goharbor · funkypenguin · Sep 19, 2022 · Sep 19, 2022 · Sep 21, 2022 · Sep 21, 2022
diff --git a/README.md b/README.md
diff --git a/templates/chartmuseum/chartmuseum-dpl.yaml b/templates/chartmuseum/chartmuseum-dpl.yaml
@@ -41,6 +41,7 @@ spec:
       securityContext:
         runAsUser: 10000
         fsGroup: 10000
+        runAsNonRoot: true
 {{- if .Values.chartmuseum.serviceAccountName }}
       serviceAccountName: {{ .Values.chartmuseum.serviceAccountName }}
 {{- end -}}
@@ -141,6 +142,10 @@ spec:
         {{- if .Values.caBundleSecretName }}
 {{ include "harbor.caBundleVolumeMount" . | indent 8 }}
         {{- end }}
+        {{- with .Values.chartmuseum.containerSecurityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
       volumes:
       - name: chartmuseum-data
       {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "filesystem") }}

diff --git a/templates/core/core-dpl.yaml b/templates/core/core-dpl.yaml
@@ -33,6 +33,7 @@ spec:
       securityContext:
         runAsUser: 10000
         fsGroup: 10000
+        runAsNonRoot: true
 {{- if .Values.core.serviceAccountName }}
       serviceAccountName: {{ .Values.core.serviceAccountName }}
 {{- end -}}
@@ -144,6 +145,10 @@ spec:
         resources:
 {{ toYaml .Values.core.resources | indent 10 }}
 {{- end }}
+        {{- with .Values.core.containerSecurityContext }}
+        securityContext:
+          {{ toYaml . | nindent 10 }}
+        {{- end }}        
       volumes:
       - name: config
         configMap:

diff --git a/templates/database/database-ss.yaml b/templates/database/database-ss.yaml
@@ -28,6 +28,7 @@ spec:
       securityContext:
         runAsUser: 999
         fsGroup: 999
+        runAsNonRoot: true
 {{- if .Values.database.internal.serviceAccountName }}
       serviceAccountName: {{ .Values.database.internal.serviceAccountName }}
 {{- end -}}
@@ -51,6 +52,10 @@ spec:
         resources:
 {{ toYaml .Values.database.internal.initContainer.migrator.resources | indent 10 }}
 {{- end }}
+        {{- with .Values.database.internal.containerSecurityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
         volumeMounts:
           - name: database-data
             mountPath: /var/lib/postgresql/data
@@ -68,6 +73,10 @@ spec:
         resources:
 {{ toYaml .Values.database.internal.initContainer.permissions.resources | indent 10 }}
 {{- end }}
+        {{- with .Values.database.internal.containerSecurityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
         volumeMounts:
           - name: database-data
             mountPath: /var/lib/postgresql/data
@@ -106,6 +115,10 @@ spec:
           subPath: {{ $database.subPath }}
         - name: shm-volume
           mountPath: /dev/shm
+        {{- with .Values.database.internal.containerSecurityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
       volumes:
       - name: shm-volume
         emptyDir:

diff --git a/templates/exporter/exporter-dpl.yaml b/templates/exporter/exporter-dpl.yaml
@@ -26,6 +26,7 @@ spec:
       securityContext:
         runAsUser: 10000
         fsGroup: 10000
+        runAsNonRoot: true
 {{- if .Values.exporter.serviceAccountName }}
       serviceAccountName: {{ .Values.exporter.serviceAccountName }}
 {{- end -}}
@@ -80,6 +81,10 @@ spec:
           # There are some metric data are collectd from harbor core.
           # When internal TLS is enabled, the Exporter need the CA file to collect these data.
         {{- end }}
+        {{- with .Values.exporter.containerSecurityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
       volumes:
       - name: config
         secret:

diff --git a/templates/exporter/exporter-svc.yaml b/templates/exporter/exporter-svc.yaml
@@ -7,7 +7,7 @@ metadata:
 {{ include "harbor.labels" . | indent 4 }}
 spec:
   ports:
-    - name: {{ template "harbor.metricsPortName" . }}
+    - name: metrics
       port: {{ .Values.metrics.exporter.port }}
   selector:
 {{ include "harbor.matchLabels" . | indent 4 }}

diff --git a/templates/jobservice/jobservice-dpl.yaml b/templates/jobservice/jobservice-dpl.yaml
@@ -39,6 +39,7 @@ spec:
       securityContext:
         runAsUser: 10000
         fsGroup: 10000
+        runAsNonRoot: true
 {{- if .Values.jobservice.serviceAccountName }}
       serviceAccountName: {{ .Values.jobservice.serviceAccountName }}
 {{- end -}}
@@ -117,6 +118,10 @@ spec:
         {{- if .Values.caBundleSecretName }}
 {{ include "harbor.caBundleVolumeMount" . | indent 8 }}
         {{- end }}
+        {{- with .Values.jobservice.containerSecurityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
       volumes:
       - name: jobservice-config
         configMap:

diff --git a/templates/nginx/deployment.yaml b/templates/nginx/deployment.yaml
@@ -37,6 +37,7 @@ spec:
       securityContext:
         runAsUser: 10000
         fsGroup: 10000
+        runAsNonRoot: true
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
@@ -82,6 +83,10 @@ spec:
         - name: certificate
           mountPath: /etc/nginx/cert
         {{- end }}
+        {{- with .Values.nginx.containerSecurityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
       volumes:
       - name: config
         configMap:

diff --git a/templates/notary/notary-server.yaml b/templates/notary/notary-server.yaml
@@ -27,6 +27,7 @@ spec:
       securityContext:
         runAsUser: 10000
         fsGroup: 10000
+        runAsNonRoot: true
 {{- if .Values.notary.server.serviceAccountName }}
       serviceAccountName: {{ .Values.notary.server.serviceAccountName }}
 {{- end -}}
@@ -75,6 +76,10 @@ spec:
         - name: signer-certificate
           mountPath: /etc/ssl/notary/ca.crt
           subPath: ca.crt
+        {{- with .Values.notary.server.containerSecurityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
       volumes:
       - name: config
         secret:

diff --git a/templates/notary/notary-signer.yaml b/templates/notary/notary-signer.yaml
@@ -26,6 +26,7 @@ spec:
       securityContext:
         runAsUser: 10000
         fsGroup: 10000
+        runAsNonRoot: true
 {{- if .Values.notary.signer.serviceAccountName }}
       serviceAccountName: {{ .Values.notary.signer.serviceAccountName }}
 {{- end -}}
@@ -76,6 +77,10 @@ spec:
         - name: signer-certificate
           mountPath: /etc/ssl/notary/tls.key
           subPath: tls.key
+        {{- with .Values.notary.signer.containerSecurityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
       volumes:
       - name: config
         secret:

diff --git a/templates/portal/deployment.yaml b/templates/portal/deployment.yaml
@@ -30,6 +30,7 @@ spec:
       securityContext:
         runAsUser: 10000
         fsGroup: 10000
+        runAsNonRoot: true
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
@@ -70,6 +71,10 @@ spec:
         - name: portal-internal-certs
           mountPath: /etc/harbor/ssl/portal
         {{- end }}
+        {{- with .Values.portal.containerSecurityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
       volumes:
       - name: portal-config
         configMap:

diff --git a/templates/redis/statefulset.yaml b/templates/redis/statefulset.yaml
@@ -27,6 +27,7 @@ spec:
       securityContext:
         runAsUser: 999
         fsGroup: 999
+        runAsNonRoot: true
 {{- if .Values.redis.internal.serviceAccountName }}
       serviceAccountName: {{ .Values.redis.internal.serviceAccountName }}
 {{- end -}}
@@ -58,6 +59,10 @@ spec:
         - name: data
           mountPath: /var/lib/redis
           subPath: {{ $redis.subPath }}
+        {{- with .Values.redis.internal.containerSecurityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}          
       {{- if not .Values.persistence.enabled }}
       volumes:
       - name: data

diff --git a/templates/registry/registry-dpl.yaml b/templates/registry/registry-dpl.yaml
@@ -42,6 +42,7 @@ spec:
         runAsUser: 10000
         fsGroup: 10000
         fsGroupChangePolicy: OnRootMismatch
+        runAsNonRoot: true
 {{- if .Values.registry.serviceAccountName }}
       serviceAccountName: {{ .Values.registry.serviceAccountName }}
 {{- end -}}
@@ -137,6 +138,10 @@ spec:
         {{- if .Values.caBundleSecretName }}
 {{ include "harbor.caBundleVolumeMount" . | indent 8 }}
         {{- end }}
+        {{- with .Values.registry.containerSecurityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}        
       - name: registryctl
         image: {{ .Values.registry.controller.image.repository }}:{{ .Values.registry.controller.image.tag }}
         imagePullPolicy: {{ .Values.imagePullPolicy }}
@@ -237,6 +242,10 @@ spec:
         {{- if .Values.caBundleSecretName }}
 {{ include "harbor.caBundleVolumeMount" . | indent 8 }}
         {{- end }}
+        {{- with .Values.registry.controller.containerSecurityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}        
       volumes:
       - name: registry-htpasswd
         secret:

diff --git a/templates/registry/registry-svc.yaml b/templates/registry/registry-svc.yaml
@@ -6,7 +6,7 @@ metadata:
 {{ include "harbor.labels" . | indent 4 }}
 spec:
   ports:
-    - name: {{ ternary "https-registry" "http-registry" .Values.internalTLS.enabled }}
+    - name: registry
       port: {{ template "harbor.registry.servicePort" . }}
 
     - name: {{ ternary "https-controller" "http-controller" .Values.internalTLS.enabled }}

diff --git a/templates/trivy/trivy-sts.yaml b/templates/trivy/trivy-sts.yaml
@@ -40,14 +40,16 @@ spec:
       securityContext:
         runAsUser: 10000
         fsGroup: 10000
+        runAsNonRoot: true
       automountServiceAccountToken: {{ .Values.trivy.automountServiceAccountToken | default false }}
       containers:
         - name: trivy
           image: {{ .Values.trivy.image.repository }}:{{ .Values.trivy.image.tag }}
           imagePullPolicy: {{ .Values.imagePullPolicy }}
+          {{- with .Values.trivy.containerSecurityContext }}
           securityContext:
-            privileged: false
-            allowPrivilegeEscalation: false
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           env:
           {{- if has "trivy" .Values.proxy.components }}
             - name: HTTP_PROXY
@@ -144,7 +146,7 @@ spec:
             failureThreshold: 3
           resources:
 {{ toYaml .Values.trivy.resources | indent 12 }}
-      {{- if or (or .Values.internalTLS.enabled .Values.caBundleSecretName) (or (not .Values.persistence.enabled) $trivy.existingClaim) }}
+      {{- if or (or .Values.internalTLS.enabled .Values.caBundleSecretName) (or (not .Values.persistence.enabled) $trivy.existingClaim) }}   
       volumes:
       {{- if .Values.internalTLS.enabled }}
       - name: trivy-internal-certs