From a4f255ded857d297908595b400bee057a8802306 Mon Sep 17 00:00:00 2001
From: Martin Weise <martin.weise@tuwien.ac.at>
Date: Wed, 3 Jul 2024 10:21:37 +0200
Subject: [PATCH] Added correct securityconfig for openshift
---
 dbrepo-ui/Dockerfile | 4 +-
 helm/dbrepo/templates/_compatibility.tpl | 42 ++++++
 helm/dbrepo/templates/analyse-deployment.yaml | 24 ++--
 helm/dbrepo/templates/data-deployment.yaml | 24 ++--
 .../dbrepo/templates/metadata-deployment.yaml | 24 ++--
 helm/dbrepo/templates/search-deployment.yaml | 24 ++--
 helm/dbrepo/templates/ui-deployment.yaml | 21 ++-
 helm/dbrepo/values.yaml | 126 ++++++++++++++++++
 8 files changed, 215 insertions(+), 74 deletions(-)
 create mode 100644 helm/dbrepo/templates/_compatibility.tpl
diff --git a/dbrepo-ui/Dockerfile b/dbrepo-ui/Dockerfile
index 14f1e57c1e..4604261abf 100644
--- a/dbrepo-ui/Dockerfile
+++ b/dbrepo-ui/Dockerfile
@@ -32,11 +32,11 @@ MAINTAINER Martin Weise <martin.weise@tuwien.ac.at>
 ARG APP_VERSION="latest"
 ARG COMMIT=""
-USER 1000
+USER 65534
 WORKDIR /app
-COPY --from=build --chown=1000:1000 /app/.output /app/.output
+COPY --from=build --chown=65534 /app/.output /app/.output
 ENV NUXT_PUBLIC_VERSION="${APP_VERSION:-}"
 ENV NUXT_PUBLIC_COMMIT="${COMMIT:-}"
diff --git a/helm/dbrepo/templates/_compatibility.tpl b/helm/dbrepo/templates/_compatibility.tpl
new file mode 100644
index 0000000000..6fc2aa8fa4
--- /dev/null
+++ b/helm/dbrepo/templates/_compatibility.tpl
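Review bot: `COPY --from=build --chown=65534 /app/.output /app/.output` now fixes only the owning uid, so the group of the copied tree is whatever the build stage left behind, and the helper added in this patch strips `runAsUser`/`runAsGroup` on OpenShift, where the container then runs as an arbitrary uid that is neither 65534 nor the owner; whether the app can read its own bundle then depends on the group/other mode bits the build stage happened to produce. Prefer an explicit group, `COPY --from=build --chown=65534:65534 /app/.output /app/.output`, and make the read bits for the non-owner case deliberate (for the OpenShift path that usually means group-readable by gid 0). In the same patch, the `ui:` block added to values.yaml pins `runAsUser: 1000`, `runAsGroup: 1000` and `fsGroup: 1000`, which no longer matches this image's `USER 65534` — on a plain Kubernetes cluster the UI process would run as uid 1000 over files owned by 65534 — so either align that block to 65534 or keep the image at 1000.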
@@ -0,0 +1,42 @@
+{{/*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Return true if the detected platform is Openshift
+Usage:
+{{- include "common.compatibility.isOpenshift" . -}}
+*/}}
+{{- define "common.compatibility.isOpenshift" -}}
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
+{{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC
+Usage:
+{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}}
+*/}}
+{{- define "common.compatibility.renderSecurityContext" -}}
+{{- $adaptedContext := .secContext -}}
+
+{{- if (((.context.Values.global).compatibility).openshift) -}}
+ {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}}
+ {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}}
+ {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
+ {{- if not .secContext.seLinuxOptions -}}
+ {{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}}
+ {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+{{/* Remove fields that are disregarded when running the container in privileged mode */}}
+{{- if $adaptedContext.privileged -}}
+ {{- $adaptedContext = omit $adaptedContext "capabilities" "seLinuxOptions" -}}
+{{- end -}}
+{{- omit $adaptedContext "enabled" | toYaml -}}
+{{- end -}}
\ No newline at end of file
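Review bot: `renderSecurityContext` only changes anything when `.context.Values.global.compatibility.openshift.adaptSecurityContext` is `force`, or `auto` on a cluster that advertises `security.openshift.io/v1`, and none of the values.yaml hunks in this patch add a `global.compatibility.openshift` block — so unless that key lives in a part of values.yaml outside this diff, the OpenShift adaptation the commit is titled for never runs and the hard-coded uids are still emitted. Suggest adding a documented default next to the other globals, `## @param global.compatibility.openshift.adaptSecurityContext auto (adapt when an OpenShift cluster is detected), force (always adapt) or any other value (never adapt)` with `adaptSecurityContext: auto`. The header comment above the define would also benefit from one sentence stating what survives adaptation — `runAsNonRoot`, `allowPrivilegeEscalation`, `capabilities` and `seccompProfile` are kept, only `fsGroup`, `runAsUser` and `runAsGroup` (and an empty `seLinuxOptions`) are dropped — so nobody "fixes" the OpenShift output by re-adding uids. Note that the nil-safe guard on `(((.context.Values.global).compatibility).openshift)` assumes `openshift` is a map; an override such as `openshift: true` passes the guard and then fails at render time on the `.adaptSecurityContext` field lookup, which is worth a line in the usage comment.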
diff --git a/helm/dbrepo/templates/analyse-deployment.yaml b/helm/dbrepo/templates/analyse-deployment.yaml
index 0cdb067ef7..68d43e9cee 100644
--- a/helm/dbrepo/templates/analyse-deployment.yaml
+++ b/helm/dbrepo/templates/analyse-deployment.yaml
@@ -22,25 +22,16 @@ spec:
 app: analyse-service
 service: analyse-service
 spec:
- securityContext:
- runAsNonRoot: true
- fsGroup: 1001
- runAsUser: 1001
- runAsGroup: 1001
+ {{- if .Values.analyseservice.podSecurityContext.enabled }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.analyseservice.podSecurityContext "context" $) | nindent 8 }}
+ {{- end }}
 containers:
 - name: analyse-service
 image: {{ .Values.analyseservice.image.name }}
 imagePullPolicy: {{ .Values.analyseservice.image.pullPolicy | default "IfNotPresent" }}
- securityContext:
- allowPrivilegeEscalation: false
- runAsNonRoot: true
- runAsUser: 1001
- runAsGroup: 1001
- seccompProfile:
- type: {{ .Values.analyseservice.profileType | default "RuntimeDefault" }}
- capabilities:
- drop:
- - ALL
+ {{- if .Values.analyseservice.containerSecurityContext.enabled }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.analyseservice.containerSecurityContext "context" $) | nindent 12 }}
+ {{- end }}
 ports:
 - containerPort: 8080
 protocol: TCP
@@ -63,4 +54,7 @@ spec:
 - "curl -sSL localhost:8080/health | grep 'UP' || exit 1"
 initialDelaySeconds: 10
 periodSeconds: 30
+ {{- if .Values.analyseservice.resources }}
+ resources: {{- toYaml .Values.analyseservice.resources | nindent 12 }}
+ {{- end }}
 {{- end }}
diff --git a/helm/dbrepo/templates/data-deployment.yaml b/helm/dbrepo/templates/data-deployment.yaml
index cb8fda0991..1d9e2352bd 100644
--- a/helm/dbrepo/templates/data-deployment.yaml
+++ b/helm/dbrepo/templates/data-deployment.yaml
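Review bot: the pod-level `runAsNonRoot: true` in the removed block has no counterpart in the new `podSecurityContext` defaults (values.yaml adds only `enabled`, `fsGroupChangePolicy`, `sysctls`, `supplementalGroups` and `fsGroup`), so after this hunk the non-root guarantee exists only per container, behind `containerSecurityContext.enabled`, and a container added later without its own block — or one whose block is switched off in an override — has no floor at all. Keep `runAsNonRoot: true` in each service's `podSecurityContext` in values.yaml; the helper's OpenShift path omits only `fsGroup`, `runAsUser` and `runAsGroup`, so the field survives adaptation. The same applies to the data, metadata, search and ui deployment hunks. Separately, `.Values.analyseservice.podSecurityContext.enabled` is dereferenced with no nil guard, so an override that sets `podSecurityContext: null` aborts rendering with a nil-pointer error instead of simply emitting no context; `{{- if (.Values.analyseservice.podSecurityContext).enabled }}` (the same nil-safe form the new `_compatibility.tpl` uses) degrades gracefully. The enclosing Deployment spec begins and ends outside the hunk.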
@@ -22,25 +22,16 @@ spec:
 app: data-service
 service: data-service
 spec:
- securityContext:
- runAsNonRoot: true
- fsGroup: 65534
- runAsUser: 65534
- runAsGroup: 65534
+ {{- if .Values.dataservice.podSecurityContext.enabled }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.dataservice.podSecurityContext "context" $) | nindent 8 }}
+ {{- end }}
 containers:
 - name: data-service
 image: {{ .Values.dataservice.image.name }}
 imagePullPolicy: {{ .Values.dataservice.image.pullPolicy | default "IfNotPresent" }}
- securityContext:
- allowPrivilegeEscalation: false
- runAsNonRoot: true
- runAsUser: 65534
- runAsGroup: 65534
- seccompProfile:
- type: {{ .Values.dataservice.profileType | default "RuntimeDefault" }}
- capabilities:
- drop:
- - ALL
+ {{- if .Values.dataservice.containerSecurityContext.enabled }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.dataservice.containerSecurityContext "context" $) | nindent 12 }}
+ {{- end }}
 ports:
 - containerPort: 80
 protocol: TCP
@@ -63,6 +54,9 @@ spec:
 - "curl -sSL localhost:8080/actuator/health/liveness | grep 'UP' || exit 1"
 initialDelaySeconds: 30
 periodSeconds: 30
+ {{- if .Values.dataservice.resources }}
+ resources: {{- toYaml .Values.dataservice.resources | nindent 12 }}
+ {{- end }}
 volumeMounts: []
 volumes: []
 {{- end }}
diff --git a/helm/dbrepo/templates/metadata-deployment.yaml b/helm/dbrepo/templates/metadata-deployment.yaml
index 7c78f853e6..4d16efb68b 100644
--- a/helm/dbrepo/templates/metadata-deployment.yaml
+++ b/helm/dbrepo/templates/metadata-deployment.yaml
@@ -22,25 +22,16 @@ spec:
 app: metadata-service
 service: metadata-service
 spec:
- securityContext:
- runAsNonRoot: true
- fsGroup: 65534
- runAsUser: 65534
- runAsGroup: 65534
+ {{- if .Values.metadataservice.podSecurityContext.enabled }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metadataservice.podSecurityContext "context" $) | nindent 8 }}
+ {{- end }}
 containers:
 - name: metadata-service
 image: {{ .Values.metadataservice.image.name }}
 imagePullPolicy: {{ .Values.metadataservice.image.pullPolicy | default "IfNotPresent" }}
- securityContext:
- allowPrivilegeEscalation: false
- runAsNonRoot: true
- runAsUser: 65534
- runAsGroup: 65534
- seccompProfile:
- type: {{ .Values.metadataservice.profileType | default "RuntimeDefault" }}
- capabilities:
- drop:
- - ALL
+ {{- if .Values.metadataservice.containerSecurityContext.enabled }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metadataservice.containerSecurityContext "context" $) | nindent 12 }}
+ {{- end }}
 ports:
 - containerPort: 80
 protocol: TCP
@@ -63,4 +54,7 @@ spec:
 - "curl -sSL localhost:8080/actuator/health/liveness | grep 'UP' || exit 1"
 initialDelaySeconds: 30
 periodSeconds: 30
+ {{- if .Values.metadataservice.resources }}
+ resources: {{- toYaml .Values.metadataservice.resources | nindent 12 }}
+ {{- end }}
 {{- end }}
diff --git a/helm/dbrepo/templates/search-deployment.yaml b/helm/dbrepo/templates/search-deployment.yaml
index bd937c6650..6ba54abfca 100644
--- a/helm/dbrepo/templates/search-deployment.yaml
+++ b/helm/dbrepo/templates/search-deployment.yaml
@@ -22,25 +22,16 @@ spec:
 app: search-service
 service: search-service
 spec:
- securityContext:
- runAsNonRoot: true
- fsGroup: 1001
- runAsUser: 1001
- runAsGroup: 1001
+ {{- if .Values.searchservice.podSecurityContext.enabled }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.searchservice.podSecurityContext "context" $) | nindent 8 }}
+ {{- end }}
 initContainers:
 - name: init
 image: {{ .Values.searchservice.init.image.name }}
 imagePullPolicy: {{ .Values.searchservice.init.image.pullPolicy | default "IfNotPresent" }}
- securityContext:
- allowPrivilegeEscalation: false
- runAsNonRoot: true
- runAsUser: 1001
- runAsGroup: 1001
- seccompProfile:
- type: {{ .Values.searchservice.profileType | default "RuntimeDefault" }}
- capabilities:
- drop:
- - ALL
+ {{- if .Values.searchservice.containerSecurityContext.enabled }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.searchservice.containerSecurityContext "context" $) | nindent 12 }}
+ {{- end }}
 envFrom:
 - secretRef:
 name: search-service-secret
@@ -80,6 +71,9 @@ spec:
 - "curl -sSL localhost:8080/health | grep 'UP' || exit 1"
 initialDelaySeconds: 10
 periodSeconds: 30
+ {{- if .Values.searchservice.resources }}
+ resources: {{- toYaml .Values.searchservice.resources | nindent 12 }}
+ {{- end }}
 volumeMounts: [ ]
 volumes: [ ]
 {{- end }}
diff --git a/helm/dbrepo/templates/ui-deployment.yaml b/helm/dbrepo/templates/ui-deployment.yaml
index 3f8c042579..64cea9bf10 100644
--- a/helm/dbrepo/templates/ui-deployment.yaml
+++ b/helm/dbrepo/templates/ui-deployment.yaml
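Review bot: this hunk attaches `containerSecurityContext` to the `init` container only; the main `search-service` container sits outside the hunk and, since the 24 changed lines in the diffstat for this file are fully accounted for by the two hunks shown, it was not touched — so it either kept a hard-coded context that now disagrees with values.yaml or has none, and from here one cannot tell which. Give that container the same guarded include, `{{- if .Values.searchservice.containerSecurityContext.enabled }}` / `securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.searchservice.containerSecurityContext "context" $) | nindent 12 }}` / `{{- end }}`, so the whole pod is governed by one set of values. Note too that the searchservice values set `readOnlyRootFilesystem: true`, unlike every other service in this patch, so if the init step writes anything it must target a mounted volume to keep working. The Deployment spec continues outside the hunk.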
@@ -22,22 +22,16 @@ spec:
 app: ui
 service: ui
 spec:
- securityContext:
- runAsNonRoot: true
- fsGroup: 1000
- runAsUser: 1000
- runAsGroup: 1000
+ {{- if .Values.ui.podSecurityContext.enabled }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.ui.podSecurityContext "context" $) | nindent 8 }}
+ {{- end }}
 containers:
 - name: ui
 image: {{ .Values.ui.image.name }}
 imagePullPolicy: {{ .Values.ui.image.pullPolicy | default "IfNotPresent" }}
- securityContext:
- allowPrivilegeEscalation: false
- seccompProfile:
- type: {{ .Values.ui.profileType | default "RuntimeDefault" }}
- capabilities:
- drop:
- - ALL
+ {{- if .Values.ui.containerSecurityContext.enabled }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.ui.containerSecurityContext "context" $) | nindent 12 }}
+ {{- end }}
 ports:
 - containerPort: 3000
 protocol: TCP
@@ -143,6 +137,9 @@ spec:
 port: 3000
 initialDelaySeconds: 30
 periodSeconds: 30
+ {{- if .Values.ui.resources }}
+ resources: {{- toYaml .Values.ui.resources | nindent 12 }}
+ {{- end }}
 volumes:
 {{- if .Values.ui.extraVolumes }}
 {{- .Values.ui.extraVolumes | toYaml | nindent 8 }}
diff --git a/helm/dbrepo/values.yaml b/helm/dbrepo/values.yaml
index ba86f30cb7..37def836c8 100644
--- a/helm/dbrepo/values.yaml
+++ b/helm/dbrepo/values.yaml
@@ -336,6 +336,32 @@ analyseservice:
 pullPolicy: Always
 ## @param analyseservice.image.debug Set the logging level to `trace`. Otherwise, set to `info`.
 debug: false
+ podSecurityContext:
+ enabled: true
+ fsGroupChangePolicy: Always
+ sysctls: [ ]
+ supplementalGroups: [ ]
+ fsGroup: 1001
+ containerSecurityContext:
+ enabled: true
+ seLinuxOptions: null
+ runAsUser: 1001
+ runAsGroup: 1001
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
+ capabilities:
+ drop: [ "ALL" ]
+ seccompProfile:
+ type: "RuntimeDefault"
+ resources:
+ requests:
+ cpu: 250m
+ memory: 512Mi
+ limits:
+ cpu: 500m
+ memory: 2048Mi
+
 ## @param analyseservice.endpoint The url of the endpoint.
 endpoint: http://analyse-service
 s3:
@@ -356,6 +382,31 @@ metadataservice:
 pullPolicy: Always
 ## @param metadataservice.image.debug Set the logging level to `trace`. Otherwise, set to `info`.
 debug: false
+ podSecurityContext:
+ enabled: true
+ fsGroupChangePolicy: Always
+ sysctls: [ ]
+ supplementalGroups: [ ]
+ fsGroup: 1001
+ containerSecurityContext:
+ enabled: true
+ seLinuxOptions: null
+ runAsUser: 1001
+ runAsGroup: 1001
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
+ capabilities:
+ drop: [ "ALL" ]
+ seccompProfile:
+ type: "RuntimeDefault"
+ resources:
+ requests:
+ cpu: 250m
+ memory: 512Mi
+ limits:
+ cpu: 1000m
+ memory: 2048Mi
 ## @param metadataservice.endpoint The Metadata Service endpoint.
 endpoint: http://metadata-service
 admin:
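Review bot: `runAsUser: 1001`, `runAsGroup: 1001` and `fsGroup: 1001` in the new `metadataservice` block replace a deployment that until this commit ran as 65534 (see the removed lines in the metadata-deployment hunk), and the `dataservice` block in the next hunk does the same; if those images declare `USER 65534`, as the UI image in this patch does, the process now runs as an uid that owns nothing in the image, and because the OpenShift path of the helper drops these three fields the mismatch surfaces only on plain Kubernetes. Either restore 65534 in those two blocks or confirm the images' `USER` and their writable paths match 1001. Separately, none of the new keys carry the `## @param` lines the rest of this file uses (compare the `analyseservice.image.debug` line just above), so they stay out of the generated parameter table; a line per key such as `## @param metadataservice.containerSecurityContext.runAsUser UID the container runs as (dropped on OpenShift)` would fix that here and in the dataservice, searchservice and ui hunks.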
@@ -410,6 +461,31 @@ dataservice:
 pullPolicy: Always
 ## @param dataservice.image.debug Set the logging level to `trace`. Otherwise, set to `info`.
 debug: false
+ podSecurityContext:
+ enabled: true
+ fsGroupChangePolicy: Always
+ sysctls: [ ]
+ supplementalGroups: [ ]
+ fsGroup: 1001
+ containerSecurityContext:
+ enabled: true
+ seLinuxOptions: null
+ runAsUser: 1001
+ runAsGroup: 1001
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
+ capabilities:
+ drop: [ "ALL" ]
+ seccompProfile:
+ type: "RuntimeDefault"
+ resources:
+ requests:
+ cpu: 250m
+ memory: 512Mi
+ limits:
+ cpu: 1000m
+ memory: 2048Mi
 grant:
 ## @param dataservice.grant.read The default database permissions for users with read access.
 read: SELECT
@@ -465,6 +541,31 @@ searchservice:
 pullPolicy: Always
 ## @param searchservice.image.debug Set the logging level to `trace`. Otherwise, set to `info`.
 debug: false
+ podSecurityContext:
+ enabled: true
+ fsGroupChangePolicy: Always
+ sysctls: [ ]
+ supplementalGroups: [ ]
+ fsGroup: 1001
+ containerSecurityContext:
+ enabled: true
+ seLinuxOptions: null
+ runAsUser: 1001
+ runAsGroup: 1001
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop: [ "ALL" ]
+ seccompProfile:
+ type: "RuntimeDefault"
+ resources:
+ requests:
+ cpu: 250m
+ memory: 512Mi
+ limits:
+ cpu: 1000m
+ memory: 2048Mi
 ## @skip searchservice.init
 init:
 image:
@@ -583,6 +684,31 @@ ui:
 pullPolicy: Always
 ## @param ui.image.debug Set the logging level to `trace`. Otherwise, set to `info`.
 debug: false
+ podSecurityContext:
+ enabled: true
+ fsGroupChangePolicy: Always
+ sysctls: [ ]
+ supplementalGroups: [ ]
+ fsGroup: 1000
+ containerSecurityContext:
+ enabled: true
+ seLinuxOptions: null
+ runAsUser: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
+ capabilities:
+ drop: [ "ALL" ]
+ seccompProfile:
+ type: "RuntimeDefault"
+ resources:
+ requests:
+ cpu: 250m
+ memory: 512Mi
+ limits:
+ cpu: 1000m
+ memory: 2048Mi
 public:
 api:
 ## @param ui.public.api.client The endpoint for the client api.
-- 
GitLab