use strict security context

Use a strict security context by default to comply with the restricted pod security policy. Fixes #154
itzg · Jun 1, 2023 · 1616da9 · 1616da9
1 parent b74f8a5
commit 1616da9
Show file tree

Hide file tree

Showing 11 changed files with 103 additions and 42 deletions.
diff --git a/charts/minecraft-bedrock/Chart.yaml b/charts/minecraft-bedrock/Chart.yaml
@@ -1,21 +1,21 @@
 apiVersion: v1
 name: minecraft-bedrock
-version: 2.0.2
+version: 2.1.0
 appVersion: SeeValues
 home: https://minecraft.net/
 description: Minecraft server
 keywords:
-- game
-- server
+  - game
+  - server
 sources:
-- https://github.com/itzg/minecraft-server-charts
+  - https://github.com/itzg/minecraft-server-charts
 maintainers:
-- name: gtaylor
-  email: [email protected]
-- name: billimek
-  email: [email protected]
-- name: itzg
-  email: [email protected]
+  - name: gtaylor
+    email: [email protected]
+  - name: billimek
+    email: [email protected]
+  - name: itzg
+    email: [email protected]
 annotations:
   artifacthub.io/links: |
     - name: Image source

diff --git a/charts/minecraft-bedrock/templates/deployment.yaml b/charts/minecraft-bedrock/templates/deployment.yaml
@@ -35,6 +35,8 @@ spec:
       imagePullSecrets:
         - name: {{ .Values.image.pullSecret }}
       {{- end }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
       {{- if .Values.initContainers }}
       initContainers:
       {{- toYaml .Values.initContainers | nindent 8 }}
@@ -139,14 +141,20 @@ spec:
           protocol: UDP
 
         volumeMounts:
+        - name: tmp
+          mountPath: /tmp
         - name: datadir
           mountPath: /data
         {{- range .Values.extraVolumes }}
         {{-   if .volumeMounts }}
         {{-     toYaml .volumeMounts | nindent 8 }}
         {{-   end }}
         {{- end }}
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 10 }}
       volumes:
+      - name: tmp
+        emptyDir: {}
       - name: datadir
       {{- if .Values.persistence.dataDir.enabled }}
         persistentVolumeClaim:

diff --git a/charts/minecraft-bedrock/values.yaml b/charts/minecraft-bedrock/values.yaml
@@ -22,6 +22,21 @@ tolerations: []
 
 affinity: {}
 
+podSecurityContext:
+  runAsUser: 1000
+  runAsGroup: 3000
+  runAsNonRoot: true
+  fsGroup: 2000
+  seccompProfile:
+    type: RuntimeDefault
+
+securityContext:
+  capabilities:
+    drop:
+      - ALL
+  readOnlyRootFilesystem: true
+  allowPrivilegeEscalation: false
+
 # Most of these map to environment variables. See Minecraft for details:
 # https://hub.docker.com/r/itzg/minecraft-server/
 livenessProbe:

diff --git a/charts/minecraft-proxy/Chart.yaml b/charts/minecraft-proxy/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: minecraft-proxy
-version: 3.2.0
+version: 3.3.0
 appVersion: SeeValues
 description: Minecraft proxy server (BungeeCord, Waterfall, Velocity, etc.)
 keywords:

diff --git a/charts/minecraft-proxy/templates/deployment.yaml b/charts/minecraft-proxy/templates/deployment.yaml
@@ -28,8 +28,7 @@ spec:
         - name: {{ .Values.image.pullSecret }}
       {{- end }}
       securityContext:
-        runAsUser: {{ .Values.securityContext.runAsUser }}
-        fsGroup: {{ .Values.securityContext.fsGroup }}
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
       initContainers: {{- toYaml .Values.initContainers | nindent 8 }}
       containers:
       - name: {{ template "proxy.fullname" . }}
@@ -151,6 +150,8 @@ spec:
         {{- end }}
         {{- end }}
         volumeMounts:
+        - name: tmp
+          mountPath: /tmp
         - name: datadir
           mountPath: /server
         {{- if .Values.minecraftProxy.config }}
@@ -163,10 +164,14 @@ spec:
         {{-     toYaml .volumeMounts | nindent 8 }}
         {{-   end }}
         {{- end }}
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 10 }}
       {{- if .Values.sidecarContainers }}
       {{- toYaml .Values.sidecarContainers | nindent 6 }}
       {{- end }}
       volumes:
+      - name: tmp
+        emptyDir: {}
       - name: datadir
       {{- if .Values.persistence.dataDir.enabled }}
         persistentVolumeClaim:

diff --git a/charts/minecraft-proxy/values.yaml b/charts/minecraft-proxy/values.yaml
@@ -14,11 +14,21 @@ resources:
     memory: 512Mi
     cpu: 500m
 
-securityContext:
-  # Security context settings
+podSecurityContext:
   runAsUser: 1000
-  runAsGroup: 1000
+  runAsGroup: 3000
+  runAsNonRoot: true
   fsGroup: 2000
+  seccompProfile:
+    type: RuntimeDefault
+
+securityContext:
+  capabilities:
+    drop:
+      - ALL
+  readOnlyRootFilesystem: true
+  allowPrivilegeEscalation: false
+
 # Most of these map to environment variables. See Minecraft for details:
 # https://hub.docker.com/r/itzg/docker-bungeecord/
 livenessProbe:
@@ -175,7 +185,8 @@ minecraftProxy:
     ## Set the externalTrafficPolicy in the Service to either Cluster or Local
     # externalTrafficPolicy: Cluster
 
-  extraPorts: []
+  extraPorts:
+    []
     # These options allow you to expose another port from the Minecraft proxy, plugins such
     # as NuVotifier (8192) will require this for incoming webhooks
     #

diff --git a/charts/minecraft/Chart.yaml b/charts/minecraft/Chart.yaml
@@ -1,21 +1,21 @@
 apiVersion: v1
 name: minecraft
-version: 4.7.4
+version: 4.8.0
 appVersion: SeeValues
 home: https://minecraft.net/
 description: Minecraft server
 keywords:
-- game
-- server
+  - game
+  - server
 sources:
-- https://github.com/itzg/minecraft-server-charts
+  - https://github.com/itzg/minecraft-server-charts
 maintainers:
-- name: gtaylor
-  email: [email protected]
-- name: billimek
-  email: [email protected]
-- name: itzg
-  email: [email protected]
+  - name: gtaylor
+    email: [email protected]
+  - name: billimek
+    email: [email protected]
+  - name: itzg
+    email: [email protected]
 annotations:
   artifacthub.io/links: |
     - name: Image source

diff --git a/charts/minecraft/templates/deployment.yaml b/charts/minecraft/templates/deployment.yaml
@@ -47,8 +47,7 @@ spec:
         - name: {{ .Values.image.pullSecret }}
       {{- end }}
       securityContext:
-        runAsUser: {{ .Values.securityContext.runAsUser }}
-        fsGroup: {{ .Values.securityContext.fsGroup }}
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
       {{- if .Values.initContainers }}
       initContainers:
       {{- toYaml .Values.initContainers | nindent 8 }}
@@ -119,6 +118,8 @@ spec:
         {{-   end }}
         {{- end }}
         volumeMounts:
+        - name: tmp
+          mountPath: /tmp
         - name: datadir
           mountPath: /data
           readOnly: true
@@ -134,6 +135,8 @@ spec:
         {{-   end }}
         {{- end }}
       {{- end }}
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 10 }}
       - name: {{ template "minecraft.fullname" . }}
         image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
@@ -321,7 +324,7 @@ spec:
         {{- end }}
     {{- end }}
     {{- end }}
-        
+
 
       {{- range $key, $value := .Values.extraEnv }}
       {{-   if kindIs "map" $value }}
@@ -357,6 +360,8 @@ spec:
         {{- end }}
         {{- end }}
         volumeMounts:
+        - name: tmp
+          mountPath: /tmp
         - name: datadir
           mountPath: /data
           {{- if (and .Values.persistence.dataDir.enabled .Values.persistence.dataDir.subPath) }}
@@ -370,10 +375,14 @@ spec:
         {{-     toYaml .volumeMounts | nindent 8 }}
         {{-   end }}
         {{- end }}
+        securityContext:
+            {{- toYaml .Values.securityContext | nindent 10 }}
       {{- if .Values.sidecarContainers }}
       {{- toYaml .Values.sidecarContainers | nindent 6 }}
       {{- end }}
       volumes:
+      - name: tmp
+        emptyDir: {}
       - name: datadir
       {{- if .Values.persistence.dataDir.enabled }}
         persistentVolumeClaim:

diff --git a/charts/minecraft/values.yaml b/charts/minecraft/values.yaml
@@ -27,10 +27,21 @@ tolerations: []
 
 affinity: {}
 
-securityContext:
-  # Security context settings
+podSecurityContext:
   runAsUser: 1000
+  runAsGroup: 3000
+  runAsNonRoot: true
   fsGroup: 2000
+  seccompProfile:
+    type: RuntimeDefault
+
+securityContext:
+  capabilities:
+    drop:
+      - ALL
+  readOnlyRootFilesystem: true
+  allowPrivilegeEscalation: false
+
 # Most of these map to environment variables. See Minecraft for details:
 # https://hub.docker.com/r/itzg/minecraft-server/
 livenessProbe:

diff --git a/charts/rcon-web-admin/Chart.yaml b/charts/rcon-web-admin/Chart.yaml
@@ -3,7 +3,7 @@ name: rcon-web-admin
 home: https://github.com/rcon-web-admin/rcon-web-admin
 description: RCon Web UI for managing game servers
 type: application
-version: 1.0.0
+version: 1.1.0
 appVersion: "0.14.1-1"
 keywords:
   - game

diff --git a/charts/rcon-web-admin/values.yaml b/charts/rcon-web-admin/values.yaml
@@ -17,17 +17,19 @@ fullnameOverride: ""
 podAnnotations: {}
 
 podSecurityContext:
-  {}
-  # fsGroup: 2000
+  runAsUser: 1000
+  runAsGroup: 3000
+  runAsNonRoot: true
+  fsGroup: 2000
+  seccompProfile:
+    type: RuntimeDefault
 
 securityContext:
-  {}
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
+  capabilities:
+    drop:
+      - ALL
+  readOnlyRootFilesystem: true
+  allowPrivilegeEscalation: false
 
 # This will expose 2 different services - http and websockets
 # If you want to know why it's separate - ask developer of original project