diff --git a/templates/core/core-dpl.yaml b/templates/core/core-dpl.yaml index 9a92b45a4..e28801f0f 100644 --- a/templates/core/core-dpl.yaml +++ b/templates/core/core-dpl.yaml @@ -34,6 +34,7 @@ spec: {{- end }} spec: securityContext: + runAsNonRoot: true runAsUser: 10000 fsGroup: 10000 {{- if .Values.core.serviceAccountName }} @@ -59,6 +60,14 @@ spec: - name: core image: {{ .Values.core.image.repository }}:{{ .Values.core.image.tag }} imagePullPolicy: {{ .Values.imagePullPolicy }} + securityContext: + privileged: false + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL {{- if .Values.core.startupProbe.enabled }} startupProbe: httpGet: diff --git a/templates/core/core-pre-upgrade-job.yaml b/templates/core/core-pre-upgrade-job.yaml index 43c9d3596..9a5afc5e7 100644 --- a/templates/core/core-pre-upgrade-job.yaml +++ b/templates/core/core-pre-upgrade-job.yaml @@ -20,6 +20,7 @@ spec: spec: restartPolicy: Never securityContext: + runAsNonRoot: true runAsUser: 10000 fsGroup: 10000 {{- if .Values.core.serviceAccountName }} @@ -34,6 +35,14 @@ spec: - name: core-job image: {{ .Values.core.image.repository }}:{{ .Values.core.image.tag }} imagePullPolicy: {{ .Values.imagePullPolicy }} + securityContext: + privileged: false + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL command: ["/harbor/harbor_core", "-mode=migrate"] envFrom: - configMapRef: diff --git a/templates/database/database-ss.yaml b/templates/database/database-ss.yaml index 3b08b07ef..6a98d89c4 100644 --- a/templates/database/database-ss.yaml +++ b/templates/database/database-ss.yaml @@ -29,6 +29,7 @@ spec: {{- end }} spec: securityContext: + runAsNonRoot: true runAsUser: 999 fsGroup: 999 {{- if .Values.database.internal.serviceAccountName }} 
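Review bot: The pod-level securityContext still has no `seccompProfile`, so the seccomp restriction added further down applies only to the containers that list it themselves and not to any init container or webhook-injected sidecar that ends up in this pod template. Setting it once here — `seccompProfile:` with `type: RuntimeDefault` directly under `fsGroup: 10000` — covers every container in the pod and is the form the restricted Pod Security Standard accepts at pod scope. `runAsGroup: 10000` is also worth adding next to `runAsUser`, since `fsGroup` only affects volume ownership and the primary GID otherwise stays whatever the image declares. The pod spec continues outside the hunk.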
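Review bot: The seven-line container securityContext here is the same block pasted into every container touched by this commit, which will drift the first time one field is added or relaxed; a named template in `_helpers.tpl` included with `nindent` would keep them identical. The field a reviewer would expect alongside `allowPrivilegeEscalation: false` is `readOnlyRootFilesystem: true`; nothing in the hunk shows whether harbor-core writes under its root filesystem, so that needs an emptyDir for any scratch path before it can be enabled rather than being switched on blind. `privileged: false` is already the default and could be dropped, though spelling it out does no harm for policy scanners. The container definition continues outside the hunk.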
@@ -48,6 +49,14 @@ spec: - name: "data-migrator" image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }} imagePullPolicy: {{ .Values.imagePullPolicy }} + securityContext: + privileged: false + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL command: ["/bin/sh"] args: ["-c", "[ -e /var/lib/postgresql/data/postgresql.conf ] && [ ! -d /var/lib/postgresql/data/pgdata ] && mkdir -m 0700 /var/lib/postgresql/data/pgdata && mv /var/lib/postgresql/data/* /var/lib/postgresql/data/pgdata/ || true"] {{- if .Values.database.internal.initContainer.migrator.resources }} @@ -65,6 +74,14 @@ spec: - name: "data-permissions-ensurer" image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }} imagePullPolicy: {{ .Values.imagePullPolicy }} + securityContext: + privileged: false + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL command: ["/bin/sh"] args: ["-c", "chmod -R 700 /var/lib/postgresql/data/pgdata || true"] {{- if .Values.database.internal.initContainer.permissions.resources }} @@ -79,6 +96,14 @@ spec: - name: database image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }} imagePullPolicy: {{ .Values.imagePullPolicy }} + securityContext: + privileged: false + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL livenessProbe: exec: command: diff --git a/templates/exporter/exporter-dpl.yaml b/templates/exporter/exporter-dpl.yaml index 6d2e1f53a..235f03c55 100644 --- a/templates/exporter/exporter-dpl.yaml +++ b/templates/exporter/exporter-dpl.yaml @@ -32,6 +32,7 @@ spec: {{- end }} spec: securityContext: + runAsNonRoot: true runAsUser: 10000 fsGroup: 10000 {{- if .Values.exporter.serviceAccountName }} 
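Review bot: With all capabilities dropped and the pod running as uid 999, the `chmod -R 700 .../pgdata` in this init container can only succeed on files that uid 999 owns, and the trailing `|| true` turns any other outcome into a silent no-op, so a volume whose files were created by a different uid starts Postgres with wrong modes and a much less obvious failure later. Since no capability is available to fall back on, the failure should at least be visible: `args: ["-c", "chmod -R 700 /var/lib/postgresql/data/pgdata || echo 'data-permissions-ensurer: chmod failed, check volume ownership' >&2"]` keeps the best-effort semantics while leaving a trace in the init-container log. The same applies to the `|| true` in the data-migrator container above it. The init-container list continues outside the hunk.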
@@ -56,6 +57,14 @@ spec: - name: exporter image: {{ .Values.exporter.image.repository }}:{{ .Values.exporter.image.tag }} imagePullPolicy: {{ .Values.imagePullPolicy }} + securityContext: + privileged: false + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL livenessProbe: httpGet: path: / diff --git a/templates/jobservice/jobservice-dpl.yaml b/templates/jobservice/jobservice-dpl.yaml index e39e77e6e..665ed0fcd 100644 --- a/templates/jobservice/jobservice-dpl.yaml +++ b/templates/jobservice/jobservice-dpl.yaml @@ -40,6 +40,7 @@ spec: {{- end }} spec: securityContext: + runAsNonRoot: true runAsUser: 10000 fsGroup: 10000 {{- if .Values.jobservice.serviceAccountName }} @@ -65,6 +66,14 @@ spec: - name: jobservice image: {{ .Values.jobservice.image.repository }}:{{ .Values.jobservice.image.tag }} imagePullPolicy: {{ .Values.imagePullPolicy }} + securityContext: + privileged: false + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL livenessProbe: httpGet: path: /api/v1/stats diff --git a/templates/nginx/deployment.yaml b/templates/nginx/deployment.yaml index 8290d497b..ed6c1bd7a 100644 --- a/templates/nginx/deployment.yaml +++ b/templates/nginx/deployment.yaml @@ -38,6 +38,7 @@ spec: serviceAccountName: {{ .Values.nginx.serviceAccountName }} {{- end }} securityContext: + runAsNonRoot: true runAsUser: 10000 fsGroup: 10000 {{- with .Values.imagePullSecrets }} @@ -59,6 +60,14 @@ spec: - name: nginx image: "{{ .Values.nginx.image.repository }}:{{ .Values.nginx.image.tag }}" imagePullPolicy: "{{ .Values.imagePullPolicy }}" + securityContext: + privileged: false + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL {{- $_ := set . "scheme" "HTTP" -}} {{- $_ := set . "port" "8080" -}} {{- if .Values.expose.tls.enabled }} 
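Review bot: Dropping `ALL` capabilities removes NET_BIND_SERVICE from the nginx container, so this only works because the listener is set to `8080` in the template lines right below the new block; anyone lowering that port to 80/443 later will get a bind error with no hint of the cause. A comment on the new block, `# all capabilities are dropped: the listener must stay on an unprivileged port (>1024)`, would make the coupling explicit. The TLS listener port is not visible in this hunk, so it is worth confirming it is likewise above 1024. The container definition continues outside the hunk.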
diff --git a/templates/portal/deployment.yaml b/templates/portal/deployment.yaml index 959a3fd7b..32451b016 100644 --- a/templates/portal/deployment.yaml +++ b/templates/portal/deployment.yaml @@ -32,6 +32,7 @@ spec: {{- end }} spec: securityContext: + runAsNonRoot: true runAsUser: 10000 fsGroup: 10000 {{- with .Values.imagePullSecrets }} @@ -56,6 +57,14 @@ spec: - name: portal image: {{ .Values.portal.image.repository }}:{{ .Values.portal.image.tag }} imagePullPolicy: {{ .Values.imagePullPolicy }} + securityContext: + privileged: false + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL {{- if .Values.portal.resources }} resources: {{ toYaml .Values.portal.resources | indent 10 }} diff --git a/templates/registry/registry-dpl.yaml b/templates/registry/registry-dpl.yaml index dc4a83347..d1197248c 100644 --- a/templates/registry/registry-dpl.yaml +++ b/templates/registry/registry-dpl.yaml @@ -42,6 +42,7 @@ spec: {{- end }} spec: securityContext: + runAsNonRoot: true runAsUser: 10000 fsGroup: 10000 fsGroupChangePolicy: OnRootMismatch @@ -68,6 +69,14 @@ spec: - name: registry image: {{ .Values.registry.registry.image.repository }}:{{ .Values.registry.registry.image.tag }} imagePullPolicy: {{ .Values.imagePullPolicy }} + securityContext: + privileged: false + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL livenessProbe: httpGet: path: / @@ -204,6 +213,14 @@ spec: - name: registryctl image: {{ .Values.registry.controller.image.repository }}:{{ .Values.registry.controller.image.tag }} imagePullPolicy: {{ .Values.imagePullPolicy }} + securityContext: + privileged: false + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL livenessProbe: httpGet: path: /api/health diff --git a/templates/trivy/trivy-sts.yaml b/templates/trivy/trivy-sts.yaml index aba23c9e8..39bf8591f 100644 --- a/templates/trivy/trivy-sts.yaml 
+++ b/templates/trivy/trivy-sts.yaml @@ -41,6 +41,7 @@ spec: serviceAccountName: {{ .Values.trivy.serviceAccountName }} {{- end }} securityContext: + runAsNonRoot: true runAsUser: 10000 fsGroup: 10000 automountServiceAccountToken: {{ .Values.trivy.automountServiceAccountToken | default false }} @@ -61,6 +62,11 @@ spec: securityContext: privileged: false allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL env: {{- if has "trivy" .Values.proxy.components }} - name: HTTP_PROXY
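Review bot: `automountServiceAccountToken` defaulting to `false` appears here for trivy only; none of the other pod templates hardened in this commit show the field in their hunks, and if they do not set it elsewhere, a mounted service-account token in core, jobservice or registry is a larger exposure than the capabilities being dropped. It is not visible from this diff whether they set it outside the shown lines, so it is worth checking and, where absent, adding `automountServiceAccountToken: false` under the pod spec with the same `| default false` override. The pod spec continues outside the hunk.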