From 208d5ede25a6f4ea6906b6d9eb281a3fc3b66b3b Mon Sep 17 00:00:00 2001
From: Niklas
Date: Sat, 30 Mar 2024 17:54:51 +0100
Subject: [PATCH] Add restrictive `securityContext` definitions (#3)

Signed-off-by: nscuro
---
 .../templates/api-server/statefulset.yaml | 9 +++++++++
 .../templates/frontend/deployment.yaml | 17 ++++++++++++++++-
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/charts/dependency-track/templates/api-server/statefulset.yaml b/charts/dependency-track/templates/api-server/statefulset.yaml
index 08a7c75..0fb763f 100644
--- a/charts/dependency-track/templates/api-server/statefulset.yaml
+++ b/charts/dependency-track/templates/api-server/statefulset.yaml
@@ -27,6 +27,15 @@ spec:
 - name: {{ include "dependencytrack.apiServerName" . }}
 image: {{ include "dependencytrack.apiServerImage" . }}
 imagePullPolicy: {{ .Values.apiServer.image.pullPolicy }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
 {{- with .Values.apiServer.command }}
 command: {{ toYaml . | nindent 8 }}
 {{- end }}
diff --git a/charts/dependency-track/templates/frontend/deployment.yaml b/charts/dependency-track/templates/frontend/deployment.yaml
index b27e376..950e70c 100644
--- a/charts/dependency-track/templates/frontend/deployment.yaml
+++ b/charts/dependency-track/templates/frontend/deployment.yaml
@@ -23,6 +23,15 @@ spec:
 - name: {{ include "dependencytrack.frontendName" . }}
 image: {{ include "dependencytrack.frontendImage" . }}
 imagePullPolicy: {{ .Values.frontend.image.pullPolicy }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
 {{- with .Values.frontend.command }}
 command: {{ toYaml . | nindent 8 }}
 {{- end }}
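Review bot: `readOnlyRootFilesystem: true` is added to the API server container in the statefulset hunk, but unlike the frontend hunk in this same patch no writable emptyDir is mounted there (the diffstat shows the nine securityContext lines as the file's only insertions), so any path the API server process writes that is not backed by a declared volume — its /tmp, or its data directory if that is not already on a persistent volume further down the template — will fail with a read-only filesystem error at runtime; the rest of the container spec is outside the hunk, so please confirm which paths are mounted. `runAsNonRoot: true` without a `runAsUser` relies on the image's USER directive, and if either image still defaults to root the kubelet refuses to start the container, so consider adding explicit `runAsUser`/`runAsGroup` values or documenting the image requirement in the chart README. Both hunks also hard-code the whole securityContext; rendering it as `securityContext: {{ toYaml .Values.apiServer.securityContext | nindent 10 }}` (and the frontend equivalent) with these restrictive settings as the defaults in values.yaml keeps the hardening on by default while letting operators adjust it for platforms with different constraints. The same points apply to the frontend deployment hunk in this patch.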
@@ -45,6 +54,9 @@ spec:
 - name: web
 containerPort: 8080
 protocol: TCP
+ volumeMounts:
+ - name: tmp
+ mountPath: /tmp
 livenessProbe:
 httpGet:
 scheme: HTTP
@@ -67,4 +79,7 @@ spec:
 timeoutSeconds: {{ .Values.frontend.probes.readiness.timeoutSeconds }}
 {{- if .Values.apiServer.extraContainers }}
 {{- toYaml .Values.apiServer.extraContainers | nindent 6 }}
- {{- end }}
\ No newline at end of file
+ {{- end }}
+ volumes:
+ - name: tmp
+ emptyDir: { }
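Review bot: The `/tmp` mount added to the frontend container covers only one writable path; with `readOnlyRootFilesystem: true` now set on this container in the earlier hunk, any other location the frontend server writes at runtime (a cache or pid directory is the usual case for web-server images — confirm against the image's configuration) will fail with a read-only filesystem error, so please verify that `/tmp` is the only path written. The new mount also deserves a short comment tying it to its reason, e.g. `# writable scratch space; the root filesystem is read-only`, so a later maintainer does not remove it. The enclosing container definition starts outside this hunk.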
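Review bot: The new `emptyDir: { }` carries no `sizeLimit`, so the only writable path the frontend container now has is bounded solely by the node's ephemeral storage; writing it as `emptyDir:` with a nested `sizeLimit: 64Mi` (value to be chosen for the chart) caps what a misbehaving or compromised process can fill, and `{}` without the inner space is the conventional spelling if no limit is wanted. `volumes:` must sit at the pod-spec level as a sibling of `containers:`; the collapsed indentation here cannot confirm that, and if the template already declares `volumes:` further up (not visible in this hunk) this would be a duplicate key that most YAML parsers resolve silently by last-wins, in which case the entry belongs in the existing list instead. As an aside, the untouched context lines reference `.Values.apiServer.extraContainers` inside the frontend template, which looks like a copy from the api-server template; presumably `.Values.frontend.extraContainers` was intended, but that is outside this change.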