Inject Pod and Container Security Context (#38)

* Inject Pod and Container Security Context

* Inject Pod and Container Security Context

* fix vulnerabilities

* fix vulnerabilities

* update trivy ignores

---------

Co-authored-by: Ravi Singal <[email protected]>

.trivyignore

@@ -1,14 +1,2 @@
-# org.scala-lang:scala-library (from upstream opensource dependency)
-CVE-2022-36944 exp:2023-09-30
-
-# org.xerial.snappy:snappy-java (from upstream opensource dependency)
-CVE-2023-34453 exp:2023-09-30
-
-# org.xerial.snappy:snappy-java (from upstream opensource dependency)
-CVE-2023-34454 exp:2023-09-30
-
-# org.xerial.snappy:snappy-java (from upstream opensource dependency)
-CVE-2023-34455 exp:2023-09-30
-
 # usr/local/bin/kubectl (gobinary)
-CVE-2023-2253 exp:2023-09-30
+CVE-2024-34156 exp:2024-10-31

kafka-topic-creator/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.21 AS builder
+FROM golang:1.22.7 AS builder
 COPY src/main/go /opt
 WORKDIR /opt
 

kafka-topic-creator/helm/templates/kafka-topic-creation-hook.yaml

@@ -24,6 +24,10 @@ spec:
       containers:
         - name: topic-creator
           image: {{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}
+          {{- with .Values.containerSecurityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
@@ -49,7 +53,7 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.securityContext }}
+      {{- with .Values.podSecurityContext }}
       securityContext:
         {{- toYaml . | nindent 8 }}
       {{- end }}

kafka-topic-creator/helm/values.yaml

@@ -45,3 +45,6 @@ kafka:
   # for these keys in minValueOverrideForTopicConfig, we will set for all topics to value here if either not set or when lower is provided
   # ensure provided value for these keys is a 64 bit integer, else job will throw an error
   minValueOverrideForTopicConfig: {}
+
+containerSecurityContext: {}
+podSecurityContext: {}

kafka-topic-creator/src/main/go/go.mod

@@ -1,8 +1,8 @@
 module hypertrace.org/kafka-topic-creator
 
-go 1.21
+go 1.22.7
 
 require (
-	github.com/confluentinc/confluent-kafka-go/v2 v2.1.0
+	github.com/confluentinc/confluent-kafka-go/v2 v2.5.3
 	gopkg.in/yaml.v3 v3.0.1
 )

kstreams-app-version-checker/Dockerfile

@@ -1,6 +1,6 @@
-FROM alpine:3.18
+FROM alpine:3.20
 
-ENV KUBECTL_VERSION=v1.28.12
+ENV KUBECTL_VERSION=v1.28.14
 
 RUN apk add curl jq --no-cache && \
     curl -LO "https://dl.k8s.io/release/$KUBECTL_VERSION/bin/linux/amd64/kubectl" && \

kstreams-app-version-checker/helm/templates/job.yaml

@@ -19,9 +19,17 @@ spec:
         app: {{ $jobName }}
         release: {{ .Release.Name }}
     spec:
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       containers:
         - name: kstreams-app-version-checker
           image: {{ .Values.image.repository }}:{{ default .Chart.AppVersion .Values.image.tagOverride }}
+          {{- with .Values.resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           env:
             - name: NAMESPACE
@@ -32,7 +40,7 @@ spec:
               value: {{ int .Values.waitSeconds | default 360 | quote }}
             - name: WORKLOADS
               value: "{{ range $workload := .Values.workloads }}{{ $workload.name }},{{ $workload.type }},{{ $workload.container }};{{ end }}"
-          {{- with .Values.securityContext }}
+          {{- with .Values.containerSecurityContext }}
           securityContext:
             {{- toYaml . | nindent 12 }}
           {{- end }}

kstreams-app-version-checker/helm/values.yaml

@@ -38,3 +38,7 @@ jobName: ""
 configMapName: ""
 
 workloads: []
+
+resources: {}
+containerSecurityContext: {}
+podSecurityContext: {}