fix securitycontext config (#148)

Signed-off-by: André Bauer <[email protected]>
kokuwaio · Mar 14, 2023 · 110bb9d · 110bb9d
1 parent 9d2a997
commit 110bb9d
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 15 deletions.
diff --git a/charts/visual-regression-tracker/Chart.yaml b/charts/visual-regression-tracker/Chart.yaml
@@ -6,13 +6,13 @@ sources:
  - https://github.com/Visual-Regression-Tracker/Visual-Regression-Tracker
  - https://github.com/kokuwaio/helm-charts/tree/main/charts/visual-regression-tracker
 type: application
-version: 1.1.1
+version: 2.0.0
 appVersion: "4.20.6"
 maintainers:
  - name: monotek
  email: [email protected]
 dependencies:
  - name: postgresql
- version: 12.1.2
+ version: 12.2.3
  repository: https://charts.bitnami.com/bitnami
  condition: vrtConfig.postgresql.enabled
diff --git a/charts/visual-regression-tracker/README.md b/charts/visual-regression-tracker/README.md
@@ -49,6 +49,13 @@ helm upgrade vrt kokuwa/visual-regression-tracker
 
 _See [`helm upgrade`](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._
 
+### From 1.0.x to 2.0.0
+
+Renamed migration securityContext var from `.Values.vrtComponents.migration.initSecurityContext` to `.Values.vrtComponents.migration.securityContext`
+Fixed securityContext config for API and UI containers, where the configvalues were ignored.
+Added `seccompProfile` with default of `type: RuntimeDefault` to `podSecurityContext`.
+`readOnlyRootFilesystem` setting was removed.
+
 ### From 0.x.0 to 1.0.0
 
 Container config has been moved from `.Values.ui`, `.Values.api`, & `.Values.migration` to `.Values.vrtComponents.ui`, `.Values.vrtComponents.api`, & `.Values.vrtComponents.migration`.

diff --git a/charts/visual-regression-tracker/templates/statefulset.yaml b/charts/visual-regression-tracker/templates/statefulset.yaml
@@ -52,7 +52,7 @@ spec:
  resources:
  {{- toYaml .Values.vrtComponents.migration.resources | nindent 12 }}
  securityContext:
- {{- toYaml .Values.vrtComponents.migration.initSecurityContext | nindent 12 }}
+ {{- toYaml .Values.vrtComponents.migration.securityContext | nindent 12 }}
  containers:
  - name: {{ .Chart.Name }}-api
  env:
@@ -111,7 +111,7 @@ spec:
  resources:
  {{- toYaml .Values.vrtComponents.api.resources | nindent 12 }}
  securityContext:
- {{- toYaml .Values.securityContext | nindent 12 }}
+ {{- toYaml .Values.vrtComponents.api.securityContext | nindent 12 }}
  volumeMounts:
  - name: {{ template "visual-regression-tracker.fullname" . }}
  mountPath: /imageUploads
@@ -139,7 +139,7 @@ spec:
  resources:
  {{- toYaml .Values.vrtComponents.ui.resources | nindent 12 }}
  securityContext:
- {{- toYaml .Values.securityContext | nindent 12 }}
+ {{- toYaml .Values.vrtComponents.ui.securityContext | nindent 12 }}
  volumeMounts:
  - name: {{ template "visual-regression-tracker.fullname" . }}
  mountPath: /usr/share/nginx/html/static/imageUploads

diff --git a/charts/visual-regression-tracker/values.yaml b/charts/visual-regression-tracker/values.yaml
@@ -70,7 +70,6 @@ vrtComponents:
  drop:
  - ALL
  privileged: false
- readOnlyRootFilesystem: true
 
  service:
  type: ClusterIP
@@ -84,13 +83,6 @@ vrtComponents:
 
  imagePullSecrets: []
 
- initSecurityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
-
  resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
@@ -109,7 +101,6 @@ vrtComponents:
  drop:
  - ALL
  privileged: false
- readOnlyRootFilesystem: true
 
  ui:
  image:
@@ -151,7 +142,6 @@ vrtComponents:
  drop:
  - ALL
  privileged: false
- readOnlyRootFilesystem: true
 
  service:
  type: ClusterIP
@@ -205,6 +195,8 @@ podSecurityContext:
  runAsGroup: 1000
  runAsNonRoot: true
  runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
 
 # if used > 1 you need a ReadWriteMany storageclass
 replicaCount: 1