Merge pull request #32 from PrivateBin/securitycontext

add security context that we recommend for the image
PrivateBin · Nov 4, 2021 · 41ed99f · 41ed99f
2 parents 93ac46b + 7ce49f8
commit 41ed99f
Show file tree

Hide file tree

Showing 5 changed files with 42 additions and 2 deletions.
diff --git a/charts/privatebin/Chart.yaml b/charts/privatebin/Chart.yaml
@@ -5,7 +5,7 @@ description: A Helm chart for installing PrivateBin
 name: privatebin
 home: https://privatebin.info/
 icon: https://raw.githubusercontent.com/PrivateBin/assets/master/images/preview/icon.png
-version: 0.9.1
+version: 0.10.0
 maintainers:
   - name: bdashrad
     email: bdashrad@gmail.com

diff --git a/charts/privatebin/templates/_helpers.tpl b/charts/privatebin/templates/_helpers.tpl
@@ -51,4 +51,4 @@ Return the appropriate apiVersion for podsecuritypolicy.
 {{- else if semverCompare "^1.10-0" .Capabilities.KubeVersion.GitVersion -}}
 {{- print "policy/v1beta1" -}}
 {{- end -}}
-{{- end -}}
+{{- end -}}
diff --git a/charts/privatebin/templates/deployment.yaml b/charts/privatebin/templates/deployment.yaml
@@ -33,6 +33,10 @@ spec:
       {{- end }}
     spec:
       serviceAccountName: {{ include "privatebin.serviceAccountName" . }}
+      securityContext:
+        runAsUser: {{ .Values.securityContext.runAsUser }}
+        runAsGroup: {{ .Values.securityContext.runAsGroup }}
+        fsGroup: {{ .Values.securityContext.fsGroup }}
       containers:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ default .Chart.AppVersion .Values.image.tag }}"
@@ -41,6 +45,10 @@ spec:
             - name: http
               containerPort: 8080
               protocol: TCP
+          securityContext:
+            readOnlyRootFilesystem: true
+            privileged: false
+            allowPrivilegeEscalation: false
           livenessProbe:
             httpGet:
               path: /

diff --git a/charts/privatebin/templates/statefulset.yaml b/charts/privatebin/templates/statefulset.yaml
@@ -14,6 +14,7 @@ metadata:
       {{ toYaml .Values.additionalLabels | nindent 4 }}
     {{- end }}
 spec:
+  serviceName: {{ include "privatebin.fullname" . }}
   selector:
     matchLabels:
       app.kubernetes.io/name: {{ include "privatebin.name" . }}
@@ -33,6 +34,22 @@ spec:
         {{- end }}
     spec:
       serviceAccountName: {{ include "privatebin.serviceAccountName" . }}
+      securityContext:
+        runAsUser: {{ .Values.securityContext.runAsUser }}
+        runAsGroup: {{ .Values.securityContext.runAsGroup }}
+        fsGroup: {{ .Values.securityContext.fsGroup }}
+      initContainers:
+        - name: set-volume-permissions
+          image: "{{ .Values.initChownData.image.repository }}:{{ .Values.initChownData.image.tag }}"
+          imagePullPolicy: {{ .Values.initChownData.image.pullPolicy }}
+          command:
+            - chown
+            - -R
+            - "{{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.runAsGroup }}"
+            - /srv/cfg
+          volumeMounts:
+            - name: configs
+              mountPath: /srv/cfg
       containers:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ default .Chart.AppVersion .Values.image.tag }}"
@@ -41,6 +58,10 @@ spec:
             - name: http
               containerPort: 8080
               protocol: TCP
+          securityContext:
+            readOnlyRootFilesystem: true
+            privileged: false
+            allowPrivilegeEscalation: false
           livenessProbe:
             httpGet:
               path: /

diff --git a/charts/privatebin/values.yaml b/charts/privatebin/values.yaml
@@ -41,6 +41,17 @@ controller:
     ##
     # storageClass: "-"
 
+initChownData:
+  image:
+    repository: busybox
+    tag: 1.31.1
+    pullPolicy: IfNotPresent
+
+securityContext:
+  runAsUser: 65534
+  runAsGroup: 82
+  fsGroup: 82
+
 ingress:
   enabled: false
   annotations: {}