From fa110bf9caad8e0afb1be794db632282cf77b0e8 Mon Sep 17 00:00:00 2001
From: TrueCharts-Bot
Date: Mon, 4 Apr 2022 20:18:38 +0000
Subject: [PATCH] Commit new App releases for TrueCharts
Signed-off-by: TrueCharts-Bot
---
 .../{3.0.11 => 3.0.12}/CHANGELOG.md | 18 +++++++++---------
 .../code-server/{3.0.11 => 3.0.12}/CONFIG.md | 0
 .../code-server/{3.0.11 => 3.0.12}/Chart.lock | 2 +-
 .../code-server/{3.0.11 => 3.0.12}/Chart.yaml | 2 +-
 .../code-server/{3.0.11 => 3.0.12}/README.md | 0
 .../{3.0.11 => 3.0.12}/app-readme.md | 0
 .../charts/common-9.2.7.tgz | Bin
 .../{3.0.11 => 3.0.12}/helm-values.md | 3 +++
 .../{3.0.11 => 3.0.12}/ix_values.yaml | 5 +++++
 .../{3.0.11 => 3.0.12}/questions.yaml | 4 ++--
 .../{3.0.11 => 3.0.12}/security.md | 5 +++++
 .../{3.0.11 => 3.0.12}/templates/common.yaml | 0
 .../{3.0.11 => 3.0.12}/values.yaml | 0
 13 files changed, 26 insertions(+), 13 deletions(-)
 rename stable/code-server/{3.0.11 => 3.0.12}/CHANGELOG.md (88%)
 rename stable/code-server/{3.0.11 => 3.0.12}/CONFIG.md (100%)
 rename stable/code-server/{3.0.11 => 3.0.12}/Chart.lock (80%)
 rename stable/code-server/{3.0.11 => 3.0.12}/Chart.yaml (97%)
 rename stable/code-server/{3.0.11 => 3.0.12}/README.md (100%)
 rename stable/code-server/{3.0.11 => 3.0.12}/app-readme.md (100%)
 rename stable/code-server/{3.0.11 => 3.0.12}/charts/common-9.2.7.tgz (100%)
 rename stable/code-server/{3.0.11 => 3.0.12}/helm-values.md (90%)
 rename stable/code-server/{3.0.11 => 3.0.12}/ix_values.yaml (87%)
 rename stable/code-server/{3.0.11 => 3.0.12}/questions.yaml (99%)
 rename stable/code-server/{3.0.11 => 3.0.12}/security.md (99%)
 rename stable/code-server/{3.0.11 => 3.0.12}/templates/common.yaml (100%)
 rename stable/code-server/{3.0.11 => 3.0.12}/values.yaml (100%)
diff --git a/stable/code-server/3.0.11/CHANGELOG.md b/stable/code-server/3.0.12/CHANGELOG.md
similarity index 88%
rename from stable/code-server/3.0.11/CHANGELOG.md
rename to stable/code-server/3.0.12/CHANGELOG.md
index 3d97c9cf493..7e34292a6ef 100644
--- a/stable/code-server/3.0.11/CHANGELOG.md
+++ b/stable/code-server/3.0.12/CHANGELOG.md
@@ -1,6 +1,15 @@
 # Changelog
+
+### [code-server-3.0.12](https://github.com/truecharts/apps/compare/code-server-3.0.11...code-server-3.0.12) (2022-04-04)
+
+#### Fix
+
+* correctly set the run-as-root things ([#2425](https://github.com/truecharts/apps/issues/2425))
+
+
+
 ### [code-server-3.0.11](https://github.com/truecharts/apps/compare/openvscode-server-1.0.10...code-server-3.0.11) (2022-04-03)
@@ -88,12 +97,3 @@
 * update helm general non-major helm releases ([#1999](https://github.com/truecharts/apps/issues/1999))
-
-
-### [code-server-2.1.28](https://github.com/truecharts/apps/compare/openvscode-server-0.0.27...code-server-2.1.28) (2022-02-28)
-
-#### Chore
-
-* rename `web_portal` to `open` ([#1957](https://github.com/truecharts/apps/issues/1957))
-* update docker general non-major ([#1980](https://github.com/truecharts/apps/issues/1980))
-
diff --git a/stable/code-server/3.0.11/CONFIG.md b/stable/code-server/3.0.12/CONFIG.md
similarity index 100%
rename from stable/code-server/3.0.11/CONFIG.md
rename to stable/code-server/3.0.12/CONFIG.md
diff --git a/stable/code-server/3.0.11/Chart.lock b/stable/code-server/3.0.12/Chart.lock
similarity index 80%
rename from stable/code-server/3.0.11/Chart.lock
rename to stable/code-server/3.0.12/Chart.lock
index 1f2f2793d38..b7ddcd97a1d 100644
--- a/stable/code-server/3.0.11/Chart.lock
+++ b/stable/code-server/3.0.12/Chart.lock
@@ -3,4 +3,4 @@ dependencies:
 repository: https://library-charts.truecharts.org
 version: 9.2.7
 digest: sha256:927fec2499d55b3de8a7522d936aaf4f21f668370deb33239fb06f12051ff5b1
-generated: "2022-04-03T15:54:16.360335891Z"
+generated: "2022-04-04T20:13:12.318829193Z"
diff --git a/stable/code-server/3.0.11/Chart.yaml b/stable/code-server/3.0.12/Chart.yaml
similarity index 97%
rename from stable/code-server/3.0.11/Chart.yaml
rename to stable/code-server/3.0.12/Chart.yaml
index 70b7fb66efc..fb292412315 100644
--- a/stable/code-server/3.0.11/Chart.yaml
+++ b/stable/code-server/3.0.12/Chart.yaml
@@ -21,7 +21,7 @@ name: code-server
 sources:
 - https://github.com/cdr/code-server
 type: application
-version: 3.0.11
+version: 3.0.12
 annotations:
 truecharts.org/catagories: |
 - media
diff --git a/stable/code-server/3.0.11/README.md b/stable/code-server/3.0.12/README.md
similarity index 100%
rename from stable/code-server/3.0.11/README.md
rename to stable/code-server/3.0.12/README.md
diff --git a/stable/code-server/3.0.11/app-readme.md b/stable/code-server/3.0.12/app-readme.md
similarity index 100%
rename from stable/code-server/3.0.11/app-readme.md
rename to stable/code-server/3.0.12/app-readme.md
diff --git a/stable/code-server/3.0.11/charts/common-9.2.7.tgz b/stable/code-server/3.0.12/charts/common-9.2.7.tgz
similarity index 100%
rename from stable/code-server/3.0.11/charts/common-9.2.7.tgz
rename to stable/code-server/3.0.12/charts/common-9.2.7.tgz
diff --git a/stable/code-server/3.0.11/helm-values.md b/stable/code-server/3.0.12/helm-values.md
similarity index 90%
rename from stable/code-server/3.0.11/helm-values.md
rename to stable/code-server/3.0.12/helm-values.md
index af5ae436f17..1b4e3e5d1e5 100644
--- a/stable/code-server/3.0.11/helm-values.md
+++ b/stable/code-server/3.0.12/helm-values.md
@@ -21,8 +21,11 @@ You will, however, be able to use all values referenced in the common chart here
 | image.tag | string | `"v4.2.0@sha256:82e2d802e59b26954096529aa08e83bebd2004da664fee9ab6c911e4f5ab6c48"` | |
 | persistence.config.enabled | bool | `true` | |
 | persistence.config.mountPath | string | `"/config"` | |
+| podSecurityContext.runAsGroup | int | `0` | |
+| podSecurityContext.runAsUser | int | `0` | |
 | securityContext.allowPrivilegeEscalation | bool | `true` | |
 | securityContext.readOnlyRootFilesystem | bool | `false` | |
+| securityContext.runAsNonRoot | bool | `false` | |
 | service.main.ports.main.port | int | `10063` | |
 | service.main.ports.main.targetPort | int | `8080` | |
diff --git a/stable/code-server/3.0.11/ix_values.yaml b/stable/code-server/3.0.12/ix_values.yaml
similarity index 87%
rename from stable/code-server/3.0.11/ix_values.yaml
rename to stable/code-server/3.0.12/ix_values.yaml
index a61846e1274..4b73bc242d8 100644
--- a/stable/code-server/3.0.11/ix_values.yaml
+++ b/stable/code-server/3.0.12/ix_values.yaml
@@ -15,6 +15,11 @@ env: {}
 securityContext:
 readOnlyRootFilesystem: false
 allowPrivilegeEscalation: true
+ runAsNonRoot: false
+
+podSecurityContext:
+ runAsUser: 0
+ runAsGroup: 0
 service:
 main:
diff --git a/stable/code-server/3.0.11/questions.yaml b/stable/code-server/3.0.12/questions.yaml
similarity index 99%
rename from stable/code-server/3.0.11/questions.yaml
rename to stable/code-server/3.0.12/questions.yaml
index f1976c62704..b7167a62bc8 100644
--- a/stable/code-server/3.0.11/questions.yaml
+++ b/stable/code-server/3.0.12/questions.yaml
@@ -1464,12 +1464,12 @@ questions:
 label: "Allow Privilege Escalation"
 schema:
 type: boolean
- default: false
+ default: true
 - variable: runAsNonRoot
 label: "runAsNonRoot"
 schema:
 type: boolean
- default: false
+ default: true
 - variable: capabilities
 label: "Capabilities"
 schema:
diff --git a/stable/code-server/3.0.11/security.md b/stable/code-server/3.0.12/security.md
similarity index 99%
rename from stable/code-server/3.0.11/security.md
rename to stable/code-server/3.0.12/security.md
index 29279b570cf..785283b42f7 100644
--- a/stable/code-server/3.0.11/security.md
+++ b/stable/code-server/3.0.12/security.md
@@ -22,6 +22,7 @@ hide: | Kubernetes Security Check | KSV003 | Default capabilities not dropped | LOW |
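Review bot: The added `podSecurityContext` (`runAsUser: 0`, `runAsGroup: 0`) and `runAsNonRoot: false` in ix_values.yaml make the main container run as root without saying why, and they sit next to the unchanged `allowPrivilegeEscalation: true` and `readOnlyRootFilesystem: false`. For a chart whose workload is a browser-reachable editor, whoever reaches the service operates as UID 0 inside the container; the security.md section of this same commit records the resulting KSV012 finding for the main container, and KSV003 (default capabilities not dropped) is still listed. I would add a comment above the block such as `# runs as root because <reason to be filled in by the maintainer>` and, if the image tolerates it, set an explicit capabilities drop list instead of keeping the defaults.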
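Review bot: The new `default: true` for `runAsNonRoot` in questions.yaml looks inconsistent with the ix_values.yaml hunk of this commit, which sets `runAsNonRoot: false` together with `runAsUser: 0`. If the form default ends up on the same container spec as UID 0, the kubelet refuses to start the container, so either this default should stay `default: false` for this app or a comment should say which value wins; how the two files are merged is not visible here. The `Allow Privilege Escalation` default also flips to `default: true` with no stated reason, which makes the weaker setting what a user gets without touching the form. The enclosing question definitions start and end outside the hunk.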
Expand... The container should drop all default capabilities and add only those that are needed for its execution.


Container 'RELEASE-NAME-code-server' of Deployment 'RELEASE-NAME-code-server' should add 'ALL' to 'securityContext.capabilities.drop'
|
Expand...https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
https://avd.aquasec.com/appshield/ksv003
| | Kubernetes Security Check | KSV003 | Default capabilities not dropped | LOW |
Expand... The container should drop all default capabilities and add only those that are needed for its execution.


Container 'hostpatch' of Deployment 'RELEASE-NAME-code-server' should add 'ALL' to 'securityContext.capabilities.drop'
|
Expand...https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
https://avd.aquasec.com/appshield/ksv003
| | Kubernetes Security Check | KSV011 | CPU not limited | LOW |
Expand... Enforcing CPU limits prevents DoS via resource exhaustion.


Container 'hostpatch' of Deployment 'RELEASE-NAME-code-server' should set 'resources.limits.cpu'
|
Expand...https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits
https://avd.aquasec.com/appshield/ksv011
| +| Kubernetes Security Check | KSV012 | Runs as root user | MEDIUM |
Expand... 'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.


Container 'RELEASE-NAME-code-server' of Deployment 'RELEASE-NAME-code-server' should set 'securityContext.runAsNonRoot' to true
|
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv012
| | Kubernetes Security Check | KSV012 | Runs as root user | MEDIUM |
Expand... 'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.


Container 'autopermissions' of Deployment 'RELEASE-NAME-code-server' should set 'securityContext.runAsNonRoot' to true
|
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv012
| | Kubernetes Security Check | KSV012 | Runs as root user | MEDIUM |
Expand... 'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.


Container 'hostpatch' of Deployment 'RELEASE-NAME-code-server' should set 'securityContext.runAsNonRoot' to true
|
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv012
| | Kubernetes Security Check | KSV014 | Root file system is not read-only | LOW |
Expand... An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.


Container 'RELEASE-NAME-code-server' of Deployment 'RELEASE-NAME-code-server' should set 'securityContext.readOnlyRootFilesystem' to true
|
Expand...https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/
https://avd.aquasec.com/appshield/ksv014
| @@ -59,6 +60,8 @@ hide: | Package | Vulnerability | Severity | Installed Version | Fixed Version | Links | |:----------------|:------------------:|:-----------:|:------------------:|:-------------:|-----------------------------------------| +| busybox | CVE-2022-28391 | UNKNOWN | 1.34.1-r4 | 1.34.1-r5 |
Expand...https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661
| +| ssl_client | CVE-2022-28391 | UNKNOWN | 1.34.1-r4 | 1.34.1-r5 |
Expand...https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661
| | zlib | CVE-2018-25032 | HIGH | 1.2.11-r3 | 1.2.12-r0 |
Expand...http://www.openwall.com/lists/oss-security/2022/03/25/2
http://www.openwall.com/lists/oss-security/2022/03/26/1
https://access.redhat.com/security/cve/CVE-2018-25032
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25032
https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531
https://github.com/madler/zlib/compare/v1.2.11...v1.2.12
https://github.com/madler/zlib/issues/605
https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html
https://nvd.nist.gov/vuln/detail/CVE-2018-25032
https://ubuntu.com/security/notices/USN-5355-1
https://ubuntu.com/security/notices/USN-5355-2
https://ubuntu.com/security/notices/USN-5359-1
https://www.debian.org/security/2022/dsa-5111
https://www.openwall.com/lists/oss-security/2022/03/24/1
https://www.openwall.com/lists/oss-security/2022/03/28/1
https://www.openwall.com/lists/oss-security/2022/03/28/3
| @@ -70,6 +73,8 @@ hide: | Package | Vulnerability | Severity | Installed Version | Fixed Version | Links | |:----------------|:------------------:|:-----------:|:------------------:|:-------------:|-----------------------------------------| +| busybox | CVE-2022-28391 | UNKNOWN | 1.34.1-r4 | 1.34.1-r5 |
Expand...https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661
| +| ssl_client | CVE-2022-28391 | UNKNOWN | 1.34.1-r4 | 1.34.1-r5 |
Expand...https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661
| | zlib | CVE-2018-25032 | HIGH | 1.2.11-r3 | 1.2.12-r0 |
Expand...http://www.openwall.com/lists/oss-security/2022/03/25/2
http://www.openwall.com/lists/oss-security/2022/03/26/1
https://access.redhat.com/security/cve/CVE-2018-25032
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25032
https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531
https://github.com/madler/zlib/compare/v1.2.11...v1.2.12
https://github.com/madler/zlib/issues/605
https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html
https://nvd.nist.gov/vuln/detail/CVE-2018-25032
https://ubuntu.com/security/notices/USN-5355-1
https://ubuntu.com/security/notices/USN-5355-2
https://ubuntu.com/security/notices/USN-5359-1
https://www.debian.org/security/2022/dsa-5111
https://www.openwall.com/lists/oss-security/2022/03/24/1
https://www.openwall.com/lists/oss-security/2022/03/28/1
https://www.openwall.com/lists/oss-security/2022/03/28/3
|
diff --git a/stable/code-server/3.0.11/templates/common.yaml b/stable/code-server/3.0.12/templates/common.yaml
similarity index 100%
rename from stable/code-server/3.0.11/templates/common.yaml
rename to stable/code-server/3.0.12/templates/common.yaml
diff --git a/stable/code-server/3.0.11/values.yaml b/stable/code-server/3.0.12/values.yaml
similarity index 100%
rename from stable/code-server/3.0.11/values.yaml
rename to stable/code-server/3.0.12/values.yaml