Use restricted pod security standard (#6)
Signed-off-by: Tamal Saha <[email protected]>
tamalsaha authored Jul 26, 2024
1 parent f1e7fe1 commit 9254d87
Showing 13 changed files with 67 additions and 55 deletions.
2 changes: 1 addition & 1 deletion charts/dbgate/Chart.yaml
@@ -3,7 +3,7 @@ name: dbgate
description: DBGate Helm chart for Kubernetes
type: application
version: v2024.4.27
appVersion: v2024.4.27
appVersion: 5.3.1
home: https://dbgate.org
icon: https://cdn.appscode.com/images/products/kubedb/kubedb-icon.png
maintainers:
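Review bot: `version: v2024.4.27` is left unchanged in this hunk while `appVersion` moves to `5.3.1` and, elsewhere in this commit, the chart's default `securityContext` goes from `{}` to a hardened set (read-only root filesystem, non-root uid); that is a behaviour change for existing releases, so the chart `version` should be bumped here so the change ships under an identifiable release. Note also that with `image.tag` pinned to `5.3.1-alpine` in `values.yaml`, `appVersion` no longer drives the image tag and is informational only; keep the two in step on future bumps.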
4 changes: 2 additions & 2 deletions charts/dbgate/README.md
@@ -56,7 +56,7 @@ The following table lists the configurable parameters of the `dbgate` chart and
| replicaCount | | <code>1</code> |
| image.repository | | <code>"dbgate/dbgate"</code> |
| image.pullPolicy | | <code>Always</code> |
| image.tag | Overrides the image tag whose default is the chart appVersion. | <code>"alpine"</code> |
| image.tag | Overrides the image tag whose default is the chart appVersion. | <code>"5.3.1-alpine"</code> |
| imagePullSecrets | | <code>[]</code> |
| nameOverride | | <code>""</code> |
| fullnameOverride | | <code>""</code> |
@@ -65,7 +65,7 @@ The following table lists the configurable parameters of the `dbgate` chart and
| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | <code>""</code> |
| podAnnotations | | <code>{}</code> |
| podSecurityContext | | <code>{}</code> |
| securityContext | | <code>{}</code> |
| securityContext | | <code>{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}</code> |
| service.type | | <code>ClusterIP</code> |
| service.port | | <code>80</code> |
| resources | | <code>{}</code> |
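Review bot: the description cell for `securityContext` is still empty while its default is now a long JSON blob that readers have to decode; since this table is generated from `values.yaml` (the `+doc-gen:break` marker), give `securityContext` a one-line description there in the same way `serviceAccount.name` has one, stating that these defaults satisfy the restricted Pod Security Standard and which keys to relax for an image that needs a writable root filesystem.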
20 changes: 10 additions & 10 deletions charts/dbgate/values.yaml
@@ -22,7 +22,7 @@ image:
repository: "dbgate/dbgate"
pullPolicy: Always
# Overrides the image tag whose default is the chart appVersion.
tag: "alpine"
tag: "5.3.1-alpine"

imagePullSecrets: []
nameOverride: ""
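Review bot: replacing the floating `alpine` tag with `5.3.1-alpine` is the right direction for supply-chain hygiene, but a version tag can still be re-pointed upstream; if the deployment template can be taught to render an `image.digest` value, pinning to `dbgate/dbgate@sha256:<digest>` would make the default immutable. With a pinned tag, `pullPolicy: Always` two lines above is no longer needed for freshness, though it is harmless.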
@@ -42,15 +42,15 @@ podAnnotations: {}
podSecurityContext: {}
# fsGroup: 2000

securityContext: {}
# allowPrivilegeEscalation: false
# capabilities:
# drop: ["ALL"]
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 65534
# # seccompProfile:
# # type: RuntimeDefault
securityContext: # +doc-gen:break
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault

service:
type: ClusterIP
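Review bot: `readOnlyRootFilesystem: true` becomes the default in this hunk, but the part of this commit rendered here shows no change to `charts/dbgate/templates/deployment.yaml` adding writable `emptyDir` mounts (pgadmin gets `datadir` and `logdir` in the same commit); confirm that the dbgate image writes nothing under `/` at runtime as uid 65534 (temp files, a home directory, its own data directory), otherwise the pod will fail with read-only filesystem errors on first start. Also verify that the deployment template actually renders `.Values.securityContext` into the container spec, since these defaults only take effect through it.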
2 changes: 1 addition & 1 deletion charts/mongo-ui/README.md
@@ -65,7 +65,7 @@ The following table lists the configurable parameters of the `mongo-ui` chart an
| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | <code>""</code> |
| podAnnotations | | <code>{}</code> |
| podSecurityContext | | <code>{}</code> |
| securityContext | | <code>{}</code> |
| securityContext | | <code>{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}</code> |
| service.type | | <code>ClusterIP</code> |
| service.port | | <code>80</code> |
| resources | | <code>{}</code> |
18 changes: 9 additions & 9 deletions charts/mongo-ui/values.yaml
@@ -42,15 +42,15 @@ podAnnotations: {}
podSecurityContext: {}
# fsGroup: 2000

securityContext: {}
# allowPrivilegeEscalation: false
# capabilities:
# drop: ["ALL"]
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 65534
# seccompProfile:
# type: RuntimeDefault
securityContext: # +doc-gen:break
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault

service:
type: ClusterIP
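Review bot: `readOnlyRootFilesystem: true` together with `runAsUser: 65534` requires every path the mongo-ui image writes at runtime to be backed by a mounted volume, and no change to the mongo-ui deployment template is visible in this commit; a test install in a namespace labelled `pod-security.kubernetes.io/enforce: restricted` would confirm both that the pod is admitted and that the container stays healthy past startup. The `# fsGroup: 2000` hint under `podSecurityContext` is worth keeping for users who attach a persistent volume.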
2 changes: 1 addition & 1 deletion charts/pgadmin/Chart.yaml
@@ -3,7 +3,7 @@ name: pgadmin
description: pgAdmin Helm chart for Kubernetes
type: application
version: v2024.4.27
appVersion: v2024.4.27
appVersion: "8.9"
home: https://www.pgadmin.org
icon: https://cdn.appscode.com/images/products/kubedb/kubedb-icon.png
maintainers:
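Review bot: quoting `appVersion: "8.9"` matters here, since `image.tag` is emptied in this commit and the image tag now falls back to `appVersion`; an unquoted value such as `8.10` would be parsed by YAML as the float 8.1 and produce a non-existent tag, so keep the quotes on future bumps. As with the other charts, `version` should be bumped alongside this change because the default `securityContext`, the container port and a volume name all change for existing releases.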
4 changes: 2 additions & 2 deletions charts/pgadmin/README.md
@@ -56,7 +56,7 @@ The following table lists the configurable parameters of the `pgadmin` chart and
| replicaCount | | <code>1</code> |
| image.repository | | <code>"dpage/pgadmin4"</code> |
| image.pullPolicy | | <code>Always</code> |
| image.tag | Overrides the image tag whose default is the chart appVersion. | <code>"latest"</code> |
| image.tag | Overrides the image tag whose default is the chart appVersion. | <code>""</code> |
| imagePullSecrets | | <code>[]</code> |
| nameOverride | | <code>""</code> |
| fullnameOverride | | <code>""</code> |
@@ -65,7 +65,7 @@ The following table lists the configurable parameters of the `pgadmin` chart and
| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | <code>""</code> |
| podAnnotations | | <code>{}</code> |
| podSecurityContext | | <code>{}</code> |
| securityContext | | <code>{}</code> |
| securityContext | | <code>{"allowPrivilegeEscalation":false,"runAsGroup":5050,"runAsNonRoot":true,"runAsUser":5050,"seccompProfile":{"type":"RuntimeDefault"}}</code> |
| service.type | | <code>ClusterIP</code> |
| service.port | | <code>80</code> |
| resources | | <code>{}</code> |
17 changes: 14 additions & 3 deletions charts/pgadmin/templates/deployment.yaml
@@ -89,9 +89,16 @@ spec:
value: "False"
- name: PGADMIN_CONFIG_WTF_CSRF_ENABLED
value: "False"
# avoid need for sudo
# https://github.com/pgadmin-org/pgadmin4/blob/REL-8_9/pkg/docker/entrypoint.sh#L94
# postfix is used to send password reset emails. This feature is not used.
- name: PGADMIN_DISABLE_POSTFIX
value: "True"
- name: PGADMIN_LISTEN_PORT
value: "8080"
ports:
- name: http
containerPort: 80
containerPort: 8080
protocol: TCP
# livenessProbe:
# httpGet:
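Review bot: moving `PGADMIN_LISTEN_PORT` and `containerPort` to 8080 is what allows the container to run as a non-root uid without `NET_BIND_SERVICE`, since ports below 1024 are privileged; make sure the Service template's `targetPort` references the unchanged port name `http` rather than the literal `80`, otherwise `service.port: 80` in `values.yaml` would forward to a port nothing listens on. If the commented-out `livenessProbe` below is ever enabled, it must also target `http` or 8080.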
@@ -113,13 +120,17 @@ spec:
mountPath: /pgadmin4/config_local.py
subPath: config_local.py
readOnly: true
- name: data
- name: datadir
mountPath: /var/lib/pgadmin
- name: logdir
mountPath: /var/log/pgadmin
volumes:
- name: config
secret:
secretName: {{ include "pgadmin.serviceAccountName" . }}-config
- name: data
- name: datadir
emptyDir: {}
- name: logdir
emptyDir: {}
{{- if .Values.authzproxy.params.platformCABundle }}
- name: platform-auth
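Review bot: backing `/var/lib/pgadmin` with `emptyDir` means whatever pgAdmin stores there (its configuration database) is discarded every time the pod is rescheduled; if that is intended for this deployment, say so in a comment on `datadir`, and if not, expose a persistent-volume option for `datadir` in `values.yaml`. Renaming the volume from `data` to `datadir` also breaks any user overrides that reference the old name, which is one more reason to bump the chart version with this commit.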
15 changes: 8 additions & 7 deletions charts/pgadmin/values.yaml
@@ -22,7 +22,7 @@ image:
repository: "dpage/pgadmin4"
pullPolicy: Always
# Overrides the image tag whose default is the chart appVersion.
tag: "latest"
tag: ""

imagePullSecrets: []
nameOverride: ""
@@ -42,15 +42,16 @@ podAnnotations: {}
podSecurityContext: {}
# fsGroup: 2000

securityContext: {}
# allowPrivilegeEscalation: false
securityContext: # +doc-gen:break
allowPrivilegeEscalation: false
# capabilities:
# drop: ["ALL"]
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 65534
# seccompProfile:
# type: RuntimeDefault
runAsNonRoot: true
runAsUser: 5050
runAsGroup: 5050
seccompProfile:
type: RuntimeDefault

service:
type: ClusterIP
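Review bot: `# capabilities:` / `# drop: ["ALL"]` stay commented out here, but dropping all capabilities is a hard requirement of the restricted Pod Security Standard, so a namespace enforcing `restricted` will still reject this pod even with `runAsNonRoot`, `allowPrivilegeEscalation: false` and `seccompProfile: RuntimeDefault` set; uncomment both lines (pgAdmin no longer needs to bind port 80 after the move to 8080 in this commit). `# readOnlyRootFilesystem: true` could be enabled as well now that `datadir` and `logdir` are mounted as `emptyDir`, after checking for remaining writes under `/`. The stale `# runAsUser: 65534` comment sitting directly above the active `runAsUser: 5050` is misleading and should be deleted.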