From a04b05be496168dc9986749201c7194f407d0f58 Mon Sep 17 00:00:00 2001
From: Martin Weise <martin.weise@tuwien.ac.at>
Date: Tue, 9 Apr 2024 14:28:47 +0200
Subject: [PATCH] Security improvements

---
 helm-charts/dbrepo/.helmignore                |  6 +++---
 .../templates/analyse-service/deployment.yaml |  2 ++
 .../templates/data-service/deployment.yaml    |  7 +++++++
 .../metadata-service/deployment.yaml          |  2 ++
 .../templates/search-service/deployment.yaml  |  2 ++
 .../dbrepo/templates/ui/deployment.yaml       |  2 ++
 .../templates/upload-service/deployment.yaml  |  2 ++
 helm-charts/dbrepo/values.dev.yaml            | 19 +++++++++++++++++++
 helm-charts/dbrepo/values.yaml                | 15 +++++++++++++++
 9 files changed, 54 insertions(+), 3 deletions(-)

diff --git a/helm-charts/dbrepo/.helmignore b/helm-charts/dbrepo/.helmignore
index 671ca33f54..5e1b504358 100644
--- a/helm-charts/dbrepo/.helmignore
+++ b/helm-charts/dbrepo/.helmignore
@@ -1,8 +1,8 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
 # Dev
 values.dev.yaml
+Chart.tpl.yaml
+hack/
+# MacOS
 .DS_Store
 # Common VCS dirs
 .git/
diff --git a/helm-charts/dbrepo/templates/analyse-service/deployment.yaml b/helm-charts/dbrepo/templates/analyse-service/deployment.yaml
index 1a4bef34d6..7806c08538 100644
--- a/helm-charts/dbrepo/templates/analyse-service/deployment.yaml
+++ b/helm-charts/dbrepo/templates/analyse-service/deployment.yaml
@@ -33,6 +33,8 @@ spec:
           imagePullPolicy: {{ .Values.analyseService.image.pullPolicy | default "IfNotPresent" }}
           securityContext:
             allowPrivilegeEscalation: false
+            seccompProfile:
+              type: {{ .Values.analyseService.profileType | default "RuntimeDefault" }}
             capabilities:
               drop:
                 - ALL
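Review bot: `.Values.analyseService.profileType` is introduced here without a matching key in values.yaml (this commit's values.yaml hunks touch only dataDb and searchDbDashboard), so the new knob is undiscoverable and only takes effect through the `default` filter. Declare it next to the service's other settings with a comment, e.g. `profileType: RuntimeDefault  # seccomp profile type for the container; RuntimeDefault or Unconfined`, and note that `Localhost` is not usable through this template because no `localhostProfile` is rendered. The same undeclared value is added in the data-service, metadata-service, ui and upload-service hunks. The container spec this block belongs to starts and ends outside the hunk.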
diff --git a/helm-charts/dbrepo/templates/data-service/deployment.yaml b/helm-charts/dbrepo/templates/data-service/deployment.yaml
index ed2317b588..d290826cc2 100644
--- a/helm-charts/dbrepo/templates/data-service/deployment.yaml
+++ b/helm-charts/dbrepo/templates/data-service/deployment.yaml
@@ -30,6 +30,13 @@ spec:
         - name: data-service
           image: {{ .Values.dataService.image.name }}
           imagePullPolicy: {{ .Values.dataService.image.pullPolicy | default "IfNotPresent" }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            seccompProfile:
+              type: {{ .Values.dataService.profileType | default "RuntimeDefault" }}
+            capabilities:
+              drop:
+                - ALL
           ports:
             - containerPort: 9093
               protocol: TCP
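Review bot: The securityContext added for data-service carries no `runAsNonRoot` or `runAsUser`/`runAsGroup`, unlike the metadata-service context in this same commit (`runAsUser: 1000` / `runAsGroup: 1000`); if the image's default user is root, dropping capabilities and the seccomp profile still leave the process running as UID 0. Consider adding `runAsNonRoot: true` together with a `runAsUser`/`runAsGroup` that matches the image, after confirming the image actually supports a non-root user, since `runAsNonRoot: true` makes the kubelet refuse to start a container whose image runs as root. The container spec continues outside the hunk.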
diff --git a/helm-charts/dbrepo/templates/metadata-service/deployment.yaml b/helm-charts/dbrepo/templates/metadata-service/deployment.yaml
index 3f5a9798a7..f638c6984e 100644
--- a/helm-charts/dbrepo/templates/metadata-service/deployment.yaml
+++ b/helm-charts/dbrepo/templates/metadata-service/deployment.yaml
@@ -35,6 +35,8 @@ spec:
             runAsUser: 1000
             runAsGroup: 1000
             allowPrivilegeEscalation: false
+            seccompProfile:
+              type: {{ .Values.metadataService.profileType | default "RuntimeDefault" }}
             capabilities:
               drop:
                 - ALL
diff --git a/helm-charts/dbrepo/templates/search-service/deployment.yaml b/helm-charts/dbrepo/templates/search-service/deployment.yaml
index 165f6809b6..c2cead7f85 100644
--- a/helm-charts/dbrepo/templates/search-service/deployment.yaml
+++ b/helm-charts/dbrepo/templates/search-service/deployment.yaml
@@ -33,6 +33,8 @@ spec:
           imagePullPolicy: {{ .Values.searchService.image.pullPolicy | default "IfNotPresent" }}
           securityContext:
             allowPrivilegeEscalation: false
+            seccompProfile:
+              type: {{ .Values.metadataService.profileType | default "RuntimeDefault" }}
             capabilities:
               drop:
                 - ALL
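Review bot: The seccomp type for search-service is read from `.Values.metadataService.profileType` instead of the search service's own values, so setting a profile for the metadata service silently changes the search service and vice versa, while `searchService.profileType` is ignored; the `imagePullPolicy` line just above this block uses `.Values.searchService`, which looks like the intended scope. Change the line to `type: {{ .Values.searchService.profileType | default "RuntimeDefault" }}`. The container spec continues outside the hunk.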
diff --git a/helm-charts/dbrepo/templates/ui/deployment.yaml b/helm-charts/dbrepo/templates/ui/deployment.yaml
index 975185e4cc..3cd5e4e0fc 100644
--- a/helm-charts/dbrepo/templates/ui/deployment.yaml
+++ b/helm-charts/dbrepo/templates/ui/deployment.yaml
@@ -33,6 +33,8 @@ spec:
           imagePullPolicy: {{ .Values.ui.image.pullPolicy | default "IfNotPresent" }}
           securityContext:
             allowPrivilegeEscalation: false
+            seccompProfile:
+              type: {{ .Values.ui.profileType | default "RuntimeDefault" }}
             capabilities:
               drop:
                 - ALL
diff --git a/helm-charts/dbrepo/templates/upload-service/deployment.yaml b/helm-charts/dbrepo/templates/upload-service/deployment.yaml
index 20fbb6b4ef..fd4e767dca 100644
--- a/helm-charts/dbrepo/templates/upload-service/deployment.yaml
+++ b/helm-charts/dbrepo/templates/upload-service/deployment.yaml
@@ -33,6 +33,8 @@ spec:
           imagePullPolicy: {{ .Values.uploadService.image.pullPolicy | default "IfNotPresent" }}
           securityContext:
             allowPrivilegeEscalation: false
+            seccompProfile:
+              type: {{ .Values.uploadService.profileType | default "RuntimeDefault" }}
             capabilities:
               drop:
                 - ALL
diff --git a/helm-charts/dbrepo/values.dev.yaml b/helm-charts/dbrepo/values.dev.yaml
index c3d8409534..95f4e14530 100644
--- a/helm-charts/dbrepo/values.dev.yaml
+++ b/helm-charts/dbrepo/values.dev.yaml
@@ -115,6 +115,12 @@ dataDb:
       securityContext:
         runAsUser: 1001
         runAsGroup: 1001
+        allowPrivilegeEscalation: false
+        seccompProfile:
+          type: RuntimeDefault
+        capabilities:
+          drop:
+            - ALL
       ports:
         - containerPort: 3305
           protocol: TCP
@@ -152,6 +158,10 @@ dataDb:
     size: 10Gi
   replicaCount: 1 # uneven
 
+dataDbSidecar:
+  persistence:
+    storageClass:
+
 searchdb:
   fullnameOverride: search-db
   host: search-db
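Review bot: The new `storageClass:` entry under `dataDbSidecar.persistence` has no value, which YAML parses as null rather than an empty string, so a template that expects a string (for example to fall back to the cluster's default class when empty) will see nil instead. If "use the default storage class" is intended, write `storageClass: ""` explicitly; if the key is only a placeholder, a comment saying so would help. This key is added only in values.dev.yaml, not in values.yaml, so I cannot see from the patch whether any template reads it.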
@@ -236,6 +246,15 @@ searchDbDashboard:
     - name: init
       image: dbrepo-search-db-init:latest
       imagePullPolicy: Never
+      securityContext:
+        runAsUser: 1001
+        runAsGroup: 1001
+        allowPrivilegeEscalation: false
+        seccompProfile:
+          type: RuntimeDefault
+        capabilities:
+          drop:
+            - ALL
       env:
         - name: OPENSEARCH_HOST
           value: http://search-db:9200
diff --git a/helm-charts/dbrepo/values.yaml b/helm-charts/dbrepo/values.yaml
index e2d28a8bba..655e158af7 100644
--- a/helm-charts/dbrepo/values.yaml
+++ b/helm-charts/dbrepo/values.yaml
@@ -115,6 +115,12 @@ dataDb:
       securityContext:
         runAsUser: 1001
         runAsGroup: 1001
+        allowPrivilegeEscalation: false
+        seccompProfile:
+          type: RuntimeDefault
+        capabilities:
+          drop:
+            - ALL
       ports:
         - containerPort: 3305
           protocol: TCP
@@ -240,6 +246,15 @@ searchDbDashboard:
     - name: init
       image: s210.dl.hpc.tuwien.ac.at/dbrepo/search-db-init:1.4.2
       imagePullPolicy: Always
+      securityContext:
+        runAsUser: 1001
+        runAsGroup: 1001
+        allowPrivilegeEscalation: false
+        seccompProfile:
+          type: RuntimeDefault
+        capabilities:
+          drop:
+            - ALL
       env:
         - name: OPENSEARCH_HOST
           value: http://search-db:9200
-- 
GitLab