Security improvements

a04b05be · Martin Weise · c724d5ca · a04b05be · a04b05be · a04b05be
Verified Commit a04b05be authored Apr 9, 2024 by Martin Weise
--- a/helm-charts/dbrepo/.helmignore
+++ b/helm-charts/dbrepo/.helmignore
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
 # Dev
 values.dev.yaml
+Chart.tpl.yaml
+hack/
+# MacOS
 .DS_Store
 # Common VCS dirs
 .git/

--- a/helm-charts/dbrepo/templates/analyse-service/deployment.yaml
+++ b/helm-charts/dbrepo/templates/analyse-service/deployment.yaml
@@ -33,6 +33,8 @@ spec:
          imagePullPolicy: {{ .Values.analyseService.image.pullPolicy | default "IfNotPresent" }}
          securityContext:
            allowPrivilegeEscalation: false
+            seccompProfile:
+              type: {{ .Values.analyseService.profileType | default "RuntimeDefault" }}
            capabilities:
              drop:
                - ALL

--- a/helm-charts/dbrepo/templates/data-service/deployment.yaml
+++ b/helm-charts/dbrepo/templates/data-service/deployment.yaml
@@ -30,6 +30,13 @@ spec:
        - name: data-service
          image: {{ .Values.dataService.image.name }}
          imagePullPolicy: {{ .Values.dataService.image.pullPolicy | default "IfNotPresent" }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            seccompProfile:
+              type: {{ .Values.dataService.profileType | default "RuntimeDefault" }}
+            capabilities:
+              drop:
+                - ALL
          ports:
            - containerPort: 9093
              protocol: TCP

--- a/helm-charts/dbrepo/templates/metadata-service/deployment.yaml
+++ b/helm-charts/dbrepo/templates/metadata-service/deployment.yaml
@@ -35,6 +35,8 @@ spec:
            runAsUser: 1000
            runAsGroup: 1000
            allowPrivilegeEscalation: false
+            seccompProfile:
+              type: {{ .Values.metadataService.profileType | default "RuntimeDefault" }}
            capabilities:
              drop:
                - ALL

--- a/helm-charts/dbrepo/templates/search-service/deployment.yaml
+++ b/helm-charts/dbrepo/templates/search-service/deployment.yaml
@@ -33,6 +33,8 @@ spec:
          imagePullPolicy: {{ .Values.searchService.image.pullPolicy | default "IfNotPresent" }}
          securityContext:
            allowPrivilegeEscalation: false
+            seccompProfile:
+              type: {{ .Values.metadataService.profileType | default "RuntimeDefault" }}
            capabilities:
              drop:
                - ALL

--- a/helm-charts/dbrepo/templates/ui/deployment.yaml
+++ b/helm-charts/dbrepo/templates/ui/deployment.yaml
@@ -33,6 +33,8 @@ spec:
          imagePullPolicy: {{ .Values.ui.image.pullPolicy | default "IfNotPresent" }}
          securityContext:
            allowPrivilegeEscalation: false
+            seccompProfile:
+              type: {{ .Values.ui.profileType | default "RuntimeDefault" }}
            capabilities:
              drop:
                - ALL

--- a/helm-charts/dbrepo/templates/upload-service/deployment.yaml
+++ b/helm-charts/dbrepo/templates/upload-service/deployment.yaml
@@ -33,6 +33,8 @@ spec:
          imagePullPolicy: {{ .Values.uploadService.image.pullPolicy | default "IfNotPresent" }}
          securityContext:
            allowPrivilegeEscalation: false
+            seccompProfile:
+              type: {{ .Values.uploadService.profileType | default "RuntimeDefault" }}
            capabilities:
              drop:
                - ALL

--- a/helm-charts/dbrepo/values.dev.yaml
+++ b/helm-charts/dbrepo/values.dev.yaml
@@ -115,6 +115,12 @@ dataDb:
      securityContext:
        runAsUser: 1001
        runAsGroup: 1001
+        allowPrivilegeEscalation: false
+        seccompProfile:
+          type: RuntimeDefault
+        capabilities:
+          drop:
+            - ALL
      ports:
        - containerPort: 3305
          protocol: TCP
@@ -152,6 +158,10 @@ dataDb:
    size: 10Gi
  replicaCount: 1 # uneven

+dataDbSidecar:
+  persistence:
+    storageClass:
+
 searchdb:
  fullnameOverride: search-db
  host: search-db
@@ -236,6 +246,15 @@ searchDbDashboard:
    - name: init
      image: dbrepo-search-db-init:latest
      imagePullPolicy: Never
+      securityContext:
+        runAsUser: 1001
+        runAsGroup: 1001
+        allowPrivilegeEscalation: false
+        seccompProfile:
+          type: RuntimeDefault
+        capabilities:
+          drop:
+            - ALL
      env:
        - name: OPENSEARCH_HOST
          value: http://search-db:9200

--- a/helm-charts/dbrepo/values.yaml
+++ b/helm-charts/dbrepo/values.yaml
@@ -115,6 +115,12 @@ dataDb:
      securityContext:
        runAsUser: 1001
        runAsGroup: 1001
+        allowPrivilegeEscalation: false
+        seccompProfile:
+          type: RuntimeDefault
+        capabilities:
+          drop:
+            - ALL
      ports:
        - containerPort: 3305
          protocol: TCP
@@ -240,6 +246,15 @@ searchDbDashboard:
    - name: init
      image: s210.dl.hpc.tuwien.ac.at/dbrepo/search-db-init:1.4.2
      imagePullPolicy: Always
+      securityContext:
+        runAsUser: 1001
+        runAsGroup: 1001
+        allowPrivilegeEscalation: false
+        seccompProfile:
+          type: RuntimeDefault
+        capabilities:
+          drop:
+            - ALL
      env:
        - name: OPENSEARCH_HOST
          value: http://search-db:9200