 - name: wait-postgresql
   image: postgres
+  securityContext:
+      allowPrivilegeEscalation: false
+      runAsNonRoot: true
+      seccompProfile:
+        type: RuntimeDefault
+      capabilities:
+        drop: ["ALL"]
   env:
    - name: PGUSER
      value: {{ .Values.database.auth.username }}
@@ -274,6 +288,7 @@ The hostname we should connect to (external is defined, otherwise integrated)
   imagePullPolicy: {{ .Values.privateCa.image.pullPolicy }}
   securityContext:
     runAsUser: 0
+    runAsNonRoot: false
   command: ['sh', '-c']
   args:
   - |
@@ -296,6 +311,13 @@ The hostname we should connect to (external is defined, otherwise integrated)
 {{- define "common.waitInitMigrationsInitContainer" -}}
 - name: wait-init-migrations
   image: {{ include "substra-backend.images.name" (dict "img" .Values.worker.events.image "defaultTag" $.Chart.AppVersion) }}
+  securityContext:
+      allowPrivilegeEscalation: false
+      runAsNonRoot: true
+      seccompProfile:
+        type: RuntimeDefault
+      capabilities:
+        drop: ["ALL"]
   command: ['bash', '/usr/src/app/wait-init-migration.sh']
   volumeMounts:
   - name: volume-wait-init-migrations
@@ -385,4 +407,4 @@ Retrieve AWS environment variable value
   {{- end -}}
 {{- end -}}
 {{- $value -}}
-{{- end -}}
+{{- end -}}

charts/substra-backend/templates/deployment-api-events.yaml

@@ -35,6 +35,9 @@ spec:
       {{- end }}
       {{- if .Values.api.events.podSecurityContext.enabled }}
       securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
         fsGroup: {{ .Values.api.events.podSecurityContext.fsGroup }}
         runAsUser: {{ .Values.api.events.podSecurityContext.runAsUser }}
         runAsGroup: {{ .Values.api.events.podSecurityContext.runAsGroup }}
@@ -46,6 +49,13 @@ spec:
           imagePullPolicy: {{ .Values.api.events.image.pullPolicy }}
           resources:
             {{- toYaml .Values.api.events.resources | nindent 12 }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
+            capabilities:
+              drop: ["ALL"]
           command: ["/bin/bash"]
           {{- if eq .Values.settings "prod" }}
           args: ["-c", "python manage.py consume"]

charts/substra-backend/templates/deployment-registry-prepopulate.yaml

@@ -23,13 +23,27 @@ spec:
         role-internet-egress: 'true'
     spec:
       initContainers:
-      - name: wait-registry 
+      - name: wait-registry
         image: jwilder/dockerize:0.6.1
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsNonRoot: false
+          seccompProfile:
+            type: RuntimeDefault
+          capabilities:
+            drop: ["ALL"]
         resources:
           {{- toYaml $.Values.registryPrepopulate.waitRegistry.resources | nindent 12 }}
         command: ['dockerize', '-wait', 'tcp://{{ $.Release.Name }}-docker-registry:5000']
       - name: kaniko
         image: {{ include "common.images.name" $.Values.kaniko.image }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsNonRoot: false
+          seccompProfile:
+            type: RuntimeDefault
+          capabilities:
+            drop: ["ALL"]
         resources:
           {{- toYaml $.Values.kaniko.resources | nindent 12 }}
         args:
@@ -56,6 +70,13 @@ spec:
         name: pause
         resources:
           {{- toYaml $.Values.registryPrepopulate.pause.resources | nindent 12 }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsNonRoot: false
+          seccompProfile:
+            type: RuntimeDefault
+          capabilities:
+            drop: ["ALL"]
       volumes:
       - name: kaniko-dir
         emptyDir: {}

charts/substra-backend/templates/deployment-scheduler-worker.yaml

@@ -33,6 +33,9 @@ spec:
     spec:
       {{- if .Values.schedulerWorker.podSecurityContext.enabled }}
       securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
         fsGroup: {{ .Values.schedulerWorker.podSecurityContext.fsGroup }}
         runAsUser: {{ .Values.schedulerWorker.podSecurityContext.runAsUser }}
         runAsGroup: {{ .Values.schedulerWorker.podSecurityContext.runAsGroup }}
@@ -48,6 +51,13 @@ spec:
         - name: scheduler-worker
           image: {{ include "substra-backend.images.name" (dict "img" .Values.schedulerWorker.image "defaultTag" $.Chart.AppVersion) }}
           imagePullPolicy: {{ .Values.schedulerWorker.image.pullPolicy }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
+            capabilities:
+              drop: ["ALL"]
           command: ["/bin/bash"]
           args: ["-c", "celery -A backend worker -l info -n {{ .Values.organizationName }} -Q {{ .Values.organizationName }},scheduler,celery --hostname {{ .Values.organizationName }}.scheduler"]
           envFrom:

charts/substra-backend/templates/deployment-scheduler.yaml

@@ -37,6 +37,9 @@ spec:
       {{- end }}
       {{- if .Values.scheduler.podSecurityContext.enabled }}
       securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
         fsGroup: {{ .Values.scheduler.podSecurityContext.fsGroup }}
         runAsGroup: {{ .Values.scheduler.podSecurityContext.runAsGroup }}
         runAsUser: {{ .Values.scheduler.podSecurityContext.runAsUser }}
@@ -45,6 +48,13 @@ spec:
         - name: scheduler
           image: {{ include "substra-backend.images.name" (dict "img" .Values.scheduler.image "defaultTag" $.Chart.AppVersion) }}
           imagePullPolicy: {{ .Values.scheduler.image.pullPolicy }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
+            capabilities:
+              drop: ["ALL"]
           command: ["/bin/bash"]
           args: ["-c", "celery -A backend beat -l debug --schedule /var/substra/runtime-db/celerybeat-scheduler"]
           envFrom:

charts/substra-backend/templates/deployment-server.yaml

@@ -36,6 +36,9 @@ spec:
     spec:
       {{- if .Values.server.podSecurityContext.enabled }}
       securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
         fsGroup: {{ .Values.server.podSecurityContext.fsGroup }}
         runAsUser: {{ .Values.server.podSecurityContext.runAsUser }}
         runAsGroup: {{ .Values.server.podSecurityContext.runAsGroup }}
@@ -47,6 +50,13 @@ spec:
       containers:
       - name: server
         image: {{ include "substra-backend.images.name" (dict "img" .Values.server.image "defaultTag" $.Chart.AppVersion) }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
+          capabilities:
+            drop: ["ALL"]
         imagePullPolicy: "{{ .Values.server.image.pullPolicy }}"
         command: ["/bin/bash"]
         {{- if eq .Values.settings "prod" }}
@@ -153,6 +163,13 @@ spec:
       - name: metrics-sidecar
         image: {{ include "substra-backend.images.name" (dict "img" .Values.server.metrics.image "defaultTag" $.Chart.AppVersion) }}
         imagePullPolicy: {{ .Values.server.metrics.image.pullPolicy }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
+          capabilities:
+            drop: ["ALL"]
         command: ["/bin/bash"]
         args:
           - "-c"
@@ -180,6 +197,13 @@ spec:
       - name: init-collectstatic
         image: {{ include "substra-backend.images.name" (dict "img" .Values.server.image "defaultTag" $.Chart.AppVersion) }}
         command: ['python', 'manage.py', 'collectstatic', '--noinput']
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
+          capabilities:
+            drop: ["ALL"]
         envFrom:
           - configMapRef:
               name: {{ include "substra.fullname" . }}-orchestrator
@@ -195,6 +219,13 @@ spec:
       - name: init-migrate
         image: {{ include "substra-backend.images.name" (dict "img" .Values.server.image "defaultTag" $.Chart.AppVersion) }}
         command: ['python', 'manage.py', 'migrate']
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
+          capabilities:
+            drop: ["ALL"]
         envFrom:
           - configMapRef:
               name: {{ include "substra.fullname" . }}-orchestrator

charts/substra-backend/templates/deployment-worker-events.yaml

@@ -36,9 +36,13 @@ spec:
       {{- end }}
       {{- if .Values.worker.events.podSecurityContext.enabled }}
       securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
         fsGroup: {{ .Values.worker.events.podSecurityContext.fsGroup }}
         runAsUser: {{ .Values.worker.events.podSecurityContext.runAsUser }}
         runAsGroup: {{ .Values.worker.events.podSecurityContext.runAsGroup }}
+
       {{- end }}
       serviceAccountName: {{ include "substra.worker.events.serviceAccountName" . }}
       containers:
@@ -47,6 +51,13 @@ spec:
           imagePullPolicy: {{ .Values.worker.events.image.pullPolicy }}
           resources:
             {{- toYaml .Values.worker.events.resources | nindent 12 }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
+            capabilities:
+              drop: ["ALL"]
           command: ["/bin/bash"]
           {{- if eq .Values.settings "prod" }}
           args: ["-c", "python manage.py consume"]