diff --git a/.gitignore b/.gitignore
index 212119c..679ef7b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,4 @@
-*-local.yaml
\ No newline at end of file
+*-local.yaml
+*-locale.yml
+*-locale.yaml
+*-local.yml
\ No newline at end of file
diff --git a/charts/gdscan/Chart.yaml b/charts/gdscan/Chart.yaml
index 2842130..c2f22ff 100644
--- a/charts/gdscan/Chart.yaml
+++ b/charts/gdscan/Chart.yaml
@@ -5,4 +5,4 @@ maintainers:
 - name: G DATA CyberDefense AG
 email: oem@gdata.de
 type: application
-version: 1.5.1
+version: 1.6.0
diff --git a/charts/gdscan/templates/deployment.yaml b/charts/gdscan/templates/deployment.yaml
index 23afd33..3b3ecd0 100644
--- a/charts/gdscan/templates/deployment.yaml
+++ b/charts/gdscan/templates/deployment.yaml
@@ -39,10 +39,8 @@ spec:
 emptyDir: {}
 - name: scan-socket
 emptyDir: {}
- {{- if .Values.client.containerSecurityContext.enabled }}
 - name: client-tmp
 emptyDir: {}
- {{- end }}
 - name: server-var-log
 emptyDir: {}
 {{- include "gdscan.imagePullSecrets" . | nindent 6 }}
@@ -53,6 +51,9 @@ spec:
 value: "{{ now | unixEpoch }}"
 image: '{{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }}'
 imagePullPolicy: {{ .Values.server.image.pullPolicy }}
+ {{- if .Values.server.containerSecurityContext.enabled }}
+ securityContext: {{- omit .Values.server.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+ {{- end }}
 volumeMounts:
 - name: server-tmp
 mountPath: /tmp
@@ -75,10 +76,8 @@ spec:
 mountPath: /tmp/scan
 - name: scan-socket
 mountPath: /var/share/run
- {{- if .Values.client.containerSecurityContext.enabled }}
 - name: client-tmp
 mountPath: /tmp
- {{- end }}
 resources:
 {{- toYaml .Values.resources.client | nindent 12 }}
 ports:
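Review bot: The server container in deployment.yaml now gets `readOnlyRootFilesystem: true` by default through the added `securityContext: {{- omit .Values.server.containerSecurityContext "enabled" | toYaml | nindent 12 }}` line, but the only writable mount visible in this hunk is `server-tmp` at `/tmp`; the `server-var-log` volume is declared in the @@ -39 hunk and the StatefulSet mounts it at `/var/log`, so confirm that the Deployment's volumeMounts (which continue past the hunk) mount it as well, otherwise any write the server makes under `/var/log` fails on a read-only root filesystem. With `enabled: true` and no other keys, `omit` leaves an empty map that renders as `{}`, which is valid YAML, so no extra guard is needed on that line. The container block starts and ends outside the hunk.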
@@ -96,8 +95,8 @@ spec:
 path: /health
 port: api
 initialDelaySeconds: 15
- periodSeconds: 5
- terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
+ periodSeconds: 5
+ terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
@@ -110,4 +109,6 @@ spec:
 tolerations:
 {{- toYaml . | nindent 8 }}
 {{- end }}
-{{- end }}
\ No newline at end of file
+ securityContext:
+ fsGroup: 1654
+{{- end }}
diff --git a/charts/gdscan/templates/stateful-set.yaml b/charts/gdscan/templates/stateful-set.yaml
index d9c68bc..acbbc04 100644
--- a/charts/gdscan/templates/stateful-set.yaml
+++ b/charts/gdscan/templates/stateful-set.yaml
@@ -37,14 +37,10 @@ spec:
 emptyDir: {}
 - name: scan-socket
 emptyDir: {}
- {{- if .Values.client.containerSecurityContext.enabled }}
 - name: client-tmp
 emptyDir: {}
- {{- end }}
- {{- if .Values.server.containerSecurityContext.enabled }}
 - name: server-var-log
 emptyDir: {}
- {{- end }}
 containers:
 - name: {{ .Values.server.name }}
 env:
@@ -62,10 +58,8 @@ spec:
 mountPath: /tmp/scan
 - name: scan-socket
 mountPath: /var/share/run
- {{- if .Values.server.containerSecurityContext.enabled }}
 - name: server-var-log
 mountPath: /var/log
- {{- end }}
 resources:
 {{- toYaml .Values.resources.server | nindent 12 }}
 - name: {{ .Values.client.name }}
@@ -79,10 +73,8 @@ spec:
 mountPath: /tmp/scan
 - name: scan-socket
 mountPath: /var/share/run
- {{- if .Values.client.containerSecurityContext.enabled }}
 - name: client-tmp
 mountPath: /tmp
- {{- end }}
 resources:
 {{- toYaml .Values.resources.client | nindent 12 }}
 ports:
@@ -101,7 +93,7 @@ spec:
 port: api
 initialDelaySeconds: 15
 periodSeconds: 5
- terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
+ terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
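Review bot: `fsGroup: 1654` is a hard-coded magic number added to the pod securityContext at the end of the Deployment here and of the StatefulSet at @@ -114, and it does not match the `runAsUser`/`runAsGroup: 1001` the server block in values.yaml now sets, so a reader cannot tell which image user or volume it is meant to align with. Render it from values instead, e.g. `securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }}` (indent chosen to match the neighbouring `tolerations` block's `nindent 8`), with the number and its reason documented next to the value; at minimum put a comment on the line, such as `# <GID> = <group the scan images expect on the shared volumes — fill in>`, since the diff itself does not state why 1654. The enclosing pod spec starts outside the hunk.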
@@ -114,4 +106,6 @@ spec:
 tolerations:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ securityContext:
+ fsGroup: 1654
 {{- end }}
\ No newline at end of file
diff --git a/charts/gdscan/values.yaml b/charts/gdscan/values.yaml
index 3951bcb..9e9d35d 100644
--- a/charts/gdscan/values.yaml
+++ b/charts/gdscan/values.yaml
@@ -7,7 +7,16 @@ server:
 pullPolicy: Always
 tag: 1
 containerSecurityContext:
- enabled: false
+ enabled: true
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: RuntimeDefault
+ runAsGroup: 1001
+ runAsUser: 1001
 client:
 name: client
 image:
@@ -15,7 +24,14 @@ client:
 pullPolicy: Always
 tag: 1
 containerSecurityContext:
- enabled: false
+ enabled: true
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: RuntimeDefault
 terminationGracePeriodSeconds: 30
 imagePullSecrets:
@@ -88,9 +104,16 @@ autoUpdate:
 image:
 registry: docker.io
 repository: bitnami/kubectl
- tag: latest
+ tag: 1.29
 containerSecurityContext:
- enabled: false
+ enabled: true
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: RuntimeDefault
 enabled: true
 # every hour
 schedule: "0 * * * *"
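Review bot: The `enabled` key in `server.containerSecurityContext` has no comment explaining that it is only a switch — deployment.yaml strips it with `omit ... "enabled"` and passes every other key through `toYaml` verbatim — and nothing in the values file records that this release flips the default to `true`, which changes behaviour for any custom server image that writes outside `/tmp` or runs as root. Add above the block a comment such as `# Rendered verbatim as the server container's securityContext (minus "enabled"); set enabled: false to omit it entirely. Restrictive defaults since chart 1.6.0.` and mention the default change in the chart's changelog or README.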
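Review bot: `runAsNonRoot: true` is set for the client container without a matching `runAsUser`, unlike the server block above, and the autoUpdate block at @@ -88 has the same gap. The kubelet enforces runAsNonRoot by checking a numeric UID, so if the client image's `USER` is unset or is a name rather than a number, the container is rejected at start with a container-config error instead of running as non-root. Either add `runAsUser: <uid of the client image>` (placeholder — take the value from the image) under both blocks, or add a comment such as `# relies on the image declaring a numeric non-root USER` where that is the intended contract.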
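Review bot: `tag: 1.29` is an unquoted scalar that YAML types as a float, so Helm receives the number 1.29 rather than a string; it happens to render identically today, but the next bump to a tag ending in zero (e.g. 1.30) would render as `1.3` and the image pull would fail. Quote it as `tag: "1.29"`, consistent with the already-quoted `schedule: "0 * * * *"` a few lines below.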