From c724d5caa5636745bf64a32ca067df81ead4aa24 Mon Sep 17 00:00:00 2001
From: Martin Weise <martin.weise@tuwien.ac.at>
Date: Tue, 9 Apr 2024 12:40:43 +0200
Subject: [PATCH] Fixed privilege escalation policies and shared volume storage
 class

---
 .../dbrepo/templates/analyse-service/deployment.yaml     | 5 +++++
 helm-charts/dbrepo/templates/data-db/pvc.yaml            | 2 ++
 .../dbrepo/templates/metadata-service/deployment.yaml    | 4 ++++
 .../dbrepo/templates/search-service/deployment.yaml      | 9 +++++++--
 helm-charts/dbrepo/templates/ui/deployment.yaml          | 5 +++++
 .../dbrepo/templates/upload-service/deployment.yaml      | 5 +++++
 helm-charts/dbrepo/values.yaml                           | 2 +-
 7 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/helm-charts/dbrepo/templates/analyse-service/deployment.yaml b/helm-charts/dbrepo/templates/analyse-service/deployment.yaml
index c15d67377f..1a4bef34d6 100644
--- a/helm-charts/dbrepo/templates/analyse-service/deployment.yaml
+++ b/helm-charts/dbrepo/templates/analyse-service/deployment.yaml
@@ -31,6 +31,11 @@ spec:
         - name: analyse-service
           image: {{ .Values.analyseService.image.name }}
           imagePullPolicy: {{ .Values.analyseService.image.pullPolicy | default "IfNotPresent" }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
           ports:
             - containerPort: 5000
               protocol: TCP
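Review bot: The new securityContext on analyse-service drops all capabilities and forbids privilege escalation but does not set runAsNonRoot, so if the image's default user is root the container still starts as uid 0 with nothing in the chart preventing it; the identical block is added to search-service, ui and upload-service in this commit, and metadata-service pins runAsUser/runAsGroup but likewise lacks runAsNonRoot. Adding `runAsNonRoot: true` (and `seccompProfile:` with `type: RuntimeDefault`, plus `readOnlyRootFilesystem: true` where the image tolerates it) is what the Kubernetes restricted Pod Security Standard expects alongside the two fields added here. Whether each image actually runs as a non-root user cannot be seen from the hunk, so that should be verified against the images before enabling runAsNonRoot.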
diff --git a/helm-charts/dbrepo/templates/data-db/pvc.yaml b/helm-charts/dbrepo/templates/data-db/pvc.yaml
index ef89c2ad56..dd0dc69aea 100644
--- a/helm-charts/dbrepo/templates/data-db/pvc.yaml
+++ b/helm-charts/dbrepo/templates/data-db/pvc.yaml
@@ -3,7 +3,9 @@ kind: PersistentVolumeClaim
 metadata:
   name: data-db-shared
 spec:
+  {{- if .Values.dataDbSidecar.persistence.storageClass }}
   storageClassName: {{ .Values.dataDbSidecar.persistence.storageClass }}
+  {{- end }}
   accessModes:
     - ReadWriteMany
   resources:
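Review bot: The `{{- if }}` guard changes what an empty storageClass means: previously `storageClass: ""` rendered `storageClassName: ""`, which tells Kubernetes to bind only to a PersistentVolume with no class (no dynamic provisioning), whereas omitting the key now selects the cluster's default StorageClass. Operators who used the empty-string form to pin a statically provisioned volume lose that option, because the template treats `""` and null alike. If that case should stay supported, test for null rather than falsiness, e.g. `{{- if not (kindIs "invalid" .Values.dataDbSidecar.persistence.storageClass) }}`, so `""` still renders; otherwise the new behaviour should be stated in the chart documentation. The default class must also support the ReadWriteMany access mode requested below, which this change cannot guarantee; the matching values.yaml default is changed in the same commit.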
diff --git a/helm-charts/dbrepo/templates/metadata-service/deployment.yaml b/helm-charts/dbrepo/templates/metadata-service/deployment.yaml
index 6dfab3ed21..3f5a9798a7 100644
--- a/helm-charts/dbrepo/templates/metadata-service/deployment.yaml
+++ b/helm-charts/dbrepo/templates/metadata-service/deployment.yaml
@@ -34,6 +34,10 @@ spec:
           securityContext:
             runAsUser: 1000
             runAsGroup: 1000
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
           ports:
             - containerPort: 9099
               protocol: TCP
diff --git a/helm-charts/dbrepo/templates/search-service/deployment.yaml b/helm-charts/dbrepo/templates/search-service/deployment.yaml
index 30a0441b15..165f6809b6 100644
--- a/helm-charts/dbrepo/templates/search-service/deployment.yaml
+++ b/helm-charts/dbrepo/templates/search-service/deployment.yaml
@@ -31,6 +31,11 @@ spec:
         - name: search-service
           image: {{ .Values.searchService.image.name }}
           imagePullPolicy: {{ .Values.searchService.image.pullPolicy | default "IfNotPresent" }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
           ports:
             - containerPort: 4000
               protocol: TCP
@@ -76,6 +81,6 @@ spec:
                 - "curl -sSL localhost:4000/health | grep 'UP' || exit 1"
             initialDelaySeconds: 10
             periodSeconds: 30
-          volumeMounts: []
-      volumes: []
+          volumeMounts: [ ]
+      volumes: [ ]
 {{- end }}
diff --git a/helm-charts/dbrepo/templates/ui/deployment.yaml b/helm-charts/dbrepo/templates/ui/deployment.yaml
index 47a0217ad5..975185e4cc 100644
--- a/helm-charts/dbrepo/templates/ui/deployment.yaml
+++ b/helm-charts/dbrepo/templates/ui/deployment.yaml
@@ -31,6 +31,11 @@ spec:
         - name: ui
           image: {{ .Values.ui.image.name }}
           imagePullPolicy: {{ .Values.ui.image.pullPolicy | default "IfNotPresent" }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
           ports:
             - containerPort: 3000
               protocol: TCP
diff --git a/helm-charts/dbrepo/templates/upload-service/deployment.yaml b/helm-charts/dbrepo/templates/upload-service/deployment.yaml
index d9e30c0893..20fbb6b4ef 100644
--- a/helm-charts/dbrepo/templates/upload-service/deployment.yaml
+++ b/helm-charts/dbrepo/templates/upload-service/deployment.yaml
@@ -31,6 +31,11 @@ spec:
         - name: upload-service
           image: {{ printf "%s/%s:%s" .Values.uploadService.image.registry .Values.uploadService.image.repository .Values.uploadService.image.tag }}
           imagePullPolicy: {{ .Values.uploadService.image.pullPolicy | default "IfNotPresent" }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
           env:
             - name: AWS_ACCESS_KEY_ID
               valueFrom:
diff --git a/helm-charts/dbrepo/values.yaml b/helm-charts/dbrepo/values.yaml
index 4379910ee8..e2d28a8bba 100644
--- a/helm-charts/dbrepo/values.yaml
+++ b/helm-charts/dbrepo/values.yaml
@@ -154,7 +154,7 @@ dataDb:
 
 dataDbSidecar:
   persistence:
-    storageClass: ""
+    storageClass:
 
 searchdb:
   fullnameOverride: search-db
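Review bot: `storageClass:` with no value is a bare empty scalar that parses as null; yamllint's empty-values rule flags it, and the intent (fall back to the cluster's default StorageClass) is not visible to someone editing values.yaml. Writing it as `storageClass: null  # null: use the cluster default StorageClass for the shared data-db volume` makes the contract explicit and distinguishes it from the previous `""` default. The value is consumed by the templated `if` in data-db/pvc.yaml in the same commit, so the comment should match whatever semantics that guard settles on.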
-- 
GitLab