feat(chart): Set allowPrivilegeEscalation: false
The container ports needed to be changed to 8080 and 8443 for this purpose. Service ports remain unchanged.
The capability NET_BIND_SERVICE is still needed. Otherwise, the nginx process cannot even be started, due to the file capability on `/usr/sbin/nginx` in the image.
There is no change in the image.
PSanetra committed Aug 15, 2024
1 parent f1843a9 commit ee29ddb
Showing 3 changed files with 38 additions and 26 deletions.
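Before the diff, an added example that is not part of this commit or the chart: a small Python policy check over a rendered Deployment (passed in as a dict, so no YAML library is needed) that enforces the settings this commit introduces, with sample input constructed from the before and after sides of the snapshot and values.yaml below; the `_deployment` helper and the finding strings are this example's own.

```python
# Added example (not the chart's code): policy check over a rendered Deployment
# given as a dict; _deployment() and the finding strings are constructs here.

def check_container(container):
    """Return the list of findings for one container spec (empty = pass)."""
    findings = []
    sc = container.get("securityContext") or {}
    added = set((sc.get("capabilities") or {}).get("add") or [])

    # Absent allowPrivilegeEscalation defaults to true, which would let a
    # setuid or file-capability binary in the image gain privileges on exec.
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append("allowPrivilegeEscalation is not set to false")
    if sc.get("runAsNonRoot") is not True:
        findings.append("runAsNonRoot is not set to true")
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append("readOnlyRootFilesystem is not set to true")

    # NET_BIND_SERVICE is the only capability this chart adds on purpose.
    for cap in sorted(added - {"NET_BIND_SERVICE"}):
        findings.append(f"unexpected capability added: {cap}")

    # A port below 1024 cannot be bound without NET_BIND_SERVICE. The reverse
    # (capability kept with high ports) is not flagged: per the commit message
    # the file capability on /usr/sbin/nginx still requires it at exec time.
    for port in container.get("ports") or []:
        num = port.get("containerPort", 0)
        if num < 1024 and "NET_BIND_SERVICE" not in added:
            findings.append(f"port {num} < 1024 but NET_BIND_SERVICE not added")
    return findings

def check_deployment(deployment):
    """Map each container name in a Deployment to its findings."""
    containers = deployment["spec"]["template"]["spec"]["containers"]
    return {c["name"]: check_container(c) for c in containers}

def _deployment(port, security_context):
    # Minimal Deployment shaped like the chart's snapshot (constructed input).
    return {"spec": {"template": {"spec": {"containers": [{
        "name": "single-page-application",
        "ports": [{"containerPort": port, "name": "http", "protocol": "TCP"}],
        "securityContext": security_context}]}}}}

# The two sides of the deployment snapshot in this commit, as constructed data.
BEFORE = _deployment(80, {"capabilities": {"add": ["NET_BIND_SERVICE"]},
                          "readOnlyRootFilesystem": True, "runAsNonRoot": True})
AFTER = _deployment(8080, {"allowPrivilegeEscalation": False,
                           "capabilities": {"add": ["NET_BIND_SERVICE"]},
                           "readOnlyRootFilesystem": True, "runAsNonRoot": True})
```

Running `check_deployment` on `BEFORE` reports only the missing `allowPrivilegeEscalation: false`; on `AFTER` it reports nothing.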
4 changes: 2 additions & 2 deletions chart/tests/__snapshot__/config_test.yaml.snap
Expand Up @@ -7,10 +7,10 @@ should render minimal values:
base_href: /
http:
enabled: true
port: 80
port: 8080
https:
enabled: false
port: 443
port: 8443
ssl_certificate: /var/run/secrets/tls/tls.crt
ssl_certificate_key: /var/run/secrets/tls/tls.key
spa_config:
55 changes: 33 additions & 22 deletions chart/tests/__snapshot__/deployment_test.yaml.snap
Expand Up @@ -20,7 +20,7 @@ should mount tls secret if openshift.route.enabled and openshift.route.tls.termi
template:
metadata:
annotations:
checksum/config-map: d2cf2f3a678c322f5883feac881f8be66a90c8fd
checksum/config-map: 43633eff2ae8df4ab6f985258e64f974bb811f35
labels:
app.kubernetes.io/component: frontend
app.kubernetes.io/instance: default
Expand All @@ -39,7 +39,7 @@ should mount tls secret if openshift.route.enabled and openshift.route.tls.termi
port: http
name: single-page-application
ports:
- containerPort: 80
- containerPort: 8080
name: http
protocol: TCP
readinessProbe:
Expand All @@ -54,6 +54,7 @@ should mount tls secret if openshift.route.enabled and openshift.route.tls.termi
cpu: 100m
memory: 512Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_BIND_SERVICE
Expand Down Expand Up @@ -117,7 +118,7 @@ should not render replicas if autoscaling is enabled:
template:
metadata:
annotations:
checksum/config-map: d2cf2f3a678c322f5883feac881f8be66a90c8fd
checksum/config-map: 43633eff2ae8df4ab6f985258e64f974bb811f35
labels:
app.kubernetes.io/component: frontend
app.kubernetes.io/instance: default
Expand All @@ -136,7 +137,7 @@ should not render replicas if autoscaling is enabled:
port: http
name: single-page-application
ports:
- containerPort: 80
- containerPort: 8080
name: http
protocol: TCP
readinessProbe:
Expand All @@ -151,6 +152,7 @@ should not render replicas if autoscaling is enabled:
cpu: 100m
memory: 512Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_BIND_SERVICE
Expand Down Expand Up @@ -207,7 +209,7 @@ should render minimal values:
template:
metadata:
annotations:
checksum/config-map: d2cf2f3a678c322f5883feac881f8be66a90c8fd
checksum/config-map: 43633eff2ae8df4ab6f985258e64f974bb811f35
labels:
app.kubernetes.io/component: frontend
app.kubernetes.io/instance: default
Expand All @@ -226,7 +228,7 @@ should render minimal values:
port: http
name: single-page-application
ports:
- containerPort: 80
- containerPort: 8080
name: http
protocol: TCP
readinessProbe:
Expand All @@ -241,6 +243,7 @@ should render minimal values:
cpu: 100m
memory: 512Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_BIND_SERVICE
Expand Down Expand Up @@ -297,7 +300,7 @@ should render with affinity:
template:
metadata:
annotations:
checksum/config-map: d2cf2f3a678c322f5883feac881f8be66a90c8fd
checksum/config-map: 43633eff2ae8df4ab6f985258e64f974bb811f35
labels:
app.kubernetes.io/component: frontend
app.kubernetes.io/instance: default
Expand Down Expand Up @@ -325,7 +328,7 @@ should render with affinity:
port: http
name: single-page-application
ports:
- containerPort: 80
- containerPort: 8080
name: http
protocol: TCP
readinessProbe:
Expand All @@ -340,6 +343,7 @@ should render with affinity:
cpu: 100m
memory: 512Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_BIND_SERVICE
Expand Down Expand Up @@ -396,7 +400,7 @@ should render with extra volume:
template:
metadata:
annotations:
checksum/config-map: d2cf2f3a678c322f5883feac881f8be66a90c8fd
checksum/config-map: 43633eff2ae8df4ab6f985258e64f974bb811f35
labels:
app.kubernetes.io/component: frontend
app.kubernetes.io/instance: default
Expand All @@ -415,7 +419,7 @@ should render with extra volume:
port: http
name: single-page-application
ports:
- containerPort: 80
- containerPort: 8080
name: http
protocol: TCP
readinessProbe:
Expand All @@ -430,6 +434,7 @@ should render with extra volume:
cpu: 100m
memory: 512Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_BIND_SERVICE
Expand Down Expand Up @@ -493,7 +498,7 @@ should render with nodeSelector:
template:
metadata:
annotations:
checksum/config-map: d2cf2f3a678c322f5883feac881f8be66a90c8fd
checksum/config-map: 43633eff2ae8df4ab6f985258e64f974bb811f35
labels:
app.kubernetes.io/component: frontend
app.kubernetes.io/instance: default
Expand All @@ -512,7 +517,7 @@ should render with nodeSelector:
port: http
name: single-page-application
ports:
- containerPort: 80
- containerPort: 8080
name: http
protocol: TCP
readinessProbe:
Expand All @@ -527,6 +532,7 @@ should render with nodeSelector:
cpu: 100m
memory: 512Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_BIND_SERVICE
Expand Down Expand Up @@ -585,7 +591,7 @@ should render with pull secret:
template:
metadata:
annotations:
checksum/config-map: d2cf2f3a678c322f5883feac881f8be66a90c8fd
checksum/config-map: 43633eff2ae8df4ab6f985258e64f974bb811f35
labels:
app.kubernetes.io/component: frontend
app.kubernetes.io/instance: default
Expand All @@ -604,7 +610,7 @@ should render with pull secret:
port: http
name: single-page-application
ports:
- containerPort: 80
- containerPort: 8080
name: http
protocol: TCP
readinessProbe:
Expand All @@ -619,6 +625,7 @@ should render with pull secret:
cpu: 100m
memory: 512Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_BIND_SERVICE
Expand Down Expand Up @@ -677,7 +684,7 @@ should render with tolerations:
template:
metadata:
annotations:
checksum/config-map: d2cf2f3a678c322f5883feac881f8be66a90c8fd
checksum/config-map: 43633eff2ae8df4ab6f985258e64f974bb811f35
labels:
app.kubernetes.io/component: frontend
app.kubernetes.io/instance: default
Expand All @@ -696,7 +703,7 @@ should render with tolerations:
port: http
name: single-page-application
ports:
- containerPort: 80
- containerPort: 8080
name: http
protocol: TCP
readinessProbe:
Expand All @@ -711,6 +718,7 @@ should render with tolerations:
cpu: 100m
memory: 512Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_BIND_SERVICE
Expand Down Expand Up @@ -771,7 +779,7 @@ should support alternative http port:
template:
metadata:
annotations:
checksum/config-map: a65dc1dcf5388bced1711c8a1233763c4cfb3441
checksum/config-map: 43633eff2ae8df4ab6f985258e64f974bb811f35
labels:
app.kubernetes.io/component: frontend
app.kubernetes.io/instance: default
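Review bot: after this hunk the `should support alternative http port` test renders the same ConfigMap checksum (`43633eff2ae8df4ab6f985258e64f974bb811f35`) as `should render minimal values`, so the "alternative" port in that test must equal the new default of 8080 and the test no longer exercises an override; change the test's `config.http.port` override to a value that differs from the new default so the snapshot keeps covering that path.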
Expand Down Expand Up @@ -805,6 +813,7 @@ should support alternative http port:
cpu: 100m
memory: 512Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_BIND_SERVICE
Expand Down Expand Up @@ -861,7 +870,7 @@ should support alternative https port:
template:
metadata:
annotations:
checksum/config-map: dce4af80cd48a768c53dfab8d2832b9a29701d5e
checksum/config-map: d1faa34c3b94b214e37c114b061939cf7d75d9d5
labels:
app.kubernetes.io/component: frontend
app.kubernetes.io/instance: default
Expand All @@ -880,7 +889,7 @@ should support alternative https port:
port: http
name: single-page-application
ports:
- containerPort: 80
- containerPort: 8080
name: http
protocol: TCP
- containerPort: 8443
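Review bot: the unchanged context line `- containerPort: 8443` shows that the `should support alternative https port` test already used 8443, which this commit turns into the default; together with the ConfigMap checksum in the previous hunk now matching `should support enabling https` (`d1faa34c3b94b214e37c114b061939cf7d75d9d5`), the test has lost the case it was written for. Change its override to a port other than 8443.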
Expand All @@ -898,6 +907,7 @@ should support alternative https port:
cpu: 100m
memory: 512Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_BIND_SERVICE
Expand Down Expand Up @@ -954,7 +964,7 @@ should support enabling https:
template:
metadata:
annotations:
checksum/config-map: 321726841793faccc874ccca587d3c1092e28a33
checksum/config-map: d1faa34c3b94b214e37c114b061939cf7d75d9d5
labels:
app.kubernetes.io/component: frontend
app.kubernetes.io/instance: default
Expand All @@ -973,10 +983,10 @@ should support enabling https:
port: http
name: single-page-application
ports:
- containerPort: 80
- containerPort: 8080
name: http
protocol: TCP
- containerPort: 443
- containerPort: 8443
name: https
protocol: TCP
readinessProbe:
Expand All @@ -991,6 +1001,7 @@ should support enabling https:
cpu: 100m
memory: 512Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_BIND_SERVICE
5 changes: 3 additions & 2 deletions chart/values.yaml
Expand Up @@ -10,10 +10,10 @@ config:
endpoints: {}
http:
enabled: true
port: 80
port: 8080
https:
enabled: false
port: 443
port: 8443
ssl_certificate: /var/run/secrets/tls/tls.crt
ssl_certificate_key: /var/run/secrets/tls/tls.key
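Review bot: moving the shipped defaults for `config.http.port` and `config.https.port` from 80/443 to 8080/8443 is a behaviour change for anyone addressing the pod directly (NetworkPolicy rules, port-forward, sidecars written against the old numbers) even though the Service ports stay the same; a plain `feat` title hides that, so mark it as breaking in the commit footer and changelog. A one-line comment beside the new values saying they were raised above 1024 to run with `allowPrivilegeEscalation: false` would spare the next reader the archaeology.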

Expand Down Expand Up @@ -57,6 +57,7 @@ pod:
- NET_BIND_SERVICE
readOnlyRootFilesystem: true
runAsNonRoot: true
allowPrivilegeEscalation: false
livenessProbe:
httpGet:
path: /health/liveness
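Review bot: `allowPrivilegeEscalation: false` is added without a comment, and the reason `- NET_BIND_SERVICE` stays in `add:` now that the ports are above 1024 (the file capability on `/usr/sbin/nginx` in the image, without which the process cannot start) exists only in the commit message; put that explanation as a comment next to these lines in values.yaml, otherwise the capability looks unused and will be removed by a later cleanup. The hunk also does not show whether a `drop:` list precedes `add:`; pairing the single `add` with `drop: [ALL]` is the usual complement to `allowPrivilegeEscalation: false` and is worth confirming.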