Commit
chore(seeding): add securityContext
evegufy committed Oct 14, 2024
1 parent 19eca8e commit a655139
Showing 2 changed files with 32 additions and 2 deletions.
17 changes: 16 additions & 1 deletion charts/centralidp/templates/job-seeding.yaml
@@ -226,6 +226,13 @@ spec:
mountPath: "app/realms"
initContainers:

Check warnings on line 227 in charts/centralidp/templates/job-seeding.yaml (GitHub Actions / Analyze):

[MEDIUM] Container Running With Low UID: Check if containers are running with low UID, which might cause conflicts with the host's user table.

[MEDIUM] Memory Limits Not Defined: Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory.

[MEDIUM] Memory Requests Not Defined: Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes.

[MEDIUM] Seccomp Profile Is Not Configured: Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls.

- name: init-cx-central
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
image: {{ .Values.realmSeeding.initContainer.image.name }}
imagePullPolicy: {{ .Values.realmSeeding.initContainer.image.pullPolicy }}
command:
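Review bot: the new securityContext on init-cx-central sets runAsNonRoot: true without a runAsUser, so startup now depends on the USER metadata of `{{ .Values.realmSeeding.initContainer.image.name }}`; if that image runs as root or declares a non-numeric user, the kubelet refuses to start the container (CreateContainerConfigError) instead of falling back. Either set runAsUser explicitly here or document that the init image must ship a numeric non-root USER. The KICS annotations on this hunk also remain open: no seccompProfile is set, so add `seccompProfile: { type: RuntimeDefault }` next to the capability drop, and memory requests/limits are still undefined for this init container.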
@@ -239,7 +246,15 @@ spec:
- name: realms
mountPath: "app/realms"
- name: wait-for-keycloak
image: appropriate/curl:latest
image: alpine/curl:latest
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000

Check warning on line 257 in charts/centralidp/templates/job-seeding.yaml (GitHub Actions / Analyze): [MEDIUM] Container Running With Low UID: Check if containers are running with low UID, which might cause conflicts with the host's user table.

Check warning (Code scanning / KICS): Container Running With Low UID Warning: metadata.name={kics-helm-keycloak-realm-seeding-1}.spec.template.spec.initContainers.name={wait-for-keycloak}.securityContext.runAsUser is set to a low UID
{{ if .Values.realmSeeding.keycloakServiceTls -}}
command: [ 'sh', '-c', 'until curl -s https://{{ template "centralidp.fullname" . }}:{{ .Values.realmSeeding.keycloakServicePort }}/auth/realms/master/.well-known/openid-configuration; do echo waiting for other pod; sleep 2; done;' ]
{{- else -}}
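Review bot: the image swap still pulls a floating `alpine/curl:latest` tag with no digest, so the init container that gates the entire seeding job runs whatever was most recently pushed to that tag; pin a version tag (ideally with an `@sha256:` digest) so the job is reproducible and an upstream push cannot silently change what executes here. Two smaller points on the same hunk: runAsUser: 1000 is exactly what the KICS low-UID finding is flagging, so if the finding is meant to be cleared choose a higher UID (10000 or above) rather than 1000, and as in the first hunk there is no seccompProfile. In the unchanged context the wait loop uses `curl -s` without `-f`/`--fail`, so any HTTP response, including a 503 while Keycloak is still starting, ends the wait; `curl -sf` would make the readiness check meaningful.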
17 changes: 16 additions & 1 deletion charts/sharedidp/templates/job-seeding.yaml
@@ -192,6 +192,13 @@ spec:
mountPath: "app/realms"
initContainers:
- name: init-cx-central
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
image: {{ .Values.realmSeeding.initContainer.image.name }}
imagePullPolicy: {{ .Values.realmSeeding.initContainer.image.pullPolicy }}
command:
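Review bot: this securityContext block is identical to the one added to charts/centralidp/templates/job-seeding.yaml in the same commit, and the same concern applies: runAsNonRoot: true with no runAsUser makes the container's startup depend on the image's USER metadata, and no seccompProfile is set. Since both charts now carry the same hardening verbatim, consider defining it once as a named template (the charts already rely on `centralidp.fullname` / `sharedidp.fullname` helpers) so the two copies cannot drift, and add `seccompProfile: { type: RuntimeDefault }` there in one place.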
@@ -205,7 +212,15 @@ spec:
- name: realms
mountPath: "app/realms"
- name: wait-for-keycloak
image: appropriate/curl:latest
image: alpine/curl:latest
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
{{ if .Values.realmSeeding.keycloakServiceTls -}}
command: [ 'sh', '-c', 'until curl -s https://{{ template "sharedidp.fullname" . }}:{{ .Values.realmSeeding.keycloakServicePort }}/auth/realms/master/.well-known/openid-configuration; do echo waiting for other pod; sleep 2; done;' ]
{{- else -}}
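Review bot: as in the centralidp hunk, `alpine/curl:latest` is unpinned (no version tag or digest) and runAsUser: 1000 is hard-coded, so two charts now embed the same UID that KICS flags. Expose the UID through a values key, for example `realmSeeding.waitForKeycloak.runAsUser` (a name suggested here, not present in the chart), so operators can pick a UID that satisfies the low-UID rule, and pin the image tag in both charts in the same change so they stay in sync.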

0 comments on commit a655139