From c0baafedb987e1ff342dfc76e46a4b9bc06e4c2f Mon Sep 17 00:00:00 2001 From: Kajot-dev Date: Fri, 22 Dec 2023 18:16:43 +0100 Subject: [PATCH] Add option to configure securityContext on both pods and containers Signed-off-by: Kajot-dev --- templates/core/core-dpl.yaml | 9 +- templates/core/core-pre-upgrade-job.yaml | 11 ++- templates/database/database-ss.yaml | 12 ++- templates/exporter/exporter-dpl.yaml | 9 +- templates/jobservice/jobservice-dpl.yaml | 9 +- templates/nginx/deployment.yaml | 9 +- templates/portal/deployment.yaml | 11 ++- templates/redis/statefulset.yaml | 9 +- templates/registry/registry-dpl.yaml | 13 ++- templates/trivy/trivy-sts.yaml | 9 +- values.yaml | 107 ++++++++++++++++++++--- 11 files changed, 162 insertions(+), 46 deletions(-) diff --git a/templates/core/core-dpl.yaml b/templates/core/core-dpl.yaml index 9a92b45a4..052e38cb0 100644 --- a/templates/core/core-dpl.yaml +++ b/templates/core/core-dpl.yaml @@ -33,9 +33,9 @@ spec: {{ toYaml .Values.core.podAnnotations | indent 8 }} {{- end }} spec: - securityContext: - runAsUser: 10000 - fsGroup: 10000 + {{- if not (empty .Values.core.podSecurityContext) }} + securityContext: {{ .Values.core.podSecurityContext | toYaml | nindent 8 }} + {{- end }} {{- if .Values.core.serviceAccountName }} serviceAccountName: {{ .Values.core.serviceAccountName }} {{- end -}} @@ -146,6 +146,9 @@ spec: {{- end }} ports: - containerPort: {{ template "harbor.core.containerPort" . }} + {{- if not (empty .Values.core.containerSecurityContext) }} + securityContext: {{ .Values.core.containerSecurityContext | toYaml | nindent 10 }} + {{- end }} volumeMounts: - name: config mountPath: /etc/core/app.conf diff --git a/templates/core/core-pre-upgrade-job.yaml b/templates/core/core-pre-upgrade-job.yaml index 43c9d3596..da2effd41 100644 --- a/templates/core/core-pre-upgrade-job.yaml +++ b/templates/core/core-pre-upgrade-job.yaml 
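Review bot: The `{{- if not (empty .Values.core.podSecurityContext) }}` / `securityContext: … | toYaml | nindent` / `{{- end }}` triple introduced in both core-dpl.yaml hunks is repeated for every pod and container in this patch, and Go templates already have the construct for exactly this case: `with` skips the block when the value is nil or an empty map, so the pod hunk can read `{{- with .Values.core.podSecurityContext }}` / `securityContext: {{ toYaml . | nindent 8 }}` / `{{- end }}`, and the container hunk the same with `nindent 10`. That is the form the nginx and portal templates in this same series already use for `imagePullSecrets` (`{{- with .Values.imagePullSecrets }}`), so it also keeps the chart's guards consistent. Rendering is identical either way; this is only about how the guard is written.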
@@ -19,9 +19,9 @@ spec: component: migrator spec: restartPolicy: Never - securityContext: - runAsUser: 10000 - fsGroup: 10000 + {{- if not (empty .Values.core.podSecurityContext) }} + securityContext: {{ .Values.core.podSecurityContext | toYaml | nindent 8 }} + {{- end }} {{- if .Values.core.serviceAccountName }} serviceAccountName: {{ .Values.core.serviceAccountName }} {{- end -}} @@ -47,7 +47,10 @@ spec: secretKeyRef: name: {{ .Values.database.external.existingSecret }} key: password - {{- end }} + {{- end }} + {{- if not (empty .Values.core.containerSecurityContext) }} + securityContext: {{ .Values.core.containerSecurityContext | toYaml | nindent 10 }} + {{- end }} volumeMounts: - name: config mountPath: /etc/core/app.conf diff --git a/templates/database/database-ss.yaml b/templates/database/database-ss.yaml index 3b08b07ef..54fa3f81d 100644 --- a/templates/database/database-ss.yaml +++ b/templates/database/database-ss.yaml @@ -28,9 +28,9 @@ spec: {{ toYaml .Values.database.podAnnotations | indent 8 }} {{- end }} spec: - securityContext: - runAsUser: 999 - fsGroup: 999 + {{- if not (empty .Values.database.internal.podSecurityContext) }} + securityContext: {{ .Values.database.internal.podSecurityContext | toYaml | nindent 8 }} + {{- end }} {{- if .Values.database.internal.serviceAccountName }} serviceAccountName: {{ .Values.database.internal.serviceAccountName }} {{- end -}} @@ -54,6 +54,9 @@ spec: resources: {{ toYaml .Values.database.internal.initContainer.migrator.resources | indent 10 }} {{- end }} + {{- if not (empty .Values.database.internal.initContainer.migrator.containerSecurityContext) }} + securityContext: {{ .Values.database.internal.initContainer.migrator.containerSecurityContext | toYaml | nindent 10 }} + {{- end }} volumeMounts: - name: database-data mountPath: /var/lib/postgresql/data 
@@ -71,6 +74,9 @@ spec: resources: {{ toYaml .Values.database.internal.initContainer.permissions.resources | indent 10 }} {{- end }} + {{- if not (empty .Values.database.internal.initContainer.permissions.containerSecurityContext) }} + securityContext: {{ .Values.database.internal.initContainer.permissions.containerSecurityContext | toYaml | nindent 10 }} + {{- end }} volumeMounts: - name: database-data mountPath: /var/lib/postgresql/data diff --git a/templates/exporter/exporter-dpl.yaml b/templates/exporter/exporter-dpl.yaml index 6d2e1f53a..0205da617 100644 --- a/templates/exporter/exporter-dpl.yaml +++ b/templates/exporter/exporter-dpl.yaml @@ -31,9 +31,9 @@ spec: {{ toYaml .Values.exporter.podAnnotations | indent 8 }} {{- end }} spec: - securityContext: - runAsUser: 10000 - fsGroup: 10000 + {{- if not (empty .Values.exporter.podSecurityContext) }} + securityContext: {{ .Values.exporter.podSecurityContext | toYaml | nindent 8 }} + {{- end }} {{- if .Values.exporter.serviceAccountName }} serviceAccountName: {{ .Values.exporter.serviceAccountName }} {{- end -}} @@ -99,6 +99,9 @@ spec: {{- end }} ports: - containerPort: {{ template "harbor.core.containerPort" . }} + {{- if not (empty .Values.exporter.containerSecurityContext ) }} + securityContext: {{ .Values.exporter.containerSecurityContext | toYaml | nindent 10 }} + {{- end }} volumeMounts: {{- if .Values.caBundleSecretName }} {{ include "harbor.caBundleVolumeMount" . | indent 8 }} diff --git a/templates/jobservice/jobservice-dpl.yaml b/templates/jobservice/jobservice-dpl.yaml index e39e77e6e..2a6523779 100644 --- a/templates/jobservice/jobservice-dpl.yaml +++ b/templates/jobservice/jobservice-dpl.yaml 
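Review bot: The `securityContext` added to the permissions init container in the `@@ -71,6 +74,9` hunk is appended after `resources`, but nothing in the hunk removes an earlier `securityContext` for that container; if the template already carried a hard-coded one above `resources` (which the new `runAsUser: 0` default in values.yaml suggests, since that is how this container would previously have run as root), the rendered manifest now contains the key twice and Helm's YAML decoder rejects duplicate mapping keys. Please check the lines above the hunk in database-ss.yaml and drop the old block if it is there. The same check applies to the migrator init container in the `@@ -54` hunk. With the shipped defaults nothing changes for existing deployments, so this only bites once a user touches `containerSecurityContext`.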
@@ -39,9 +39,9 @@ spec: {{ toYaml .Values.jobservice.podAnnotations | indent 8 }} {{- end }} spec: - securityContext: - runAsUser: 10000 - fsGroup: 10000 + {{- if not (empty .Values.jobservice.podSecurityContext) }} + securityContext: {{ .Values.jobservice.podSecurityContext | toYaml | nindent 8 }} + {{- end }} {{- if .Values.jobservice.serviceAccountName }} serviceAccountName: {{ .Values.jobservice.serviceAccountName }} {{- end -}} @@ -123,6 +123,9 @@ spec: name: "{{ template "harbor.jobservice" . }}" ports: - containerPort: {{ template "harbor.jobservice.containerPort" . }} + {{- if not (empty .Values.jobservice.containerSecurityContext) }} + securityContext: {{ .Values.jobservice.containerSecurityContext | toYaml | nindent 10 }} + {{- end }} volumeMounts: - name: jobservice-config mountPath: /etc/jobservice/config.yml diff --git a/templates/nginx/deployment.yaml b/templates/nginx/deployment.yaml index 8290d497b..833e172a2 100644 --- a/templates/nginx/deployment.yaml +++ b/templates/nginx/deployment.yaml @@ -37,9 +37,9 @@ spec: {{- if .Values.nginx.serviceAccountName }} serviceAccountName: {{ .Values.nginx.serviceAccountName }} {{- end }} - securityContext: - runAsUser: 10000 - fsGroup: 10000 + {{- if not (empty .Values.nginx.podSecurityContext) }} + securityContext: {{ .Values.nginx.podSecurityContext | toYaml | nindent 8 }} + {{- end }} {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} @@ -91,6 +91,9 @@ spec: - containerPort: 8080 - containerPort: 8443 - containerPort: 4443 + {{- if not (empty .Values.nginx.containerSecurityContext) }} + securityContext: {{ .Values.nginx.containerSecurityContext | toYaml | nindent 10 }} + {{- end }} volumeMounts: - name: config mountPath: /etc/nginx/nginx.conf diff --git a/templates/portal/deployment.yaml b/templates/portal/deployment.yaml index 959a3fd7b..e56e2833c 100644 --- a/templates/portal/deployment.yaml +++ b/templates/portal/deployment.yaml 
@@ -26,14 +26,14 @@ spec: {{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} checksum/tls: {{ include (print $.Template.BasePath "/portal/tls.yaml") . | sha256sum }} {{- end }} - checksum/configmap: {{ include (print $.Template.BasePath "/portal/configmap.yaml") . | sha256sum }} + checksum/configmap: {{ include (print $.Template.BasePath "/portal/configmap.yaml") . | sha256sum }} {{- if .Values.portal.podAnnotations }} {{ toYaml .Values.portal.podAnnotations | indent 8 }} {{- end }} spec: - securityContext: - runAsUser: 10000 - fsGroup: 10000 + {{- if not (empty .Values.portal.podSecurityContext) }} + securityContext: {{ .Values.portal.podSecurityContext | toYaml | nindent 8 }} + {{- end }} {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} @@ -80,6 +80,9 @@ spec: periodSeconds: 10 ports: - containerPort: {{ template "harbor.portal.containerPort" . }} + {{- if not (empty .Values.portal.containerSecurityContext) }} + securityContext: {{ .Values.portal.containerSecurityContext | toYaml | nindent 10 }} + {{- end }} volumeMounts: - name: portal-config mountPath: /etc/nginx/nginx.conf diff --git a/templates/redis/statefulset.yaml b/templates/redis/statefulset.yaml index 371b0fd5a..3b31b316f 100644 --- a/templates/redis/statefulset.yaml +++ b/templates/redis/statefulset.yaml @@ -27,9 +27,9 @@ spec: {{ toYaml .Values.redis.podAnnotations | indent 8 }} {{- end }} spec: - securityContext: - runAsUser: 999 - fsGroup: 999 + {{- if not (empty .Values.redis.internal.podSecurityContext) }} + securityContext: {{ .Values.redis.internal.podSecurityContext | toYaml | nindent 8 }} + {{- end }} {{- if .Values.redis.internal.serviceAccountName }} serviceAccountName: {{ .Values.redis.internal.serviceAccountName }} {{- end -}} 
@@ -61,6 +61,9 @@ spec: env: {{- toYaml . | nindent 10 }} {{- end }} + {{- if not (empty .Values.redis.internal.containerSecurityContext ) }} + securityContext: {{ .Values.redis.internal.containerSecurityContext | toYaml | nindent 10 }} + {{- end }} volumeMounts: - name: data mountPath: /var/lib/redis diff --git a/templates/registry/registry-dpl.yaml b/templates/registry/registry-dpl.yaml index dc4a83347..75e7cb8a4 100644 --- a/templates/registry/registry-dpl.yaml +++ b/templates/registry/registry-dpl.yaml @@ -41,10 +41,9 @@ spec: {{ toYaml .Values.registry.podAnnotations | indent 8 }} {{- end }} spec: - securityContext: - runAsUser: 10000 - fsGroup: 10000 - fsGroupChangePolicy: OnRootMismatch + {{- if not (empty .Values.registry.podSecurityContext) }} + securityContext: {{ .Values.registry.podSecurityContext | toYaml | nindent 8 }} + {{- end }} {{- if .Values.registry.serviceAccountName }} serviceAccountName: {{ .Values.registry.serviceAccountName }} {{- end -}} @@ -167,6 +166,9 @@ spec: ports: - containerPort: {{ template "harbor.registry.containerPort" . }} - containerPort: 5001 + {{- if not (empty .Values.registry.registry.containerSecurityContext) }} + securityContext: {{ .Values.registry.registry.containerSecurityContext | toYaml | nindent 10 }} + {{- end }} volumeMounts: - name: registry-data mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }} @@ -319,6 +321,9 @@ spec: {{- end }} ports: - containerPort: {{ template "harbor.registryctl.containerPort" . }} + {{- if not (empty .Values.registry.controller.containerSecurityContext) }} + securityContext: {{ .Values.registry.controller.containerSecurityContext | toYaml | nindent 10 }} + {{- end }} volumeMounts: - name: registry-data mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }} diff --git a/templates/trivy/trivy-sts.yaml b/templates/trivy/trivy-sts.yaml index aba23c9e8..40fde9e21 100644 --- a/templates/trivy/trivy-sts.yaml 
+++ b/templates/trivy/trivy-sts.yaml @@ -40,9 +40,9 @@ spec: {{- if .Values.trivy.serviceAccountName }} serviceAccountName: {{ .Values.trivy.serviceAccountName }} {{- end }} - securityContext: - runAsUser: 10000 - fsGroup: 10000 + {{- if not (empty .Values.trivy.podSecurityContext) }} + securityContext: {{ .Values.trivy.podSecurityContext | toYaml | nindent 8 }} + {{- end }} automountServiceAccountToken: {{ .Values.trivy.automountServiceAccountToken | default false }} {{- with .Values.trivy.topologySpreadConstraints}} topologySpreadConstraints: @@ -130,6 +130,9 @@ spec: ports: - name: api-server containerPort: {{ template "harbor.trivy.containerPort" . }} + {{- if not (empty .Values.trivy.containerSecurityContext) }} + securityContext: {{ .Values.trivy.containerSecurityContext | toYaml | nindent 12 }} + {{- end }} volumeMounts: - name: data mountPath: /home/scanner/.cache diff --git a/values.yaml b/values.yaml index 5582f883c..96b3e9504 100644 --- a/values.yaml +++ b/values.yaml @@ -411,7 +411,15 @@ nginx: ## Additional deployment labels podLabels: {} ## The priority class to run the pod as - priorityClassName: + priorityClassName: "" + ## Pod Security Context + ## NOTE: Changing runAsUser or fsGroup is not supported by official harbor images + ## and may result in broken permissions + podSecurityContext: + runAsUser: 10000 + fsGroup: 10000 + ## Container Security Context + containerSecurityContext: {} portal: image: @@ -444,7 +452,16 @@ portal: ## Additional service annotations serviceAnnotations: {} ## The priority class to run the pod as - priorityClassName: + priorityClassName: "" + ## Pod Security Context + ## NOTE: Changing runAsUser or fsGroup is not supported by official harbor images + ## and may result in broken permissions + podSecurityContext: + runAsUser: 10000 + fsGroup: 10000 + ## Container Security Context + containerSecurityContext: {} + core: image: 
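Review bot: The trivy container hunk (`@@ -130,6 +130,9`) inserts `securityContext` after `ports` without removing any existing container-level context, and upstream trivy-sts.yaml is, to my knowledge, the one Harbor component that already hard-codes one (`privileged: false`, `allowPrivilegeEscalation: false`) above the `ports` block; if that block is still present outside this hunk, any user who sets `trivy.containerSecurityContext` gets a duplicate `securityContext` key, and if it was removed elsewhere the `{}` default silently drops `allowPrivilegeEscalation: false`. Either way the fix is the same: ship `privileged: false` and `allowPrivilegeEscalation: false` as the `trivy.containerSecurityContext` default in values.yaml instead of `{}`, and make sure exactly one `securityContext` is emitted for the container. The `nindent 12` here (versus `nindent 10` in the other templates) matches this file's deeper container indentation, so that part looks right.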
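Review bot: `containerSecurityContext: {}` as the default for every component (starting with nginx in the `@@ -411,7 +411,15` hunk) means the new knob adds no hardening out of the box: nothing sets `allowPrivilegeEscalation: false`, drops capabilities or declares `runAsNonRoot`, so a namespace enforcing the Pod Security `restricted` profile still rejects these pods, and a user who blanks `podSecurityContext` now loses the uid floor entirely because the template then renders no `securityContext` at all. Since the chart already pins the uid here, the conventional baseline below can be the default and still be overridden per component; `readOnlyRootFilesystem` is better left opt-in because I cannot tell from this diff which images write to their root filesystem, and `seccompProfile` should be checked against the chart's minimum Kubernetes version. At minimum the `## Container Security Context` comment should state that an empty map renders no securityContext at all.
```yaml
  podSecurityContext:
    runAsUser: 10000
    fsGroup: 10000
    runAsNonRoot: true
  ## Container Security Context (an empty map renders no securityContext at all)
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: RuntimeDefault
```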
@@ -507,9 +524,9 @@ core: # If none of secretName, tokenKey, and tokenCert are specified, an ephemeral key and certificate will be autogenerated. # tokenKey and tokenCert must BOTH be set or BOTH unset. # The tokenKey value is formatted as a multiline string containing a PEM-encoded RSA key, indented one more than tokenKey on the following line. - tokenKey: | + tokenKey: "" # If tokenKey is set, the value of tokenCert must be set as a PEM-encoded certificate signed by tokenKey, and supplied as a multiline string, indented one more than tokenCert on the following line. - tokenCert: | + tokenCert: "" # The XSRF key. Will be generated automatically if it isn't specified xsrfKey: "" # If using existingSecret, the key is defined by core.existingXsrfSecretKey @@ -517,7 +534,15 @@ core: # If using existingSecret, the key existingXsrfSecretKey: CSRF_KEY ## The priority class to run the pod as - priorityClassName: + priorityClassName: "" + ## Pod Security Context + ## NOTE: Changing runAsUser or fsGroup is not supported by official harbor images + ## and may result in broken permissions + podSecurityContext: + runAsUser: 10000 + fsGroup: 10000 + ## Container Security Context + containerSecurityContext: {} # The time duration for async update artifact pull_time and repository # pull_count, the unit is second. Will be 10 seconds if it isn't set. # eg. artifactPullAsyncFlushDuration: 10 @@ -579,7 +604,15 @@ jobservice: # Key within the existing secret for the job service secret existingSecretKey: JOBSERVICE_SECRET ## The priority class to run the pod as - priorityClassName: + priorityClassName: "" + ## Pod Security Context + ## NOTE: Changing runAsUser or fsGroup is not supported by official harbor images + ## and may result in broken permissions + podSecurityContext: + runAsUser: 10000 + fsGroup: 10000 + ## Container Security Context + containerSecurityContext: {} registry: # set the service account to be used, default if left empty 
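Review bot: The switch from `tokenKey: |` / `tokenCert: |` to `tokenKey: ""` / `tokenCert: ""` in the `@@ -507,9 +524,9` hunk is unrelated to the securityContext subject and not mentioned in the commit message; it is value-preserving (an empty block scalar and `""` both yield an empty string), but the comments directly above still tell the user to supply the PEM as a multiline string "indented one more than tokenKey on the following line", which no longer describes the default they will be editing. Either split this into its own commit or extend the comment, e.g. `# To set it, replace "" with a block scalar: tokenKey: |` followed by the indented PEM. The `priorityClassName:` → `priorityClassName: ""` changes throughout values.yaml are the same kind of null-to-empty-string normalisation, harmless as long as the templates only test truthiness (which I cannot confirm from here), and also deserve a line in the commit message.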
@@ -595,6 +628,8 @@ registry: # memory: 256Mi # cpu: 100m extraEnvVars: [] + ## Container Security Context + containerSecurityContext: {} controller: image: repository: goharbor/harbor-registryctl @@ -605,6 +640,8 @@ registry: # memory: 256Mi # cpu: 100m extraEnvVars: [] + ## Container Security Context + containerSecurityContext: {} replicas: 1 revisionHistoryLimit: 10 nodeSelector: {} @@ -621,7 +658,14 @@ registry: ## Additional deployment labels podLabels: {} ## The priority class to run the pod as - priorityClassName: + priorityClassName: "" + ## Pod Security Context + ## NOTE: Changing runAsUser or fsGroup is not supported by official harbor images + ## and may result in broken permissions + podSecurityContext: + runAsUser: 10000 + fsGroup: 10000 + fsGroupChangePolicy: OnRootMismatch # Secret is used to secure the upload state from client # and registry storage backend. # See: https://github.com/distribution/distribution/blob/main/docs/configuration.md#http @@ -742,7 +786,15 @@ trivy: ## Additional deployment labels podLabels: {} ## The priority class to run the pod as - priorityClassName: + priorityClassName: "" + ## Pod Security Context + ## NOTE: Changing runAsUser or fsGroup is not supported by official harbor images + ## and may result in broken permissions + podSecurityContext: + runAsUser: 10000 + fsGroup: 10000 + ## Container Security Context + containerSecurityContext: {} database: # if external database is used, set "type" to "external" 
@@ -777,14 +829,27 @@ database: tolerations: [] affinity: {} ## The priority class to run the pod as - priorityClassName: + priorityClassName: "" + ## Pod Security Context + ## NOTE: Changing runAsUser or fsGroup is not supported by official harbor images + ## and may result in broken permissions + podSecurityContext: + runAsUser: 999 + fsGroup: 999 + ## Container Security Context + containerSecurityContext: {} initContainer: - migrator: {} + migrator: + ## Container Security Context + containerSecurityContext: {} # resources: # requests: # memory: 128Mi # cpu: 100m - permissions: {} + permissions: + ## Container Security Context + containerSecurityContext: + runAsUser: 0 # resources: # requests: # memory: 128Mi @@ -838,7 +903,15 @@ redis: tolerations: [] affinity: {} ## The priority class to run the pod as - priorityClassName: + priorityClassName: "" + ## Pod Security Context + ## NOTE: Changing runAsUser or fsGroup is not supported by official harbor images + ## and may result in broken permissions + podSecurityContext: + runAsUser: 999 + fsGroup: 999 + ## Container Security Context + containerSecurityContext: {} # # jobserviceDatabaseIndex defaults to "1" # # registryDatabaseIndex defaults to "2" # # trivyAdapterIndex defaults to "5" @@ -905,7 +978,15 @@ exporter: cacheDuration: 23 cacheCleanInterval: 14400 ## The priority class to run the pod as - priorityClassName: + priorityClassName: "" + ## Pod Security Context + ## NOTE: Changing runAsUser or fsGroup is not supported by official harbor images + ## and may result in broken permissions + podSecurityContext: + runAsUser: 10000 + fsGroup: 10000 + ## Container Security Context + containerSecurityContext: {} metrics: enabled: false
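Review bot: `permissions.containerSecurityContext: runAsUser: 0` in the `@@ -777,14 +829,27` hunk is the one default in this series that makes a container run as root, and the `## Container Security Context` comment above it says nothing about why, while the NOTE a few lines up only warns against changing the uid; a reader hardening the chart cannot tell whether `0` is safe to drop. Please say so in values.yaml, e.g. `## Runs as root so the init container can fix ownership of the data volume before postgres (uid 999) starts; a namespace enforcing the Pod Security "restricted" profile will reject this pod unless it is changed`. I cannot see the init container's command from this diff, so the ownership-fix wording should be checked against database-ss.yaml before it lands.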