diff --git a/charts/dependency-track/templates/api-server/statefulset.yaml b/charts/dependency-track/templates/api-server/statefulset.yaml
index 08a7c75..0fb763f 100644
--- a/charts/dependency-track/templates/api-server/statefulset.yaml
+++ b/charts/dependency-track/templates/api-server/statefulset.yaml
@@ -27,6 +27,15 @@ spec:
 - name: {{ include "dependencytrack.apiServerName" . }}
 image: {{ include "dependencytrack.apiServerImage" . }}
 imagePullPolicy: {{ .Values.apiServer.image.pullPolicy }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
 {{- with .Values.apiServer.command }}
 command: {{ toYaml . | nindent 8 }}
 {{- end }}
diff --git a/charts/dependency-track/templates/frontend/deployment.yaml b/charts/dependency-track/templates/frontend/deployment.yaml
index b27e376..950e70c 100644
--- a/charts/dependency-track/templates/frontend/deployment.yaml
+++ b/charts/dependency-track/templates/frontend/deployment.yaml
@@ -23,6 +23,15 @@ spec:
 - name: {{ include "dependencytrack.frontendName" . }}
 image: {{ include "dependencytrack.frontendImage" . }}
 imagePullPolicy: {{ .Values.frontend.image.pullPolicy }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
 {{- with .Values.frontend.command }}
 command: {{ toYaml . | nindent 8 }}
 {{- end }}
@@ -45,6 +54,9 @@ spec:
 - name: web
 containerPort: 8080
 protocol: TCP
+ volumeMounts:
+ - name: tmp
+ mountPath: /tmp
 livenessProbe:
 httpGet:
 scheme: HTTP
@@ -67,4 +79,7 @@ spec:
 timeoutSeconds: {{ .Values.frontend.probes.readiness.timeoutSeconds }}
 {{- if .Values.apiServer.extraContainers }}
 {{- toYaml .Values.apiServer.extraContainers | nindent 6 }}
- {{- end }}
\ No newline at end of file
+ {{- end }}
+ volumes:
+ - name: tmp
+ emptyDir: { }
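Review bot: The container `securityContext` added to the api-server StatefulSet (and identically to the frontend Deployment in the second hunk) is hard-coded in the template, so a chart user whose image needs a different setting has no values-level override and must fork the template; the rest of this container block (`command`, `extraContainers`) is already values-driven. Rendering it the same way, `securityContext: {{- toYaml .Values.apiServer.securityContext | nindent 10 }}` with the hardened block as the default in values.yaml (the indent follows the `nindent 8` used for `command`, so confirm against the rendered manifest), keeps the secure default while staying configurable. `runAsNonRoot: true` without a `runAsUser` relies on the image declaring a numeric USER; if it declares a user name instead, the kubelet refuses to start the container, so a numeric `runAsUser` default in values would make the setting robust to image changes. This hunk also sets `readOnlyRootFilesystem: true` for the api-server without adding a writable scratch volume, whereas the frontend gets a `/tmp` emptyDir in the later hunks; unless the StatefulSet's existing volumes (outside this hunk) cover every path the server writes, including `/tmp`, the pod will fail at startup. The container definition continues outside the hunk.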
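Review bot: With `readOnlyRootFilesystem: true` now set on the frontend container, the `/tmp` mount added here is the only writable path, and whether that is sufficient depends on the frontend image, which this hunk does not show; if the image writes elsewhere (cache, pid or config-substitution directories are common for web-server images) it needs a matching emptyDir mount or it will fail at startup, so this should be verified against a rendered deployment rather than assumed. The `volumeMounts` list is also emitted unconditionally, so if the chart exposes an extra-volume-mounts value anywhere (not visible here) it now has to be merged into this list rather than rendered as its own `volumeMounts` key, which would be a duplicate-key error. A short comment above the block, `# scratch space required because the root filesystem is read-only`, would record why the mount exists.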
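Review bot: The `tmp` emptyDir added at the end of the pod spec has no size limit, and because the root filesystem is now read-only it is the one place the container can fill, so bounding it protects the node's disk: `emptyDir:` / `sizeLimit: <limit>` (value to be chosen for the frontend's needs). `emptyDir: { }` should also be written as `emptyDir: {}`, the conventional spelling. Separately, the context line `{{- if .Values.apiServer.extraContainers }}` in this frontend template reads the api-server's value rather than `.Values.frontend.extraContainers`; the commit touches the adjacent `{{- end }}` line but leaves that, and it looks like a copy-paste worth confirming against values.yaml since extra containers would be injected into the wrong workload.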