Added correct securityconfig for openshift

dbrepo-ui/Dockerfile

@@ -32,11 +32,11 @@ MAINTAINER Martin Weise <martin.weise@tuwien.ac.at>
 ARG APP_VERSION="latest"
 ARG COMMIT=""
 
-USER 1000
+USER 65534
 
 WORKDIR /app
 
-COPY --from=build --chown=1000:1000 /app/.output /app/.output
+COPY --from=build --chown=65534 /app/.output /app/.output
 
 ENV NUXT_PUBLIC_VERSION="${APP_VERSION:-}"
 ENV NUXT_PUBLIC_COMMIT="${COMMIT:-}"

helm/dbrepo/templates/_compatibility.tpl

+{{/*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Return true if the detected platform is Openshift
+Usage:
+{{- include "common.compatibility.isOpenshift" . -}}
+*/}}
+{{- define "common.compatibility.isOpenshift" -}}
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
+{{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC
+Usage:
+{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}}
+*/}}
+{{- define "common.compatibility.renderSecurityContext" -}}
+{{- $adaptedContext := .secContext -}}
+
+{{- if (((.context.Values.global).compatibility).openshift) -}}
+  {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}}
+    {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}}
+    {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
+    {{- if not .secContext.seLinuxOptions -}}
+    {{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}}
+    {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+{{/* Remove fields that are disregarded when running the container in privileged mode */}}
+{{- if $adaptedContext.privileged -}}
+  {{- $adaptedContext = omit $adaptedContext "capabilities" "seLinuxOptions" -}}
+{{- end -}}
+{{- omit $adaptedContext "enabled" | toYaml -}}
+{{- end -}}
\ No newline at end of file

helm/dbrepo/templates/analyse-deployment.yaml

@@ -22,25 +22,16 @@ spec:
         app: analyse-service
         service: analyse-service
     spec:
-      securityContext:
-        runAsNonRoot: true
-        fsGroup: 1001
-        runAsUser: 1001
-        runAsGroup: 1001
+      {{- if .Values.analyseservice.podSecurityContext.enabled }}
+      securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.analyseservice.podSecurityContext "context" $) | nindent 8 }}
+      {{- end }}
       containers:
         - name: analyse-service
           image: {{ .Values.analyseservice.image.name }}
           imagePullPolicy: {{ .Values.analyseservice.image.pullPolicy | default "IfNotPresent" }}
-          securityContext:
-            allowPrivilegeEscalation: false
-            runAsNonRoot: true
-            runAsUser: 1001
-            runAsGroup: 1001
-            seccompProfile:
-              type: {{ .Values.analyseservice.profileType | default "RuntimeDefault" }}
-            capabilities:
-              drop:
-                - ALL
+          {{- if .Values.analyseservice.containerSecurityContext.enabled }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.analyseservice.containerSecurityContext "context" $) | nindent 12 }}
+          {{- end }}
           ports:
             - containerPort: 8080
               protocol: TCP
@@ -63,4 +54,7 @@ spec:
                 - "curl -sSL localhost:8080/health | grep 'UP' || exit 1"
             initialDelaySeconds: 10
             periodSeconds: 30
+          {{- if .Values.analyseservice.resources }}
+          resources: {{- toYaml .Values.analyseservice.resources | nindent 12 }}
+          {{- end }}
 {{- end }}

helm/dbrepo/templates/data-deployment.yaml

@@ -22,25 +22,16 @@ spec:
         app: data-service
         service: data-service
     spec:
-      securityContext:
-        runAsNonRoot: true
-        fsGroup: 65534
-        runAsUser: 65534
-        runAsGroup: 65534
+      {{- if .Values.dataservice.podSecurityContext.enabled }}
+      securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.dataservice.podSecurityContext "context" $) | nindent 8 }}
+      {{- end }}
       containers:
         - name: data-service
           image: {{ .Values.dataservice.image.name }}
           imagePullPolicy: {{ .Values.dataservice.image.pullPolicy | default "IfNotPresent" }}
-          securityContext:
-            allowPrivilegeEscalation: false
-            runAsNonRoot: true
-            runAsUser: 65534
-            runAsGroup: 65534
-            seccompProfile:
-              type: {{ .Values.dataservice.profileType | default "RuntimeDefault" }}
-            capabilities:
-              drop:
-                - ALL
+          {{- if .Values.dataservice.containerSecurityContext.enabled }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.dataservice.containerSecurityContext "context" $) | nindent 12 }}
+          {{- end }}
           ports:
             - containerPort: 80
               protocol: TCP
@@ -63,6 +54,9 @@ spec:
                 - "curl -sSL localhost:8080/actuator/health/liveness | grep 'UP' || exit 1"
             initialDelaySeconds: 30
             periodSeconds: 30
+          {{- if .Values.dataservice.resources }}
+          resources: {{- toYaml .Values.dataservice.resources | nindent 12 }}
+          {{- end }}
           volumeMounts: []
       volumes: []
 {{- end }}

helm/dbrepo/templates/metadata-deployment.yaml

@@ -22,25 +22,16 @@ spec:
         app: metadata-service
         service: metadata-service
     spec:
-      securityContext:
-        runAsNonRoot: true
-        fsGroup: 65534
-        runAsUser: 65534
-        runAsGroup: 65534
+      {{- if .Values.metadataservice.podSecurityContext.enabled }}
+      securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metadataservice.podSecurityContext "context" $) | nindent 8 }}
+      {{- end }}
       containers:
         - name: metadata-service
           image: {{ .Values.metadataservice.image.name }}
           imagePullPolicy: {{ .Values.metadataservice.image.pullPolicy | default "IfNotPresent" }}
-          securityContext:
-            allowPrivilegeEscalation: false
-            runAsNonRoot: true
-            runAsUser: 65534
-            runAsGroup: 65534
-            seccompProfile:
-              type: {{ .Values.metadataservice.profileType | default "RuntimeDefault" }}
-            capabilities:
-              drop:
-                - ALL
+          {{- if .Values.metadataservice.containerSecurityContext.enabled }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metadataservice.containerSecurityContext "context" $) | nindent 12 }}
+          {{- end }}
           ports:
             - containerPort: 80
               protocol: TCP
@@ -63,4 +54,7 @@ spec:
                 - "curl -sSL localhost:8080/actuator/health/liveness | grep 'UP' || exit 1"
             initialDelaySeconds: 30
             periodSeconds: 30
+          {{- if .Values.metadataservice.resources }}
+          resources: {{- toYaml .Values.metadataservice.resources | nindent 12 }}
+          {{- end }}
 {{- end }}

helm/dbrepo/templates/search-deployment.yaml

@@ -22,25 +22,16 @@ spec:
         app: search-service
         service: search-service
     spec:
-      securityContext:
-        runAsNonRoot: true
-        fsGroup: 1001
-        runAsUser: 1001
-        runAsGroup: 1001
+      {{- if .Values.searchservice.podSecurityContext.enabled }}
+      securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.searchservice.podSecurityContext "context" $) | nindent 8 }}
+      {{- end }}
       initContainers:
         - name: init
           image: {{ .Values.searchservice.init.image.name }}
           imagePullPolicy: {{ .Values.searchservice.init.image.pullPolicy | default "IfNotPresent" }}
-          securityContext:
-            allowPrivilegeEscalation: false
-            runAsNonRoot: true
-            runAsUser: 1001
-            runAsGroup: 1001
-            seccompProfile:
-              type: {{ .Values.searchservice.profileType | default "RuntimeDefault" }}
-            capabilities:
-              drop:
-                - ALL
+          {{- if .Values.searchservice.containerSecurityContext.enabled }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.searchservice.containerSecurityContext "context" $) | nindent 12 }}
+          {{- end }}
           envFrom:
             - secretRef:
                 name: search-service-secret
@@ -80,6 +71,9 @@ spec:
                 - "curl -sSL localhost:8080/health | grep 'UP' || exit 1"
             initialDelaySeconds: 10
             periodSeconds: 30
+          {{- if .Values.searchservice.resources }}
+          resources: {{- toYaml .Values.searchservice.resources | nindent 12 }}
+          {{- end }}
           volumeMounts: [ ]
       volumes: [ ]
 {{- end }}

helm/dbrepo/templates/ui-deployment.yaml

@@ -22,22 +22,16 @@ spec:
         app: ui
         service: ui
     spec:
-      securityContext:
-        runAsNonRoot: true
-        fsGroup: 1000
-        runAsUser: 1000
-        runAsGroup: 1000
+      {{- if .Values.ui.podSecurityContext.enabled }}
+      securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.ui.podSecurityContext "context" $) | nindent 8 }}
+      {{- end }}
       containers:
         - name: ui
           image: {{ .Values.ui.image.name }}
           imagePullPolicy: {{ .Values.ui.image.pullPolicy | default "IfNotPresent" }}
-          securityContext:
-            allowPrivilegeEscalation: false
-            seccompProfile:
-              type: {{ .Values.ui.profileType | default "RuntimeDefault" }}
-            capabilities:
-              drop:
-                - ALL
+          {{- if .Values.ui.containerSecurityContext.enabled }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.ui.containerSecurityContext "context" $) | nindent 12 }}
+          {{- end }}
           ports:
             - containerPort: 3000
               protocol: TCP
@@ -143,6 +137,9 @@ spec:
               port: 3000
             initialDelaySeconds: 30
             periodSeconds: 30
+          {{- if .Values.ui.resources }}
+          resources: {{- toYaml .Values.ui.resources | nindent 12 }}
+          {{- end }}
       volumes:
         {{- if .Values.ui.extraVolumes }}
         {{- .Values.ui.extraVolumes | toYaml | nindent 8 }}

helm/dbrepo/values.yaml

@@ -336,6 +336,32 @@ analyseservice:
     pullPolicy: Always
     ## @param analyseservice.image.debug Set the logging level to `trace`. Otherwise, set to `info`.
     debug: false
+  podSecurityContext:
+    enabled: true
+    fsGroupChangePolicy: Always
+    sysctls: [ ]
+    supplementalGroups: [ ]
+    fsGroup: 1001
+  containerSecurityContext:
+    enabled: true
+    seLinuxOptions: null
+    runAsUser: 1001
+    runAsGroup: 1001
+    runAsNonRoot: true
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: false
+    capabilities:
+      drop: [ "ALL" ]
+    seccompProfile:
+      type: "RuntimeDefault"
+  resources:
+    requests:
+      cpu: 250m
+      memory: 512Mi
+    limits:
+      cpu: 500m
+      memory: 2048Mi
+
   ## @param analyseservice.endpoint The url of the endpoint.
   endpoint: http://analyse-service
   s3:
@@ -356,6 +382,31 @@ metadataservice:
     pullPolicy: Always
     ## @param metadataservice.image.debug Set the logging level to `trace`. Otherwise, set to `info`.
     debug: false
+  podSecurityContext:
+    enabled: true
+    fsGroupChangePolicy: Always
+    sysctls: [ ]
+    supplementalGroups: [ ]
+    fsGroup: 1001
+  containerSecurityContext:
+    enabled: true
+    seLinuxOptions: null
+    runAsUser: 1001
+    runAsGroup: 1001
+    runAsNonRoot: true
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: false
+    capabilities:
+      drop: [ "ALL" ]
+    seccompProfile:
+      type: "RuntimeDefault"
+  resources:
+    requests:
+      cpu: 250m
+      memory: 512Mi
+    limits:
+      cpu: 1000m
+      memory: 2048Mi
   ## @param metadataservice.endpoint The Metadata Service endpoint.
   endpoint: http://metadata-service
   admin:
@@ -410,6 +461,31 @@ dataservice:
     pullPolicy: Always
     ## @param dataservice.image.debug Set the logging level to `trace`. Otherwise, set to `info`.
     debug: false
+  podSecurityContext:
+    enabled: true
+    fsGroupChangePolicy: Always
+    sysctls: [ ]
+    supplementalGroups: [ ]
+    fsGroup: 1001
+  containerSecurityContext:
+    enabled: true
+    seLinuxOptions: null
+    runAsUser: 1001
+    runAsGroup: 1001
+    runAsNonRoot: true
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: false
+    capabilities:
+      drop: [ "ALL" ]
+    seccompProfile:
+      type: "RuntimeDefault"
+  resources:
+    requests:
+      cpu: 250m
+      memory: 512Mi
+    limits:
+      cpu: 1000m
+      memory: 2048Mi
   grant:
     ## @param dataservice.grant.read The default database permissions for users with read access.
     read: SELECT
@@ -465,6 +541,31 @@ searchservice:
     pullPolicy: Always
     ## @param searchservice.image.debug Set the logging level to `trace`. Otherwise, set to `info`.
     debug: false
+  podSecurityContext:
+    enabled: true
+    fsGroupChangePolicy: Always
+    sysctls: [ ]
+    supplementalGroups: [ ]
+    fsGroup: 1001
+  containerSecurityContext:
+    enabled: true
+    seLinuxOptions: null
+    runAsUser: 1001
+    runAsGroup: 1001
+    runAsNonRoot: true
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+    capabilities:
+      drop: [ "ALL" ]
+    seccompProfile:
+      type: "RuntimeDefault"
+  resources:
+    requests:
+      cpu: 250m
+      memory: 512Mi
+    limits:
+      cpu: 1000m
+      memory: 2048Mi
   ## @skip searchservice.init
   init:
     image:
@@ -583,6 +684,31 @@ ui:
     pullPolicy: Always
     ## @param ui.image.debug Set the logging level to `trace`. Otherwise, set to `info`.
     debug: false
+  podSecurityContext:
+    enabled: true
+    fsGroupChangePolicy: Always
+    sysctls: [ ]
+    supplementalGroups: [ ]
+    fsGroup: 1000
+  containerSecurityContext:
+    enabled: true
+    seLinuxOptions: null
+    runAsUser: 1000
+    runAsGroup: 1000
+    runAsNonRoot: true
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: false
+    capabilities:
+      drop: [ "ALL" ]
+    seccompProfile:
+      type: "RuntimeDefault"
+  resources:
+    requests:
+      cpu: 250m
+      memory: 512Mi
+    limits:
+      cpu: 1000m
+      memory: 2048Mi
   public:
     api:
       ## @param ui.public.api.client The endpoint for the client api.