Fixed privilege escalation policies and shared volume storage class

c724d5ca · Martin Weise · 5a3da104 · c724d5ca · c724d5ca · c724d5ca
Verified Commit c724d5ca authored 1 year ago by Martin Weise
--- a/helm-charts/dbrepo/templates/analyse-service/deployment.yaml
+++ b/helm-charts/dbrepo/templates/analyse-service/deployment.yaml
@@ -31,6 +31,11 @@ spec:
        - name: analyse-service
          image: {{ .Values.analyseService.image.name }}
          imagePullPolicy: {{ .Values.analyseService.image.pullPolicy | default "IfNotPresent" }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
          ports:
            - containerPort: 5000
              protocol: TCP

--- a/helm-charts/dbrepo/templates/data-db/pvc.yaml
+++ b/helm-charts/dbrepo/templates/data-db/pvc.yaml
@@ -3,7 +3,9 @@ kind: PersistentVolumeClaim
 metadata:
  name: data-db-shared
 spec:
+  {{- if .Values.dataDbSidecar.persistence.storageClass }}
  storageClassName: {{ .Values.dataDbSidecar.persistence.storageClass }}
+  {{- end }}
  accessModes:
    - ReadWriteMany
  resources:

--- a/helm-charts/dbrepo/templates/metadata-service/deployment.yaml
+++ b/helm-charts/dbrepo/templates/metadata-service/deployment.yaml
@@ -34,6 +34,10 @@ spec:
          securityContext:
            runAsUser: 1000
            runAsGroup: 1000
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
          ports:
            - containerPort: 9099
              protocol: TCP

--- a/helm-charts/dbrepo/templates/search-service/deployment.yaml
+++ b/helm-charts/dbrepo/templates/search-service/deployment.yaml
@@ -31,6 +31,11 @@ spec:
        - name: search-service
          image: {{ .Values.searchService.image.name }}
          imagePullPolicy: {{ .Values.searchService.image.pullPolicy | default "IfNotPresent" }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
          ports:
            - containerPort: 4000
              protocol: TCP

--- a/helm-charts/dbrepo/templates/ui/deployment.yaml
+++ b/helm-charts/dbrepo/templates/ui/deployment.yaml
@@ -31,6 +31,11 @@ spec:
        - name: ui
          image: {{ .Values.ui.image.name }}
          imagePullPolicy: {{ .Values.ui.image.pullPolicy | default "IfNotPresent" }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
          ports:
            - containerPort: 3000
              protocol: TCP

--- a/helm-charts/dbrepo/templates/upload-service/deployment.yaml
+++ b/helm-charts/dbrepo/templates/upload-service/deployment.yaml
@@ -31,6 +31,11 @@ spec:
        - name: upload-service
          image: {{ printf "%s/%s:%s" .Values.uploadService.image.registry .Values.uploadService.image.repository .Values.uploadService.image.tag }}
          imagePullPolicy: {{ .Values.uploadService.image.pullPolicy | default "IfNotPresent" }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
          env:
            - name: AWS_ACCESS_KEY_ID
              valueFrom:

--- a/helm-charts/dbrepo/values.yaml
+++ b/helm-charts/dbrepo/values.yaml
@@ -154,7 +154,7 @@ dataDb:

 dataDbSidecar:
  persistence:
-    storageClass: ""
+    storageClass:

 searchdb:
  fullnameOverride: search-db