diff --git a/chart/templates/_helpers.tpl b/chart/templates/_helpers.tpl
index 4e6ce7e6f..1c05c8660 100644
--- a/chart/templates/_helpers.tpl
+++ b/chart/templates/_helpers.tpl
@@ -57,3 +57,21 @@ Image Name
 {{- define "canary-checker.imageString" -}}
 {{ .Values.image.repository }}{{- if eq (lower .Values.image.type) "full" }}-full{{- end }}:{{ .Values.image.tag }}
 {{- end }}
+
+{{/*
+Container Security Context
+*/}}
+{{- define "canary-checker.containerSecurityContext" -}}
+allowPrivilegeEscalation: {{- if -eq (.Values.privilegeMode | toLower) "privileged"}}true{{- else }}false{{-end}}
+{{- if has (.Values.privilegeMode | toLower) ( list "privileged" "root" ) }}
+runAsUser: 0
+runAsGroup: 0
+fsGroup: 0
+{{- if -eq (.Values.privilegeMode | toLower) "privileged"}}
+capabilities:
+ add:
+ - CAP_NET_RAW
+{{- end }}
+{{- end }}
+{{- end }}
+
diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml
index 4632bc851..83aab0c76 100644
--- a/chart/templates/deployment.yaml
+++ b/chart/templates/deployment.yaml
@@ -6,21 +6,18 @@ kind: Deployment
 {{- end }}
 metadata:
 name: {{ include "canary-checker.name" . }}
- labels:
- {{- include "canary-checker.labels" . | nindent 4 }}
+ labels: {{- include "canary-checker.labels" . | nindent 4 }}
 spec:
 replicas: {{ .Values.replicas }}
 selector:
- matchLabels:
- {{- include "canary-checker.selectorLabels" . | nindent 6 }}
+ matchLabels: {{- include "canary-checker.selectorLabels" . | nindent 6 }}
 {{- if eq .Values.db.external.enabled false }}
 {{- if eq .Values.db.embedded.persist true }}
 serviceName: {{ include "canary-checker.fullname" . }}
 volumeClaimTemplates:
 - metadata:
 name: canarychecker-database
- labels:
- {{- include "canary-checker.labels" . | nindent 10 }}
+ labels: {{- include "canary-checker.labels" . | nindent 10 }}
 spec:
 storageClassName: {{ .Values.db.embedded.storageClass }}
 accessModes: ["ReadWriteOnce"]
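Review bot: The new `canary-checker.containerSecurityContext` helper will not render as written: `if -eq` is not valid template syntax (it should be `eq`, on both `if` lines), `{{-end}}` needs a space after the trim marker, and the `{{-` that directly follows `allowPrivilegeEscalation: ` trims the space after the colon, so the output would be `allowPrivilegeEscalation:true` rather than a key/value pair. Separately, `fsGroup` is a field of the pod-level securityContext, not of a container's, so the `fsGroup: 0` emitted here will be rejected or dropped by the API server once the helper is included under a container. In the unprivileged branch the helper emits only `allowPrivilegeEscalation: false`, so the "runs as non-root" promise in values.yaml rests entirely on the image's USER; if the image does default to a non-root user, a `runAsNonRoot: true` else branch would let the cluster enforce it (confirm the image's user before adopting that line). The rewritten helper body follows.
```gotmpl
{{- define "canary-checker.containerSecurityContext" -}}
{{- $mode := .Values.privilegeMode | toLower -}}
allowPrivilegeEscalation: {{ if eq $mode "privileged" }}true{{ else }}false{{ end }}
{{- if has $mode (list "privileged" "root") }}
runAsUser: 0
runAsGroup: 0
{{- if eq $mode "privileged" }}
capabilities:
  add:
    - CAP_NET_RAW
{{- end }}
{{- else }}
runAsNonRoot: true
{{- end }}
{{- end }}
```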
@@ -31,8 +28,7 @@ spec:
 {{- end }}
 template:
 metadata:
- labels:
- {{- include "canary-checker.selectorLabels" . | nindent 8 }}
+ labels: {{- include "canary-checker.selectorLabels" . | nindent 8 }}
 spec:
 serviceAccountName: {{ include "canary-checker.fullname" . }}-sa
 volumes:
@@ -58,15 +54,9 @@ spec:
 - path: "labels"
 fieldRef:
 fieldPath: metadata.labels
- securityContext:
- fsGroup: 1000
 containers:
 - name: {{ include "canary-checker.name" . }}
- securityContext:
- allowPrivilegeEscalation: {{.Values.allowPrivilegeEscalation}}
- capabilities:
- add:
- - CAP_NET_RAW
+ securityContext: {{- include "canary-checker.containerSecurityContext" . | nindent 12 }}
 image: {{ include "canary-checker.imageString" . }}
 imagePullPolicy: "{{ .Values.image.pullPolicy }}"
 env:
@@ -109,8 +99,7 @@ spec:
 - "8080"
 - --disable-postgrest={{ .Values.disablePostgrest }}
 - --db-migrations={{ .Values.db.runMigrations }}
- resources:
- {{- toYaml .Values.resources | nindent 12 }}
+ resources: {{- toYaml .Values.resources | nindent 12 }}
 livenessProbe:
 httpGet:
 path: /health
@@ -120,5 +109,5 @@ spec:
 path: /health
 port: 8080
 {{- with .Values.extra }}
- {{- toYaml . | nindent 6 }}
+ {{- toYaml . | indent 6 }}
 {{- end }}
diff --git a/chart/values.yaml b/chart/values.yaml
index ccd076f40..8ab0f3f71 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -23,6 +23,12 @@ disablePostgrest: false
 debug: false
 logLevel: "-v"
 
+## Options: unprivileged | root | privileged
+## unprivileged: runs as noot root user, cannot escalate permissions
+## root: runs as root user, cannot escalate permissions. Required to run ping checks
+## privileged: runs as root user, may escalate CAP_NET_RAW. Required to run docker and container checks
+privilegeMode: unprivileged
+
 db:
 runMigrations: false
 embedded:
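Review bot: Removing the pod-level `securityContext: fsGroup: 1000` leaves the pod with no fsGroup at all, because the helper now included on the `securityContext:` line of the container renders only at container scope, where `fsGroup` is not a valid field. If the embedded database's persistent volume relied on group 1000 for write access in unprivileged mode, this is a likely regression for the default install. Restoring a pod-level block above `containers:`, e.g. `securityContext:` / `  fsGroup: {{ if has (.Values.privilegeMode | toLower) (list "privileged" "root") }}0{{ else }}1000{{ end }}`, keeps the previous behaviour while following the new mode switch. The container definition continues beyond the end of this hunk.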
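Review bot: The switch from `nindent 6` to `indent 6` on the `toYaml .` line looks like it breaks rendering whenever `.Values.extra` is set: the `{{-` at the start of that line trims the newline that follows `{{- with .Values.extra }}`, and `indent`, unlike `nindent`, does not emit a leading newline, so the extra block is appended to the end of the `port: 8080` line. Unless something outside the hunk supplies that newline, keep `{{- toYaml . | nindent 6 }}`. With an empty default for `extra` the `with` block is skipped, so a default `helm template` run would not surface this.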
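Review bot: The comment on the `unprivileged` option reads `runs as noot root user`; it should read `runs as non-root user`. The comment block is also the natural place to state that the chart no longer reads the previous `allowPrivilegeEscalation` value, which deployment.yaml now derives from `privilegeMode`; an existing override of the old key is silently ignored on upgrade, and a user who set it to run ping checks now needs `privilegeMode: root` instead. A short line such as `## Replaces the former allowPrivilegeEscalation value, which is no longer read` would make that explicit.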