diff --git a/divingbell/templates/daemonset-apparmor.yaml b/divingbell/templates/daemonset-apparmor.yaml
index a39df94..a152d9d 100644
--- a/divingbell/templates/daemonset-apparmor.yaml
+++ b/divingbell/templates/daemonset-apparmor.yaml
@@ -39,6 +39,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 {{ dict "envAll" $envAll "podName" "divingbell-apparmor" "containerNames" (list "apparmor") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
+{{ dict "envAll" $envAll "application" "divingbell" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       hostNetwork: true
       hostPID: true
       hostIPC: true
@@ -47,20 +48,21 @@ spec:
         image: {{ .Values.images.divingbell }}
         imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.apparmor | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
+{{ dict "envAll" $envAll "application" "divingbell" "container" "apparmor" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
         command:
         - /tmp/{{ $daemonset }}.sh
         volumeMounts:
+        - name: pod-tmp
+          mountPath: /tmp
         - name: rootfs-{{ $daemonset }}
           mountPath: {{ .Values.conf.chroot_mnt_path }}
         - name: {{ $secretName }}
           mountPath: /tmp/{{ $daemonset }}.sh
           subPath: {{ $daemonset }}
           readOnly: true
-        securityContext:
-          capabilities:
-            add:
-            - 'MAC_ADMIN'
       volumes:
+      - name: pod-tmp
+        emptyDir: {}
       - name: rootfs-{{ $daemonset }}
         hostPath:
           path: /
diff --git a/divingbell/templates/daemonset-apt.yaml b/divingbell/templates/daemonset-apt.yaml
index 8ca4b01..e230899 100644
--- a/divingbell/templates/daemonset-apt.yaml
+++ b/divingbell/templates/daemonset-apt.yaml
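Review bot: With this container now getting `readOnlyRootFilesystem: true` from values.yaml, anything `/tmp/{{ $daemonset }}.sh` writes outside the new `pod-tmp` mount or the host root mounted at `chroot_mnt_path` will fail with EROFS; the script itself is not in this diff, so confirm it does not write elsewhere in the container (for example under `/var` or `/etc`) before relying on the rollout. The hardening also does not reach the host: `rootfs-{{ $daemonset }}` is a hostPath of `/` mounted without `readOnly`, which is intentional for a host-configuration daemonset but worth stating in the template, e.g. above `- name: pod-tmp`: `# writable scratch for the script; the container rootfs is read-only (pod.security_context in values.yaml), the host root below stays read-write`. The `pod-tmp` emptyDir has no `sizeLimit`, so on every node it is bounded only by ephemeral storage; presumably the script writes little, but `emptyDir: {sizeLimit: ...}` would cap it.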
@@ -39,6 +39,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 {{ dict "envAll" $envAll "podName" "divingbell-apt" "containerNames" (list "apt") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
+{{ dict "envAll" $envAll "application" "divingbell" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       hostNetwork: true
       hostPID: true
       hostIPC: true
@@ -47,18 +48,21 @@ spec:
         image: {{ .Values.images.divingbell }}
         imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.apt | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
+{{ dict "envAll" $envAll "application" "divingbell" "container" "apt" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
         command:
         - /tmp/{{ $daemonset }}.sh
         volumeMounts:
+        - name: pod-tmp
+          mountPath: /tmp
         - name: rootfs-{{ $daemonset }}
           mountPath: {{ .Values.conf.chroot_mnt_path }}
         - name: {{ $secretName }}
           mountPath: /tmp/{{ $daemonset }}.sh
           subPath: {{ $daemonset }}
           readOnly: true
-        securityContext:
-          privileged: true
       volumes:
+      - name: pod-tmp
+        emptyDir: {}
       - name: rootfs-{{ $daemonset }}
         hostPath:
           path: /
diff --git a/divingbell/templates/daemonset-ethtool.yaml b/divingbell/templates/daemonset-ethtool.yaml
index aead688..656b24d 100644
--- a/divingbell/templates/daemonset-ethtool.yaml
+++ b/divingbell/templates/daemonset-ethtool.yaml
@@ -39,6 +39,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 {{ dict "envAll" $envAll "podName" "divingbell-ethtool" "containerNames" (list "ethtool") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
+{{ dict "envAll" $envAll "application" "divingbell" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       hostNetwork: true
       hostPID: true
       hostIPC: true
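Review bot: The `privileged: true` this hunk removes inline comes back from `pod.security_context.divingbell.container.apt` in values.yaml alongside `readOnlyRootFilesystem: true`, and the two do not add up to a sandbox: a privileged process keeps CAP_SYS_ADMIN and can remount its own root filesystem writable, and with the `hostPID: true` this pod sets it can enter the host's namespaces outright. That is presumably the intent for a package-installing daemonset, but someone reading the rendered manifest will see a read-only root and assume containment. Suggest a comment on the new container-security-context snippet line: `# apt runs privileged (values: pod.security_context.divingbell.container.apt); readOnlyRootFilesystem there is hygiene, not a boundary`. The same applies to daemonset-exec.yaml, whose hunk is identical.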
@@ -47,20 +48,21 @@ spec:
         image: {{ .Values.images.divingbell }}
         imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.ethtool | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
+{{ dict "envAll" $envAll "application" "divingbell" "container" "ethtool" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
         command:
         - /tmp/{{ $daemonset }}.sh
         volumeMounts:
+        - name: pod-tmp
+          mountPath: /tmp
         - name: rootfs-{{ $daemonset }}
           mountPath: {{ .Values.conf.chroot_mnt_path }}
         - name: {{ $secretName }}
           mountPath: /tmp/{{ $daemonset }}.sh
           subPath: {{ $daemonset }}
           readOnly: true
-        securityContext:
-          capabilities:
-            add:
-            - 'NET_ADMIN'
       volumes:
+      - name: pod-tmp
+        emptyDir: {}
       - name: rootfs-{{ $daemonset }}
         hostPath:
           path: /
diff --git a/divingbell/templates/daemonset-exec.yaml b/divingbell/templates/daemonset-exec.yaml
index ce7ee06..9d3cddb 100644
--- a/divingbell/templates/daemonset-exec.yaml
+++ b/divingbell/templates/daemonset-exec.yaml
@@ -39,6 +39,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 {{ dict "envAll" $envAll "podName" "divingbell-exec" "containerNames" (list "exec") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
+{{ dict "envAll" $envAll "application" "divingbell" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       hostNetwork: true
       hostPID: true
       hostIPC: true
@@ -47,18 +48,21 @@ spec:
         image: {{ .Values.images.divingbell }}
         imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.exec | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
+{{ dict "envAll" $envAll "application" "divingbell" "container" "exec" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
         command:
         - /tmp/{{ $daemonset }}.sh
         volumeMounts:
+        - name: pod-tmp
+          mountPath: /tmp
         - name: rootfs-{{ $daemonset }}
           mountPath: {{ .Values.conf.chroot_mnt_path }}
         - name: {{ $secretName }}
           mountPath: /tmp/{{ $daemonset }}.sh
           subPath: {{ $daemonset }}
           readOnly: true
-        securityContext:
-          privileged: true
       volumes:
+      - name: pod-tmp
+        emptyDir: {}
       - name: rootfs-{{ $daemonset }}
         hostPath:
           path: /
diff --git a/divingbell/templates/daemonset-limits.yaml b/divingbell/templates/daemonset-limits.yaml
index fb77403..a6713d5 100644
--- a/divingbell/templates/daemonset-limits.yaml
+++ b/divingbell/templates/daemonset-limits.yaml
@@ -39,6 +39,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 {{ dict "envAll" $envAll "podName" "divingbell-limits" "containerNames" (list "limits") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
+{{ dict "envAll" $envAll "application" "divingbell" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       hostNetwork: true
       hostPID: true
       hostIPC: true
@@ -47,9 +48,12 @@ spec:
         image: {{ .Values.images.divingbell }}
         imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.limits | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
+{{ dict "envAll" $envAll "application" "divingbell" "container" "limits" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
         command:
         - /tmp/{{ $daemonset }}.sh
         volumeMounts:
+        - name: pod-tmp
+          mountPath: /tmp
         - name: rootfs-{{ $daemonset }}
           mountPath: {{ .Values.conf.chroot_mnt_path }}
         - name: {{ $secretName }}
@@ -57,6 +61,8 @@ spec:
           subPath: {{ $daemonset }}
           readOnly: true
       volumes:
+      - name: pod-tmp
+        emptyDir: {}
       - name: rootfs-{{ $daemonset }}
         hostPath:
           path: /
diff --git a/divingbell/templates/daemonset-mounts.yaml b/divingbell/templates/daemonset-mounts.yaml
index f6d2156..c69fe2c 100644
--- a/divingbell/templates/daemonset-mounts.yaml
+++ b/divingbell/templates/daemonset-mounts.yaml
@@ -39,6 +39,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 {{ dict "envAll" $envAll "podName" "divingbell-mounts" "containerNames" (list "mounts") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
+{{ dict "envAll" $envAll "application" "divingbell" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       hostNetwork: true
       hostPID: true
       hostIPC: true
@@ -47,9 +48,12 @@ spec:
         image: {{ .Values.images.divingbell }}
         imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.mounts | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
+{{ dict "envAll" $envAll "application" "divingbell" "container" "mounts" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
         command:
         - /tmp/{{ $daemonset }}.sh
         volumeMounts:
+        - name: pod-tmp
+          mountPath: /tmp
         - name: rootfs-{{ $daemonset }}
           mountPath: {{ .Values.conf.chroot_mnt_path }}
         - name: {{ $secretName }}
@@ -57,6 +61,8 @@ spec:
           subPath: {{ $daemonset }}
           readOnly: true
       volumes:
+      - name: pod-tmp
+        emptyDir: {}
       - name: rootfs-{{ $daemonset }}
         hostPath:
           path: /
diff --git a/divingbell/templates/daemonset-perm.yaml b/divingbell/templates/daemonset-perm.yaml
index b064144..aa47d71 100644
--- a/divingbell/templates/daemonset-perm.yaml
+++ b/divingbell/templates/daemonset-perm.yaml
@@ -39,6 +39,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 {{ dict "envAll" $envAll "podName" "divingbell-perm" "containerNames" (list "perm") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
+{{ dict "envAll" $envAll "application" "divingbell" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       hostNetwork: true
       hostPID: true
       hostIPC: true
@@ -47,9 +48,12 @@ spec:
         image: {{ .Values.images.divingbell }}
         imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.perm | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
+{{ dict "envAll" $envAll "application" "divingbell" "container" "perm" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
         command:
         - /tmp/{{ $daemonset }}.sh
         volumeMounts:
+        - name: pod-tmp
+          mountPath: /tmp
         - name: rootfs-{{ $daemonset }}
           mountPath: {{ .Values.conf.chroot_mnt_path }}
         - name: {{ $secretName }}
@@ -57,6 +61,8 @@ spec:
           subPath: {{ $daemonset }}
           readOnly: true
       volumes:
+      - name: pod-tmp
+        emptyDir: {}
       - name: rootfs-{{ $daemonset }}
         hostPath:
           path: /
diff --git a/divingbell/templates/daemonset-sysctl.yaml b/divingbell/templates/daemonset-sysctl.yaml
index 724ed88..98d0241 100644
--- a/divingbell/templates/daemonset-sysctl.yaml
+++ b/divingbell/templates/daemonset-sysctl.yaml
@@ -39,6 +39,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 {{ dict "envAll" $envAll "podName" "divingbell-sysctl" "containerNames" (list "sysctl") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
     spec:
+{{ dict "envAll" $envAll "application" "divingbell" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       hostNetwork: true
       hostPID: true
       hostIPC: true
@@ -47,22 +48,21 @@ spec:
         image: {{ .Values.images.divingbell }}
         imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.sysctl | include "helm-toolkit.snippets.kubernetes_resources" | indent 8 }}
+{{ dict "envAll" $envAll "application" "divingbell" "container" "sysctl" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
         command:
         - /tmp/{{ $daemonset }}.sh
         volumeMounts:
+        - name: pod-tmp
+          mountPath: /tmp
         - name: rootfs-{{ $daemonset }}
           mountPath: {{ .Values.conf.chroot_mnt_path }}
         - name: {{ $secretName }}
           mountPath: /tmp/{{ $daemonset }}.sh
           subPath: {{ $daemonset }}
           readOnly: true
-        securityContext:
-          capabilities:
-            add:
-            - 'SYS_PTRACE'
-            - 'SYS_ADMIN'
-            - 'SYS_RAWIO'
       volumes:
+      - name: pod-tmp
+        emptyDir: {}
       - name: rootfs-{{ $daemonset }}
         hostPath:
           path: /
diff --git a/divingbell/values.yaml b/divingbell/values.yaml
index 6e510c5..d00f8bf 100644
--- a/divingbell/values.yaml
+++ b/divingbell/values.yaml
@@ -116,6 +116,48 @@ pod:
       sysctl: runtime/default
     divingbell-uamlite:
       uamlite: runtime/default
+  security_context:
+    divingbell:
+      pod:
+        runAsUser: 65534
+      container:
+        apt:
+          readOnlyRootFilesystem: true
+          runAsUser: 0
+          privileged: true
+        apparmor:
+          capabilities:
+            add:
+            - 'MAC_ADMIN'
+          readOnlyRootFilesystem: true
+          runAsUser : 0
+        ethtool:
+          capabilities:
+            add:
+            - 'NET_ADMIN'
+          readOnlyRootFilesystem: true
+          runAsUser : 0
+        exec:
+          readOnlyRootFilesystem: true
+          runAsUser: 0
+          privileged: true
+        limits:
+          readOnlyRootFilesystem: true
+          runAsUser: 0
+        mounts:
+          readOnlyRootFilesystem: true
+          runAsUser: 0
+        perm:
+          readOnlyRootFilesystem: true
+          runAsUser: 0
+        sysctl:
+          capabilities:
+            add:
+            - 'SYS_PTRACE'
+            - 'SYS_ADMIN'
+            - 'SYS_RAWIO'
+          readOnlyRootFilesystem: true
+          runAsUser: 0
   lifecycle:
     upgrades:
       daemonsets:
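Review bot: The `apparmor` and `ethtool` entries are written `runAsUser : 0` with a space before the colon, unlike the six sibling entries; YAML still reads the key as `runAsUser`, but yamllint's `colons` rule flags it and the inconsistency invites a copy-paste mismatch, so change both to `runAsUser: 0`. The capability entries only `add`; with no `drop`, apparmor, ethtool and sysctl keep the runtime's default capability set on top of MAC_ADMIN, NET_ADMIN or SYS_ADMIN, so pairing each `add` with `drop:` / `- 'ALL'` would make the per-daemonset least-privilege intent real, provided the scripts (not in this diff) still work with the reduced set. The pod-level `runAsUser: 65534` is overridden by every container's `runAsUser: 0`, so a comment such as `# default for containers that set nothing; every divingbell container below runs as root` would keep a reader from concluding these pods run unprivileged. `divingbell-uamlite` appears in the mandatory_access_control context just above but has no `container` entry here; presumably deliberate since its template is not touched, but confirm it is not meant to get the same treatment.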