From d71ffe4bd9127451dd0d060204116642180d458a Mon Sep 17 00:00:00 2001 From: Allen Conlon Date: Tue, 2 Jan 2024 18:30:50 -0500 Subject: [PATCH 1/2] Added Security context for charts that where missing them --- autocert/Chart.yaml | 2 +- autocert/templates/autocert.yaml | 7 ++++--- autocert/values.yaml | 8 ++++++++ step-issuer/Chart.yaml | 4 ++-- step-issuer/charts/crds/Chart.yaml | 2 +- step-issuer/templates/deployment.yaml | 6 ++++++ step-issuer/values.yaml | 19 ++++++++++++++++++- 7 files changed, 40 insertions(+), 8 deletions(-) diff --git a/autocert/Chart.yaml b/autocert/Chart.yaml index 57ff937..62bfbde 100644 --- a/autocert/Chart.yaml +++ b/autocert/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: autocert -version: 1.18.0 +version: 1.18.1 appVersion: 0.18.0 description: A kubernetes add-on that automatically injects TLS/HTTPS certificates into your containers. keywords: diff --git a/autocert/templates/autocert.yaml b/autocert/templates/autocert.yaml index bf30d5a..bbe969d 100644 --- a/autocert/templates/autocert.yaml +++ b/autocert/templates/autocert.yaml @@ -29,6 +29,8 @@ spec: imagePullPolicy: {{ .Values.autocert.image.pullPolicy }} resources: {{- toYaml .Values.autocert.resources | nindent 10 }} + securityContext: + {{- toYaml .Values.autocert.securityContext | nindent 10 }} env: - name: PROVISIONER_NAME value: {{ .Values.ca.provisioner.name | default "admin" }} @@ -47,9 +49,6 @@ spec: - name: autocert-config mountPath: /home/step/autocert readOnly: true - securityContext: - runAsUser: 1000 - allowPrivilegeEscalation: false livenessProbe: initialDelaySeconds: 5 httpGet: @@ -87,3 +86,5 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} diff --git a/autocert/values.yaml b/autocert/values.yaml index 8bed4ee..04887e0 100644 --- a/autocert/values.yaml +++ b/autocert/values.yaml 
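Review bot: Moving the container hardening behind `.Values.autocert.securityContext` (the `@@ -29,6 +29,8` hunk) turns `allowPrivilegeEscalation: false` into a soft default: a user who sets `autocert.securityContext: {}` gets a container with no securityContext at all, and nothing in the template notices. If the chart wants a floor that user values cannot remove, render a merged map instead of the raw value, e.g. `{{- toYaml (merge (dict "allowPrivilegeEscalation" false) (.Values.autocert.securityContext | default dict)) | nindent 10 }}` (sprig `merge` gives precedence to its first argument); otherwise a comment in values.yaml stating that clearing the map drops the hardening would be the minimum. The pod-level `securityContext` appended after the tolerations block renders as `securityContext: {}` with the default `podSecurityContext: {}`, a harmless no-op; both the container spec and the pod spec begin outside these hunks.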
@@ -15,6 +15,10 @@ service: port: 443 targetPort: 4443 +# Security Context for the pod +podSecurityContext: {} + # fsGroup: 2000 + # autocert contains the configuration for autocert. autocert: # image contains the docker image for step-certificates. @@ -42,6 +46,10 @@ autocert: tolerations: [] # affinity contains the affinity settings for pod assignment. affinity: {} + # security context for container + securityContext: + runAsUser: 1000 + allowPrivilegeEscalation: false # bootstrapper contains the autocert-bootstrapper image and configuration. bootstrapper: diff --git a/step-issuer/Chart.yaml b/step-issuer/Chart.yaml index d777a02..620fb2a 100644 --- a/step-issuer/Chart.yaml +++ b/step-issuer/Chart.yaml @@ -1,14 +1,14 @@ apiVersion: v2 name: step-issuer type: application -version: 0.8.0+1 +version: 0.8.0+2 appVersion: 0.8.0 description: Step-issuer helm chart for kubernetes. home: https://smallstep.com dependencies: - name: crds condition: crds.enabled - version: 0.8.0+1 + version: 0.8.0+2 keywords: - authority - ca diff --git a/step-issuer/charts/crds/Chart.yaml b/step-issuer/charts/crds/Chart.yaml index af893d1..2c04a94 100644 --- a/step-issuer/charts/crds/Chart.yaml +++ b/step-issuer/charts/crds/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: crds type: application -version: 0.8.0+1 +version: 0.8.0+2 appVersion: 0.8.0 description: Step-issuer CRDs home: https://smallstep.com diff --git a/step-issuer/templates/deployment.yaml b/step-issuer/templates/deployment.yaml index 22a9426..2f9cf08 100644 --- a/step-issuer/templates/deployment.yaml +++ b/step-issuer/templates/deployment.yaml @@ -35,6 +35,8 @@ spec: ports: - containerPort: {{ .Values.service.port }} name: {{ .Values.service.targetPorts }} + securityContext: + {{- toYaml .Values.kubeRBACproxy.securityContext | nindent 10 }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} name: manager 
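Review bot: The new default container `securityContext` in autocert/values.yaml (`@@ -42,6 +46,10`) sets only `runAsUser: 1000` and `allowPrivilegeEscalation: false`, which does not satisfy the restricted Pod Security Standard: `runAsNonRoot: true`, `capabilities.drop: ["ALL"]` and a `seccompProfile` are missing, so the pod is still rejected in a namespace labelled `pod-security.kubernetes.io/enforce: restricted`. `runAsUser: 1000` on its own also does not fail closed if the image is ever rebuilt with a root `USER`, which `runAsNonRoot: true` would catch at admission. `readOnlyRootFilesystem: true` looks feasible as well since the config mount is `readOnly: true`, but whether the binary writes anywhere else cannot be told from this diff. The `autocert:` map continues outside the hunk.
```yaml
  securityContext:
    # … unchanged: runAsUser: 1000, allowPrivilegeEscalation: false …
    runAsNonRoot: true
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: RuntimeDefault
```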
@@ -48,6 +50,8 @@ spec: {{- end }} ] command: ["/manager"] + securityContext: + {{- toYaml .Values.securityContext | nindent 10 }} {{- if .Values.tunnel.enabled }} env: - name: STEP_TLS_TUNNEL @@ -95,3 +99,5 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} diff --git a/step-issuer/values.yaml b/step-issuer/values.yaml index a8b1d45..06437dd 100644 --- a/step-issuer/values.yaml +++ b/step-issuer/values.yaml @@ -14,7 +14,13 @@ kubeRBACproxy: image: repository: gcr.io/kubebuilder/kube-rbac-proxy pullPolicy: IfNotPresent - tag: v0.8.0 + tag: v0.15.0 + # security context for container + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + # seccompProfile: + # type: RuntimeDefault # List of secret keys used to pull images from private registries. imagePullSecrets: [] @@ -44,6 +50,17 @@ service: scrape: true scrapePort: 8080 +# Security Context for the pod +podSecurityContext: {} + # fsGroup: 2000 + +# security context for container +securityContext: + runAsUser: 1000 + runAsGroup: 1000 + # seccompProfile: + # type: RuntimeDefault + serviceAccount: # Specifies whether a service account should be created create: false From 724fdf8dfa77c14f5af42e814d0c6d8fd99d5cb8 Mon Sep 17 00:00:00 2001 From: Mariano Cano Date: Wed, 3 Jan 2024 12:17:05 -0800 Subject: [PATCH 2/2] Keep helm version on sync with app version --- autocert/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/autocert/Chart.yaml b/autocert/Chart.yaml index 62bfbde..85e6b98 100644 --- a/autocert/Chart.yaml +++ b/autocert/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: autocert -version: 1.18.1 +version: 1.18.0+1 appVersion: 0.18.0 description: A kubernetes add-on that automatically injects TLS/HTTPS certificates into your containers. keywords:
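Review bot: The kube-rbac-proxy tag in step-issuer/values.yaml (`@@ -14,7 +14,13`) jumps from `v0.8.0` to `v0.15.0` inside a commit described as adding security contexts, while the chart version moves only in SemVer build metadata (`0.8.0+1` to `0.8.0+2`), which carries no precedence meaning; a seven-minor-version upgrade of the authorization sidecar deserves its own commit line or changelog entry and a check that the proxy `args` (outside the hunk) are still accepted by the new binary. The new `kubeRBACproxy.securityContext` is also weaker than the autocert default in the same series: it sets `runAsUser`/`runAsGroup` but not `allowPrivilegeEscalation: false`, and leaves `seccompProfile` as a comment. I would add `runAsNonRoot: true` and `allowPrivilegeEscalation: false`, and enable `seccompProfile: {type: RuntimeDefault}` rather than shipping it commented out.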
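Review bot: The top-level `securityContext` (`@@ -44,6 +50,17`) repeats the kube-rbac-proxy block field for field and has the same gaps: no `runAsNonRoot`, no dropped capabilities, seccomp commented out. Because `podSecurityContext` is rendered for the whole pod, `runAsNonRoot` and `seccompProfile` belong there once, covering both containers, leaving only `allowPrivilegeEscalation` and `capabilities` per container. The manager container's full spec is outside this hunk, so whether `/manager` needs any capability retained cannot be confirmed here; dropping all and adding back on failure is the safe default.
```yaml
podSecurityContext:
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault
  # fsGroup: 2000

# security context for container
securityContext:
  # … unchanged: runAsUser: 1000, runAsGroup: 1000 …
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]
```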