Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[bitnami/ghost] feat!: 🔒 💥 Improve security defaults #24785

Merged
merged 2 commits into from
Apr 4, 2024
Merged

[bitnami/ghost] feat!: 🔒 💥 Improve security defaults #24785

merged 2 commits into from
Apr 4, 2024

Conversation

javsalgar
Copy link
Contributor

BREAKING CHANGE

Signed-off-by: Javier Salmeron Garcia jsalmeron@vmware.com

Description of the change

This major bump changes the following security defaults:

  • runAsGroup is changed from 0 to 1001
  • readOnlyRootFilesystem is set to true
  • resourcesPreset is changed from none to the minimum size working in our test suites (NOTE: resourcesPreset is not meant for production usage, but resources adapted to your use case).
  • global.compatibility.openshift.adaptSecurityContext is changed from disabled to auto.

Benefits

  • Better compliance with NSA and MITRE security checklists
  • Improved compatibility with Openshift

Possible drawbacks

This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones.

Applicable issues

Additional information

Checklist

  • Chart version bumped in Chart.yaml according to semver. This is not necessary when the changes only affect README.md files.
  • Variables are documented in the values.yaml and added to the README.md using readme-generator-for-helm
  • Title of the pull request follows this pattern [bitnami/<name_of_the_chart>] Descriptive title
  • All commits signed off and in agreement of Developer Certificate of Origin (DCO)

@javsalgar
[bitnami/ghost] feat!: 🔒 💥 Improve security defaults
917e3ac 
Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
@github-actions github-actions bot added the ghost label Apr 2, 2024
@bitnami-bot bitnami-bot added the verify Execute verification workflow for these changes label Apr 2, 2024
@github-actions github-actions bot requested a review from juan131 April 2, 2024 09:17
juan131
juan131 reviewed Apr 3, 2024
View reviewed changes
bitnami/ghost/templates/deployment.yaml
Comment on lines +68 to +94
- name: prepare-base-dir
image: {{ include "ghost.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
{{- if .Values.resources }}
resources: {{- toYaml .Values.resources | nindent 12 }}
{{- else if ne .Values.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }}
{{- end }}
{{- if .Values.containerSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
command:
- /bin/bash
args:
- -ec
- |
#!/bin/bash

. /opt/bitnami/scripts/liblog.sh

info "Copying base dir to empty dir"
# In order to not break the application functionality (such as upgrades or plugins) we need
# to make the base directory writable, so we need to copy it to an empty dir volume
cp -r --preserve=mode /opt/bitnami/ghost /emptydir/app-base-dir
volumeMounts:
- name: empty-dir
mountPath: /emptydir
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No symlinks?

Copy link
Contributor Author

@javsalgar javsalgar Apr 3, 2024
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ghost does not use apache, and Ghost already prints to stdout

@javsalgar
fix: 🐛 Use .containerPort in networkPolicy
2c6018e 
Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
@javsalgar javsalgar requested a review from juan131 April 3, 2024 15:40
juan131
juan131 approved these changes Apr 4, 2024
View reviewed changes
Copy link
Contributor

@juan131 juan131 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@javsalgar javsalgar merged commit e7e570a into main Apr 4, 2024
11 checks passed
@javsalgar javsalgar deleted the feature/ghost-major-security branch April 4, 2024 08:02
@github-actions github-actions bot added the solved label Apr 4, 2024
djjudas21 pushed a commit to djjudas21/bitnami-charts that referenced this pull request Apr 17, 2024
@javsalgar @djjudas21
[bitnami/ghost] feat!: 🔒 💥 Improve security defaults (bitnami#24785)
c801a1f 
* [bitnami/ghost] feat!: 🔒 💥 Improve security defaults

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* fix: 🐛 Use .containerPort in networkPolicy

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

---------

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
Signed-off-by: Jonathan Gazeley <me@jonathangazeley.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@juan131 juan131 juan131 approved these changes

Assignees

@juan131 juan131

Labels
bitnami ghost solved verify Execute verification workflow for these changes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@javsalgar @juan131 @bitnami-bot