security(Apps): Improve Snyk hardening advisory (#1208)
* Harden postgresql by removing the migration initcontainer * Harden initcontainers * Harden serviceaccounts and RBAC * hmm * fix
This commit is contained in:
parent
83bc75ccf6
commit
834479f0db
|
@ -22,4 +22,4 @@ name: common-test
|
|||
sources:
|
||||
- https://github.com/truecharts/apps/tree/master/charts/library/common-test
|
||||
type: application
|
||||
version: 3.2.0
|
||||
version: 3.3.0
|
||||
|
|
|
@ -0,0 +1,64 @@
|
|||
image:
|
||||
repository: traefik/whoami
|
||||
pullPolicy: IfNotPresent
|
||||
tag: v1.6.1@sha256:2c52bb2c848038a33e40415c300b655d7976bafaf033ecf4a6679cb9e1715917
|
||||
|
||||
service:
|
||||
main:
|
||||
ports:
|
||||
main:
|
||||
port: 8080
|
||||
|
||||
args:
|
||||
- --port
|
||||
- '8080'
|
||||
|
||||
rbac:
|
||||
enabled: true
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- services
|
||||
- endpoints
|
||||
- secrets
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- extensions
|
||||
- networking.k8s.io
|
||||
resources:
|
||||
- ingresses
|
||||
- ingressclasses
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- extensions
|
||||
- networking.k8s.io
|
||||
resources:
|
||||
- ingresses/status
|
||||
verbs:
|
||||
- update
|
||||
- apiGroups:
|
||||
- traefik.containo.us
|
||||
resources:
|
||||
- ingressroutes
|
||||
- ingressroutetcps
|
||||
- ingressrouteudps
|
||||
- middlewares
|
||||
- middlewaretcps
|
||||
- tlsoptions
|
||||
- tlsstores
|
||||
- traefikservices
|
||||
- serverstransports
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
|
||||
serviceAccount:
|
||||
create: true
|
|
@ -25,9 +25,7 @@ Secondary entrypoint and primary loader for the common chart
|
|||
{{- /* Build the templates */ -}}
|
||||
{{- include "common.pvc" . }}
|
||||
|
||||
{{- if .Values.serviceAccount.create -}}
|
||||
{{- include "common.serviceAccount" . }}
|
||||
{{- end -}}
|
||||
{{- include "common.serviceAccount" . }}
|
||||
|
||||
{{- if .Values.controller.enabled }}
|
||||
{{- if eq .Values.controller.type "deployment" }}
|
||||
|
|
|
@ -42,7 +42,6 @@ roleRef:
|
|||
kind: ClusterRole
|
||||
name: {{ include "common.names.fullname" . }}
|
||||
subjects:
|
||||
{{- if .Values.serviceAccount }}
|
||||
- kind: ServiceAccount
|
||||
name: {{ include "common.names.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
|
@ -50,5 +49,4 @@ subjects:
|
|||
{{- with .Values.rbac.subjects }}
|
||||
{{- toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
|
|
@ -2,11 +2,12 @@
|
|||
The ServiceAccount object to be created.
|
||||
*/}}
|
||||
{{- define "common.serviceAccount" }}
|
||||
{{- if .Values.serviceAccount.create }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ include "common.names.serviceAccountName" . }}
|
||||
name: {{ default (include "common.names.fullname" .) .Values.serviceAccount.name }}
|
||||
labels:
|
||||
{{- include "common.labels" . | nindent 4 }}
|
||||
{{- with .Values.serviceAccount.annotations }}
|
||||
|
@ -14,3 +15,4 @@ metadata:
|
|||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
|
@ -15,10 +15,15 @@ before chart installation.
|
|||
image: {{ .Values.alpineImage.repository }}:{{ .Values.alpineImage.tag }}
|
||||
securityContext:
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
privileged: true
|
||||
allowPrivilegeEscalation: true
|
||||
runAsNonRoot: false
|
||||
privileged: false
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
resources:
|
||||
{{- with .Values.resources }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
command:
|
||||
- "/bin/sh"
|
||||
- "-c"
|
||||
|
|
|
@ -6,6 +6,14 @@ This template ensures pods with postgresql dependency have a delayed start
|
|||
{{- if .Values.postgresql.enabled }}
|
||||
- name: postgresql-init
|
||||
image: "{{ .Values.postgresqlImage.repository}}:{{ .Values.postgresqlImage.tag }}"
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
resources:
|
||||
{{- with .Values.resources }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
command:
|
||||
- "sh"
|
||||
- "-c"
|
||||
|
|
|
@ -25,7 +25,7 @@ name: postgresql
|
|||
sources:
|
||||
- https://www.postgresql.org/
|
||||
type: application
|
||||
version: 3.0.22
|
||||
version: 4.0.0
|
||||
annotations:
|
||||
truecharts.org/catagories: |
|
||||
- database
|
||||
|
|
|
@ -16,30 +16,6 @@ service:
|
|||
## TODO: Fix the backup-on-upgrade system
|
||||
enableUpgradeBackup: false
|
||||
|
||||
initContainers:
|
||||
migrate-db:
|
||||
image: "{{ .Values.alpineImage.repository}}:{{ .Values.alpineImage.tag }}"
|
||||
securityContext:
|
||||
runAsUser: 0
|
||||
privileged: true
|
||||
|
||||
runAsNonRoot: false
|
||||
command:
|
||||
- /bin/sh
|
||||
- -cx
|
||||
- |
|
||||
echo 'trying to migrate old db to new location...'
|
||||
mkdir -p /bitnami/postgresql/data
|
||||
mv -f /bitnami/postgresql/old/* /bitnami/postgresql/data/ || true
|
||||
chown -R {{ .Values.podSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} /bitnami/postgresql/data
|
||||
chmod 775 /bitnami/postgresql/data
|
||||
imagePullPolicy: IfNotPresent
|
||||
volumeMounts:
|
||||
- name: db
|
||||
mountPath: /bitnami/postgresql/old
|
||||
- name: data
|
||||
mountPath: /bitnami/postgresql
|
||||
|
||||
podSecurityContext:
|
||||
runAsGroup: 0
|
||||
|
||||
|
|
|
@ -262,10 +262,7 @@ rbac:
|
|||
|
||||
# -- The service account the pods will use to interact with the Kubernetes API
|
||||
serviceAccount:
|
||||
enabled: true
|
||||
# If set, an existing service account is used
|
||||
# If not set, a service account is created automatically using the fullname template
|
||||
name: ""
|
||||
create: true
|
||||
|
||||
# -- SCALE Middleware Handlers
|
||||
middlewares:
|
||||
|
|
Loading…
Reference in New Issue