security(Apps): Improve Snyk hardening advisory (#1208)

* Harden postgresql by removing the migration initcontainer

* Harden initcontainers

* Harden serviceaccounts and RBAC

* hmm

* fix

charts/library/common-test/Chart.yaml

@@ -22,4 +22,4 @@ name: common-test
 sources:
 - https://github.com/truecharts/apps/tree/master/charts/library/common-test
 type: application
-version: 3.2.0
+version: 3.3.0

charts/library/common-test/ci/rbac-values.yaml

@@ -0,0 +1,64 @@
+image:
+  repository: traefik/whoami
+  pullPolicy: IfNotPresent
+  tag: v1.6.1@sha256:2c52bb2c848038a33e40415c300b655d7976bafaf033ecf4a6679cb9e1715917
+
+service:
+  main:
+    ports:
+      main:
+        port: 8080
+
+args:
+  - --port
+  - '8080'
+
+rbac:
+  enabled: true
+  rules:
+    - apiGroups:
+        - ""
+      resources:
+        - services
+        - endpoints
+        - secrets
+      verbs:
+        - get
+        - list
+        - watch
+    - apiGroups:
+        - extensions
+        - networking.k8s.io
+      resources:
+        - ingresses
+        - ingressclasses
+      verbs:
+        - get
+        - list
+        - watch
+    - apiGroups:
+        - extensions
+        - networking.k8s.io
+      resources:
+        - ingresses/status
+      verbs:
+        - update
+    - apiGroups:
+        - traefik.containo.us
+      resources:
+        - ingressroutes
+        - ingressroutetcps
+        - ingressrouteudps
+        - middlewares
+        - middlewaretcps
+        - tlsoptions
+        - tlsstores
+        - traefikservices
+        - serverstransports
+      verbs:
+        - get
+        - list
+        - watch
+
+serviceAccount:
+  create: true

charts/library/common/templates/_postSetup.tpl

@@ -25,9 +25,7 @@ Secondary entrypoint and primary loader for the common chart
   {{- /* Build the templates */ -}}
   {{- include "common.pvc" . }}
 
-  {{- if .Values.serviceAccount.create -}}
-    {{- include "common.serviceAccount" . }}
-  {{- end -}}
+  {{- include "common.serviceAccount" . }}
 
   {{- if .Values.controller.enabled }}
     {{- if eq .Values.controller.type "deployment" }}

charts/library/common/templates/_rbac.tpl

@@ -42,7 +42,6 @@ roleRef:
   kind: ClusterRole
   name: {{ include "common.names.fullname" . }}
 subjects:
-  {{- if .Values.serviceAccount }}
   - kind: ServiceAccount
     name: {{ include "common.names.serviceAccountName" . }}
     namespace: {{ .Release.Namespace }}
@@ -50,5 +49,4 @@ subjects:
   {{- with .Values.rbac.subjects }}
   {{- toYaml . | nindent 2 }}
   {{- end }}
-{{- end }}
 {{- end -}}

charts/library/common/templates/_serviceaccount.tpl

@@ -2,11 +2,12 @@
 The ServiceAccount object to be created.
 */}}
 {{- define "common.serviceAccount" }}
+{{- if .Values.serviceAccount.create }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ include "common.names.serviceAccountName" . }}
+  name: {{ default (include "common.names.fullname" .) .Values.serviceAccount.name }}
   labels:
     {{- include "common.labels" . | nindent 4 }}
   {{- with .Values.serviceAccount.annotations }}
@@ -14,3 +15,4 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 {{- end }}
+{{- end }}

charts/library/common/templates/lib/controller/_autopermissions.yaml

@@ -15,10 +15,15 @@ before chart installation.
   image: {{ .Values.alpineImage.repository }}:{{ .Values.alpineImage.tag }}
   securityContext:
     runAsUser: 0
-    runAsGroup: 0
-    privileged: true
-    allowPrivilegeEscalation: true
-    runAsNonRoot: false
+    privileged: false
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - ALL
+  resources:
+  {{- with .Values.resources }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
   command:
     - "/bin/sh"
     - "-c"

charts/library/common/templates/lib/dependencies/_postgresInit.tpl

@@ -6,6 +6,14 @@ This template ensures pods with postgresql dependency have a delayed start
 {{- if .Values.postgresql.enabled }}
 - name: postgresql-init
   image: "{{ .Values.postgresqlImage.repository}}:{{ .Values.postgresqlImage.tag }}"
+  securityContext:
+    capabilities:
+      drop:
+        - ALL
+  resources:
+  {{- with .Values.resources }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
   command:
     - "sh"
     - "-c"

charts/stable/postgresql/Chart.yaml

@@ -25,7 +25,7 @@ name: postgresql
 sources:
 - https://www.postgresql.org/
 type: application
-version: 3.0.22
+version: 4.0.0
 annotations:
   truecharts.org/catagories: |
     - database

charts/stable/postgresql/values.yaml

@@ -16,30 +16,6 @@ service:
 ## TODO: Fix the backup-on-upgrade system
 enableUpgradeBackup: false
 
-initContainers:
-  migrate-db:
-    image: "{{ .Values.alpineImage.repository}}:{{ .Values.alpineImage.tag }}"
-    securityContext:
-      runAsUser: 0
-      privileged: true
-
-      runAsNonRoot: false
-    command:
-      - /bin/sh
-      - -cx
-      - |
-        echo 'trying to migrate old db to new location...'
-        mkdir -p /bitnami/postgresql/data
-        mv -f /bitnami/postgresql/old/* /bitnami/postgresql/data/ || true
-        chown -R {{ .Values.podSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} /bitnami/postgresql/data
-        chmod 775 /bitnami/postgresql/data
-    imagePullPolicy: IfNotPresent
-    volumeMounts:
-      - name: db
-        mountPath: /bitnami/postgresql/old
-      - name: data
-        mountPath: /bitnami/postgresql
-
 podSecurityContext:
   runAsGroup: 0
 

charts/stable/traefik/values.yaml

@@ -262,10 +262,7 @@ rbac:
 
 # -- The service account the pods will use to interact with the Kubernetes API
 serviceAccount:
-  enabled: true
-  # If set, an existing service account is used
-  # If not set, a service account is created automatically using the fullname template
-  name: ""
+  create: true
 
 # -- SCALE Middleware Handlers
 middlewares: