Skip to content

Commit

Permalink
allow pod security admission restricted by default (#7)
Browse files Browse the repository at this point in the history
* run vaas as restricted

* add default host to env

* increase version

---------

Co-authored-by: PT-ATA No One <[email protected]>
  • Loading branch information
doxthree and ata-no-one authored Feb 15, 2024
1 parent d2705e9 commit 5c8e769
Show file tree
Hide file tree
Showing 6 changed files with 31 additions and 19 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/ci.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,7 @@ jobs:
with:
name: vaas
repository: gdatasoftwareag/charts
tag: 1.0.2
tag: 1.0.3
path: charts/vaas
registry: ghcr.io
registry_username: ${{ secrets.REGISTRY_USERNAME }}
Expand Down
8 changes: 4 additions & 4 deletions charts/vaas/Chart.lock
Original file line number Diff line number Diff line change
@@ -1,12 +1,12 @@
dependencies:
- name: redis
repository: https://charts.bitnami.com/bitnami
version: 18.1.5
version: 18.12.1
- name: gdscan
repository: https://gdatasoftwareag.github.io/gdscan/
version: 1.4.5
version: 1.6.0
- name: mini-identity-provider
repository: oci://ghcr.io/gdatasoftwareag
version: 0.1.17
digest: sha256:e4f283b831d4726932df1ba32ed10a746faa7aa89fd7345c3f952b7563e856bd
generated: "2024-02-12T09:11:31.341370564+01:00"
digest: sha256:58cd2dbd7a6d6d3749dd68c3ae1c0e75237a368ebf01cafa36ca7794a8982118
generated: "2024-02-13T08:40:59.295006648+01:00"
6 changes: 3 additions & 3 deletions charts/vaas/Chart.yaml
Original file line number Diff line number Diff line change
@@ -1,18 +1,18 @@
apiVersion: v2
name: vaas
version: 1.0.2
version: 1.0.3
description: Deployment of a Verdict-as-a-Service on-premise instance
maintainers:
- name: G DATA CyberDefense AG
email: [email protected]
type: application
dependencies:
- name: redis
version: 18.1.5
version: 18.12.1
condition: redis.enabled
repository: https://charts.bitnami.com/bitnami
- name: gdscan
version: 1.4.5
version: 1.6.0
condition: gdscan.enabled
repository: https://gdatasoftwareag.github.io/gdscan/
- name: mini-identity-provider
Expand Down
4 changes: 4 additions & 0 deletions charts/vaas/templates/gateway/_helpers.tpl
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,10 @@ Create environment variables to configure gateway container.
value: {{.Values.gateway.uploadUrl}}
- name: JwtSettings__Secret
value: {{ randAlphaNum 64 }}
- name: GDScanConfiguration__Url
value: "http://gdscan:8080/scan/body"
- name: RedisConfiguration__Configuration
value: "redis-master"
{{- if .Values.gateway.cloudhashlookup.enabled }}
- name: VerdictAsAService__Url
value: {{ .Values.gateway.options.url | quote }}
Expand Down
5 changes: 3 additions & 2 deletions charts/vaas/templates/gateway/statefulset.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -28,8 +28,9 @@ spec:
emptyDir: {}
containers:
- name: {{ include "gateway.name" . }}
securityContext:
readOnlyRootFilesystem: true
{{- if .Values.gateway.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.gateway.containerSecurityContext "enabled" | toYaml | nindent 12 }}
{{- end }}
image: '{{ .Values.gateway.image.repository }}:{{ .Values.gateway.image.tag | default "latest" }}'
imagePullPolicy: {{ .Values.gateway.image.pullPolicy }}
volumeMounts:
Expand Down
25 changes: 16 additions & 9 deletions charts/vaas/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -102,8 +102,14 @@ gateway:
memory: 256Mi

containerSecurityContext:
enabled: false

enabled: true
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop: ["ALL"]
seccompProfile:
type: RuntimeDefault
image:
repository: ghcr.io/gdatasoftwareag/vaas/gateway
pullPolicy: Always
Expand Down Expand Up @@ -147,8 +153,6 @@ gdscan:
repository: ghcr.io/gdatasoftwareag/vaas/scanserver
pullPolicy: Always
tag: 1.9.8
containerSecurityContext:
enabled: false
resources:
limits:
memory: 2.5Gi
Expand All @@ -160,8 +164,6 @@ gdscan:
repository: ghcr.io/gdatasoftwareag/vaas/scanner
pullPolicy: Always
tag: 1.9.8
containerSecurityContext:
enabled: false
resources:
limits:
memory: 4Gi
Expand Down Expand Up @@ -222,8 +224,6 @@ gdscan:
registry: docker.io
repository: bitnami/kubectl
tag: latest
containerSecurityContext:
enabled: false
enabled: true
schedule: "0 * * * *"
networkPolicy:
Expand All @@ -247,6 +247,13 @@ redis:
persistence:
enabled: false
containerSecurityContext:
enabled: false
enabled: true
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop: ["ALL"]
seccompProfile:
type: RuntimeDefault
networkPolicy:
enabled: true

0 comments on commit 5c8e769

Please sign in to comment.