Make container securityContext configurable (#147)

Allows users to tailor the context to their organization's needs. Signed-off-by: nscuro <[email protected]>
DependencyTrack · Aug 26, 2024 · a5166b5 · a5166b5
1 parent d50dcc0
commit a5166b5
Show file tree

Hide file tree

Showing 13 changed files with 61 additions and 91 deletions.
diff --git a/charts/dependency-track/templates/api-server/deployment.yaml b/charts/dependency-track/templates/api-server/deployment.yaml
@@ -35,15 +35,7 @@ spec:
       - name: {{ include "dependencytrack.apiServerName" . }}
         image: {{ include "dependencytrack.apiServerImage" . }}
         imagePullPolicy: {{ .Values.apiServer.image.pullPolicy }}
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          runAsNonRoot: true
-          readOnlyRootFilesystem: true
-          seccompProfile:
-            type: RuntimeDefault
+        securityContext: {{ toYaml .Values.apiServer.securityContext | nindent 10 }}
         {{- with .Values.apiServer.command }}
         command: {{ toYaml . | nindent 8 }}
         {{- end }}

diff --git a/charts/dependency-track/templates/api-server/statefulset.yaml b/charts/dependency-track/templates/api-server/statefulset.yaml
@@ -36,15 +36,7 @@ spec:
       - name: {{ include "dependencytrack.apiServerName" . }}
         image: {{ include "dependencytrack.apiServerImage" . }}
         imagePullPolicy: {{ .Values.apiServer.image.pullPolicy }}
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          runAsNonRoot: true
-          readOnlyRootFilesystem: true
-          seccompProfile:
-            type: RuntimeDefault
+        securityContext: {{ toYaml .Values.apiServer.securityContext | nindent 10 }}
         {{- with .Values.apiServer.command }}
         command: {{ toYaml . | nindent 8 }}
         {{- end }}

diff --git a/charts/dependency-track/templates/frontend/deployment.yaml b/charts/dependency-track/templates/frontend/deployment.yaml
@@ -28,15 +28,7 @@ spec:
       - name: {{ include "dependencytrack.frontendName" . }}
         image: {{ include "dependencytrack.frontendImage" . }}
         imagePullPolicy: {{ .Values.frontend.image.pullPolicy }}
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          runAsNonRoot: true
-          readOnlyRootFilesystem: false # RO filesystems are not supported by the frontend
-          seccompProfile:
-            type: RuntimeDefault
+        securityContext: {{ toYaml .Values.frontend.securityContext | nindent 10 }}
         {{- with .Values.frontend.command }}
         command: {{ toYaml . | nindent 8 }}
         {{- end }}

diff --git a/charts/dependency-track/values.yaml b/charts/dependency-track/values.yaml
@@ -45,6 +45,16 @@ apiServer:
   # For OpenShift, explicitly set this to null.
   podSecurityContext:
     fsGroup: 1000
+  # -- Security context of the Container.
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
+    runAsNonRoot: true
+    readOnlyRootFilesystem: true
+    seccompProfile:
+      type: RuntimeDefault
   persistentVolume:
     enabled: false
     className: ""
@@ -134,6 +144,17 @@ frontend:
     limits:
       cpu: 500m
       memory: 128Mi
+  # -- Security context of the Container.
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
+    runAsNonRoot: true
+    # RO filesystems are not supported by the frontend
+    readOnlyRootFilesystem: false
+    seccompProfile:
+      type: RuntimeDefault
   extraEnv: []
   extraEnvFrom: []
   extraContainers: []

diff --git a/charts/hyades/templates/api-server/deployment.yaml b/charts/hyades/templates/api-server/deployment.yaml
@@ -33,15 +33,7 @@ spec:
       - name: {{ include "hyades.apiServerName" . }}
         image: {{ include "hyades.apiServerImage" . }}
         imagePullPolicy: {{ .Values.apiServer.image.pullPolicy }}
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          runAsNonRoot: true
-          readOnlyRootFilesystem: true
-          seccompProfile:
-            type: RuntimeDefault
+        securityContext: {{ toYaml .Values.apiServer.securityContext | nindent 10 }}
         {{- with .Values.apiServer.command }}
         command: {{ toYaml . | nindent 8 }}
         {{- end }}

diff --git a/charts/hyades/templates/frontend/deployment.yaml b/charts/hyades/templates/frontend/deployment.yaml
@@ -29,15 +29,7 @@ spec:
       - name: {{ include "hyades.frontendName" . }}
         image: {{ include "hyades.frontendImage" . }}
         imagePullPolicy: {{ .Values.frontend.image.pullPolicy }}
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          runAsNonRoot: true
-          readOnlyRootFilesystem: false # RO filesystems are not supported by the frontend
-          seccompProfile:
-            type: RuntimeDefault
+        securityContext: {{ toYaml .Values.frontend.securityContext | nindent 10 }}
         {{- with .Values.frontend.command }}
         command: {{ toYaml . | nindent 8 }}
         {{- end }}

diff --git a/charts/hyades/templates/mirror-service/deployment.yaml b/charts/hyades/templates/mirror-service/deployment.yaml
@@ -32,15 +32,7 @@ spec:
       - name: {{ include "hyades.mirrorServiceName" . }}
         image: {{ include "hyades.mirrorServiceImage" . }}
         imagePullPolicy: {{ .Values.mirrorService.image.pullPolicy }}
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          runAsNonRoot: true
-          readOnlyRootFilesystem: true
-          seccompProfile:
-            type: RuntimeDefault
+        securityContext: {{ toYaml .Values.mirrorService.securityContext | nindent 10 }}
         {{- with .Values.mirrorService.command }}
         command: {{ toYaml . | nindent 8 }}
         {{- end }}

diff --git a/charts/hyades/templates/notification-publisher/deployment.yaml b/charts/hyades/templates/notification-publisher/deployment.yaml
@@ -32,15 +32,7 @@ spec:
       - name: {{ include "hyades.notificationPublisherName" . }}
         image: {{ include "hyades.notificationPublisherImage" . }}
         imagePullPolicy: {{ .Values.notificationPublisher.image.pullPolicy }}
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          runAsNonRoot: true
-          readOnlyRootFilesystem: true
-          seccompProfile:
-            type: RuntimeDefault
+        securityContext: {{ toYaml .Values.notificationPublisher.securityContext | nindent 10 }}
         {{- with .Values.notificationPublisher.command }}
         command: {{ toYaml . | nindent 8 }}
         {{- end }}

diff --git a/charts/hyades/templates/repo-meta-analyzer/deployment.yaml b/charts/hyades/templates/repo-meta-analyzer/deployment.yaml
@@ -32,15 +32,7 @@ spec:
       - name: {{ include "hyades.repoMetaAnalyzerName" . }}
         image: {{ include "hyades.repoMetaAnalyzerImage" . }}
         imagePullPolicy: {{ .Values.repoMetaAnalyzer.image.pullPolicy }}
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          runAsNonRoot: true
-          readOnlyRootFilesystem: true
-          seccompProfile:
-            type: RuntimeDefault
+        securityContext: {{ toYaml .Values.repoMetaAnalyzer.securityContext | nindent 10 }}
         {{- with .Values.repoMetaAnalyzer.command }}
         command: {{ toYaml . | nindent 8 }}
         {{- end }}

diff --git a/charts/hyades/templates/vuln-analyzer/deployment.yaml b/charts/hyades/templates/vuln-analyzer/deployment.yaml
@@ -32,15 +32,7 @@ spec:
       - name: {{ include "hyades.vulnAnalyzerName" . }}
         image: {{ include "hyades.vulnAnalyzerImage" . }}
         imagePullPolicy: {{ .Values.vulnAnalyzer.image.pullPolicy }}
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          runAsNonRoot: true
-          readOnlyRootFilesystem: true
-          seccompProfile:
-            type: RuntimeDefault
+        securityContext: {{ toYaml .Values.vulnAnalyzer.securityContext | nindent 10 }}
         {{- with .Values.vulnAnalyzer.command }}
         command: {{ toYaml . | nindent 8 }}
         {{- end }}

diff --git a/charts/hyades/templates/vuln-analyzer/statefulset.yaml b/charts/hyades/templates/vuln-analyzer/statefulset.yaml
@@ -33,15 +33,7 @@ spec:
       - name: {{ include "hyades.vulnAnalyzerName" . }}
         image: {{ include "hyades.vulnAnalyzerImage" . }}
         imagePullPolicy: {{ .Values.vulnAnalyzer.image.pullPolicy }}
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          runAsNonRoot: true
-          readOnlyRootFilesystem: true
-          seccompProfile:
-            type: RuntimeDefault
+        securityContext: {{ toYaml .Values.vulnAnalyzer.securityContext | nindent 10 }}
         {{- with .Values.vulnAnalyzer.command }}
         command: {{ toYaml . | nindent 8 }}
         {{- end }}

diff --git a/charts/hyades/values.yaml b/charts/hyades/values.yaml
@@ -47,6 +47,16 @@ apiServer:
     limits:
       cpu: "4"
       memory: 2Gi
+  # -- Security context of the Container.
+  securityContext: &hyadesSecurityContext
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
+    runAsNonRoot: true
+    readOnlyRootFilesystem: true
+    seccompProfile:
+      type: RuntimeDefault
   extraEnv: []
   extraEnvFrom: []
   probes:
@@ -124,6 +134,17 @@ frontend:
     limits:
       cpu: 500m
       memory: 128Mi
+  # -- Security context of the Container.
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
+    runAsNonRoot: true
+    # RO filesystems are not supported by the frontend
+    readOnlyRootFilesystem: false
+    seccompProfile:
+      type: RuntimeDefault
   extraEnv: []
   extraEnvFrom: []
   probes:
@@ -174,6 +195,8 @@ mirrorService:
     limits:
       cpu: "2"
       memory: 2Gi
+  # -- Security context of the container.
+  securityContext: *hyadesSecurityContext
   extraEnv: []
   extraEnvFrom: []
   probes:
@@ -218,6 +241,8 @@ notificationPublisher:
     limits:
       cpu: "2"
       memory: 2Gi
+  # -- Security context of the container.
+  securityContext: *hyadesSecurityContext
   extraEnv: []
   extraEnvFrom: []
   probes:
@@ -262,6 +287,8 @@ repoMetaAnalyzer:
     limits:
       cpu: "2"
       memory: 2Gi
+  # -- Security context of the container.
+  securityContext: *hyadesSecurityContext
   extraEnv: []
   extraEnvFrom: []
   probes:
@@ -311,6 +338,8 @@ vulnAnalyzer:
     limits:
       cpu: "2"
       memory: 2Gi
+  # -- Security context of the container.
+  securityContext: *hyadesSecurityContext
   persistentVolume:
     # -- Whether to use a persistent volume to store application state.
     # Has no effect unless useStatefulSet is true. Is pointless unless

diff --git a/ct.yaml b/ct.yaml
@@ -1,3 +1,3 @@
 target-branch: main
-helm-extra-args: --timeout 180s
+helm-extra-args: --timeout 240s
 check-version-increment: false