kyma-project · kyma-bot · Oct 18, 2022 · Oct 6, 2022 · Oct 6, 2022
@@ -57,6 +57,10 @@ spec:
       hostAliases:
       {{- toYaml .Values.deployment.host_aliases | nindent 6 }}
       {{- end }}
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - image: {{ include "imageurl" (dict "reg" .Values.global.containerRegistry "img" .Values.global.images.kiali) }}
         imagePullPolicy: {{ .Values.deployment.image_pull_policy | default "Always" }}
@@ -69,7 +73,9 @@ spec:
           allowPrivilegeEscalation: false
           privileged: false
           readOnlyRootFilesystem: true
-          runAsNonRoot: true
+          capabilities:
+            drop:
+              - ALL
         ports:
         - name: api-port
           containerPort: {{ .Values.server.port | default 20001 }}

@@ -31,6 +31,10 @@ spec:
       serviceAccountName: {{ template "kiali-server.fullname" . }}-auth-proxy
       {{- if or .Values.authProxy.priorityClassName .Values.global.highPriorityClassName }}
       priorityClassName: {{ coalesce .Values.authProxy.priorityClassName .Values.global.highPriorityClassName }}
+      {{- end }}
+      {{- if .Values.authProxy.securityContext }}
+      securityContext:
+{{ toYaml .Values.authProxy.securityContext | nindent 8 }}
       {{- end }}
       containers:
       - image: {{ include "imageurl" (dict "reg" .Values.global.containerRegistry "img" .Values.global.images.oauth2_proxy) }}
@@ -66,9 +70,9 @@ spec:
           httpGet:
             path: /ping
             port: http
-        {{- if .Values.authProxy.securityContext }}
+        {{- if .Values.authProxy.containerSecurityContext }}
         securityContext:
-{{ toYaml .Values.authProxy.securityContext | nindent 10 }}
+{{ toYaml .Values.authProxy.containerSecurityContext | nindent 10 }}
         {{- end }}
         resources:
 {{ toYaml .Values.authProxy.resources | indent 10 }}

@@ -48,9 +48,19 @@ authProxy:
   env: {}
   nodeSelector: {}
   securityContext:
+    runAsUser: 1000
+    runAsGroup: 1000
+    fsGroup: 1000
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+  containerSecurityContext:
     allowPrivilegeEscalation: false
     privileged: false
-    runAsNonRoot: true
+    readOnlyRootFilesystem: true
+    capabilities:
+      drop:
+        - ALL
   image:
     pullPolicy: IfNotPresent
   priorityClassName: "kyma-system-priority"
@@ -136,6 +146,13 @@ deployment:
       cpu: 100m
       memory: 140Mi
   secret_name: "kiali"
+  security_context:
+    allowPrivilegeEscalation: false
+    privileged: false
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
   service_annotations: {}
   service_type: ""
   tolerations: []

@@ -95,7 +95,10 @@ spec:
         {{- if .Values.chunkCleaner.enabled }}
         - name: chunk-cleaner
           image: {{ include "imageurl" (dict "reg" .Values.global.containerRegistry "img" .Values.global.images.alpine) }}
-          resources: {{- toYaml .Values.chunkCleaner.resources | nindent 12 }}
+          resources:
+            {{- toYaml .Values.chunkCleaner.resources | nindent 12 }}
+          securityContext:
+            {{- toYaml .Values.chunkCleaner.securityContext | nindent 12 }}
           command:
             - /bin/sh
             - -c

@@ -161,7 +161,7 @@ podManagementPolicy: OrderedReady
 
 rbac:
   create: true
-  pspEnabled: true
+  pspEnabled: false
 
 readinessProbe:
   httpGet:
@@ -184,11 +184,16 @@ podSecurityContext:
   runAsGroup: 10001
   runAsNonRoot: true
   runAsUser: 10001
+  seccompProfile:
+    type: RuntimeDefault
 
 securityContext:
   allowPrivilegeEscalation: false
   privileged: false
   readOnlyRootFilesystem: true
+  capabilities:
+    drop:
+      - ALL
 
 service:
   type: ClusterIP
@@ -298,6 +303,13 @@ chunkCleaner:
     requests:
       cpu: 10m
       memory: 10Mi
+  securityContext:
+    allowPrivilegeEscalation: false
+    privileged: false
+    readOnlyRootFilesystem: true
+    capabilities:
+      drop:
+        - ALL
 
 grafana:
   datasource:

@@ -36,6 +36,10 @@ spec:
       serviceAccountName: {{ .Release.Name }}-auth-proxy-{{ template "grafana.name" . }}
       {{- if or .Values.priorityClassName .Values.global.priorityClassName }}
       priorityClassName: {{ coalesce .Values.priorityClassName .Values.global.priorityClassName }}
+      {{- end }}
+      {{- if .Values.kyma.authProxy.securityContext }}
+      securityContext:
+{{ toYaml .Values.kyma.authProxy.securityContext | nindent 8 }}
       {{- end }}
       containers:
       - image: "{{ include "imageurl" (dict "reg" .Values.global.containerRegistry "img" .Values.global.images.oauth2_proxy) }}"
@@ -71,9 +75,9 @@ spec:
           httpGet:
             path: /ping
             port: http
-        {{- if .Values.kyma.authProxy.securityContext }}
+        {{- if .Values.kyma.authProxy.containerSecurityContext }}
         securityContext:
-{{ toYaml .Values.kyma.authProxy.securityContext | nindent 10 }}
+{{ toYaml .Values.kyma.authProxy.containerSecurityContext | nindent 10 }}
         {{- end }}
         resources:
 {{ toYaml .Values.kyma.authProxy.resources | indent 10 }}

@@ -95,10 +95,17 @@ podSecurityContext:
   runAsUser: 472
   runAsGroup: 472
   fsGroup: 472
+  runAsNonRoot: true
+  seccompProfile:
+    type: RuntimeDefault
 
 containerSecurityContext:
   allowPrivilegeEscalation: false
   privileged: false
+  readOnlyRootFilesystem: true
+  capabilities:
+    drop:
+      - ALL
 extraConfigmapMounts:
   []
   # - name: certs-configmap
@@ -130,6 +137,7 @@ downloadDashboards:
   securityContext:
     allowPrivilegeEscalation: false
     privileged: false
+    readOnlyRootFilesystem: true
 
 ## Pod Annotations
 # podAnnotations: {}
@@ -307,7 +315,7 @@ initChownData:
   ## If false, data ownership will not be reset at startup
   ## This allows the prometheus-server to be run with an arbitrary user
   ##
-  enabled: true
+  enabled: false
 
   ## initChownData container image
   ##
@@ -637,6 +645,10 @@ sidecar:
   securityContext:
     allowPrivilegeEscalation: false
     privileged: false
+    readOnlyRootFilesystem: true
+    capabilities:
+      drop:
+        - ALL
   # skipTlsVerify Set to true to skip tls verification for kube api calls
   # skipTlsVerify: true
   enableUniqueFilenames: false
@@ -798,9 +810,19 @@ kyma:
     env: {}
     nodeSelector: {}
     securityContext:
+      runAsUser: 1000
+      runAsGroup: 1000
+      fsGroup: 1000
+      runAsNonRoot: true
+      seccompProfile:
+        type: RuntimeDefault
+    containerSecurityContext:
       allowPrivilegeEscalation: false
       privileged: false
-      runAsNonRoot: true
+      readOnlyRootFilesystem: true
+      capabilities:
+        drop:
+          - ALL
     port: 3000
     image:
       pullPolicy: IfNotPresent

@@ -91,7 +91,7 @@ prometheus:
 ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
 ##
 podSecurityPolicy:
-  enabled: true
+  enabled: false
   annotations: {}
     ## Specify pod annotations
     ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor
@@ -109,13 +109,20 @@ securityContext:
   runAsGroup: 65534
   runAsUser: 65534
   fsGroup: 65534
+  runAsNonRoot: true
+  seccompProfile:
+    type: RuntimeDefault
 
 ## Specify security settings for a Container
 ## Allows overrides and additional options compared to (Pod) securityContext
 ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
 containerSecurityContext:
   allowPrivilegeEscalation: false
   privileged: false
+  readOnlyRootFilesystem: true
+  capabilities:
+    drop:
+      - ALL
 
 ## Node labels for pod assignment
 ## Ref: https://kubernetes.io/docs/user-guide/node-selection/

@@ -424,6 +424,10 @@ configmapReload:
     containerSecurityContext:
       allowPrivilegeEscalation: false
       privileged: false
+      readOnlyRootFilesystem: true
+      capabilities:
+        drop:
+          - ALL
 
     ## configmap-reload resource requests and limits
     ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/
@@ -1110,11 +1114,17 @@ server:
     runAsNonRoot: true
     runAsGroup: 65534
     fsGroup: 65534
+    seccompProfile:
+      type: RuntimeDefault
 
   ## Security context to be added to server container
   containerSecurityContext:
     allowPrivilegeEscalation: false
     privileged: false
+    readOnlyRootFilesystem: true
+    capabilities:
+      drop:
+        - ALL
 
   service:
     ## If false, no Service will be created for the Prometheus server

@@ -84,18 +84,24 @@ securityContext:
   runAsGroup: 65534
   runAsNonRoot: true
   runAsUser: 65534
+  seccompProfile:
+    type: RuntimeDefault
 
 containerSecurityContext:
   allowPrivilegeEscalation: false
   privileged: false
+  readOnlyRootFilesystem: true
+  capabilities:
+    drop:
+      - ALL
 
 rbac:
   ## If true, create & use RBAC resources
   ##
   create: true
   ## If true, create & use Pod Security Policy resources
   ## https://kubernetes.io/docs/concepts/policy/pod-security-policy/
-  pspEnabled: true
+  pspEnabled: false
   pspAnnotations: {}
 
 # for deployments that have node_exporter deployed outside of the cluster, list

@@ -123,9 +123,15 @@ podSecurityContext:
   fsGroup: 65534
   runAsUser: 65534
   runAsNonRoot: true
+  seccompProfile:
+    type: RuntimeDefault
 containerSecurityContext:
   allowPrivilegeEscalation: false
   privileged: false
+  readOnlyRootFilesystem: true
+  capabilities:
+    drop:
+      - ALL
 
 ## Affinity for pod assignment
 ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity

@@ -181,7 +181,7 @@ global:
     ## Create ClusterRoles that extend the existing view, edit and admin ClusterRoles to interact with prometheus-operator CRDs
     ## Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
     createAggregateClusterRoles: false
-    pspEnabled: true
+    pspEnabled: false
     pspAnnotations: {}
       ## Specify pod annotations
       ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor
@@ -749,6 +749,8 @@ alertmanager:
       runAsNonRoot: true
       runAsUser: 1000
       fsGroup: 2000
+      seccompProfile:
+        type: RuntimeDefault
 
     ## ListenLocal makes the Alertmanager server listen on loopback, so that it does not bind against the Pod IP.
     ## Note this is only for the Alertmanager UI, not the gossip communication.
@@ -848,7 +850,7 @@ grafana:
   rbac:
     ## If true, Grafana PSPs will be created
     ##
-    pspEnabled: true
+    pspEnabled: false
 
   ingress:
     ## If true, Grafana Ingress will be created
@@ -1697,7 +1699,7 @@ prometheus-node-exporter:
   rbac:
     ## If true, create PSPs for node-exporter
     ##
-    pspEnabled: true
+    pspEnabled: false
 
 ## Manages Prometheus and Alertmanager components
 ##
@@ -1960,6 +1962,8 @@ prometheusOperator:
     runAsGroup: 65534
     runAsNonRoot: true
     runAsUser: 65534
+    seccompProfile:
+      type: RuntimeDefault
 
   ## Container-specific security context configuration
   ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
@@ -1968,6 +1972,9 @@ prometheusOperator:
     allowPrivilegeEscalation: false
     readOnlyRootFilesystem: true
     privileged: false
+    capabilities:
+      drop:
+        - ALL
 
   ## Prometheus-operator image
   ##
@@ -2904,6 +2911,8 @@ prometheus:
       runAsNonRoot: true
       runAsUser: 1000
       fsGroup: 2000
+      seccompProfile:
+        type: RuntimeDefault
 
     ## Priority class assigned to the Pods
     ##