Enhance Security of This Helm Chart Based on Pod Security Standards

charts/coturn/Chart.yaml

@@ -3,7 +3,7 @@ name: coturn
 type: application
 description: A Helm chart to deploy coturn
 home: "https://github.com/small-hack/coturn-chart"
-version: 5.1.1
+version: 5.2.0
 
 # renovate: image=coturn/coturn
 appVersion: 4.6.2

charts/coturn/README.md

@@ -1,6 +1,6 @@
 # coturn
 
-![Version: 5.1.1](https://img.shields.io/badge/Version-5.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 4.6.2](https://img.shields.io/badge/AppVersion-4.6.2-informational?style=flat-square)
+![Version: 5.2.0](https://img.shields.io/badge/Version-5.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 4.6.2](https://img.shields.io/badge/AppVersion-4.6.2-informational?style=flat-square)
 
 A Helm chart to deploy coturn
 
@@ -30,6 +30,11 @@ A Helm chart to deploy coturn
 | certificate.enabled | bool | `false` | Enables auto issuing certificates over cert-manager certificates https://cert-manager.io/docs/concepts/certificate/ |
 | certificate.issuerName | string | `"letsencrypt-staging"` | name of cert-manager issuer to use for cert generation. change to production issuer when you're stable |
 | certificate.secret | string | `"turn-tls"` | name of secret to create for ssl cert |
+| containerSecurityContext.allowPrivilegeEscalation | bool | `false` | allow priviledged access |
+| containerSecurityContext.capabilities.add | list | `["NET_BIND_SERVICE"]` | linux cabilities to allow for the coturn k8s pod |
+| containerSecurityContext.capabilities.drop | list | `["ALL"]` | linux cabilities to disallow for the coturn k8s pod |
+| containerSecurityContext.enabled | bool | `true` | Enables Security Context |
+| containerSecurityContext.readOnlyRootFilesystem | bool | `false` | allow modificatin to root filesystem |
 | coturn.auth.existingSecret | string | `""` | existing secret with keys username/password for coturn |
 | coturn.auth.password | string | `""` | password for the main user of the turn server |
 | coturn.auth.secretKeys.password | string | `"password"` | key in existing secret for turn server user's password |
@@ -67,11 +72,12 @@ A Helm chart to deploy coturn
 | mysql.enabled | bool | `false` | enables bitnami mysql subchart, you can disable to use external db |
 | mysql.initdbScriptsConfigMap | string | `"initdb-scripts-config"` | ConfigMap with the initdb scripts (Note: Overrides initdbScripts) |
 | nameOverride | string | `""` | different name for the helm release |
-| persistence.accessMode | string | `"ReadWriteOnce"` | access mode for the PVC, ignored if persistence.existingClaim passed in |
-| persistence.annotations | object | `{}` | annotations for the PVC, ignored if persistence.existingClaim passed in |
-| persistence.existingClaim | string | `""` | existing PVC to use instead of creating one on the fly |
-| persistence.size | string | `"1Mi"` | size of the PVC, ignored if persistence.existingClaim passed in |
-| persistence.storageClass | string | `""` | storageClass for the PVC, ignored if persistence.existingClaim passed in |
+| podSecurityContext.enabled | bool | `true` | Enables Pod Security Context |
+| podSecurityContext.fsGroup | int | `1000` | all processes of the container are also part of the supplementary groupID |
+| podSecurityContext.runAsGroup | int | `1000` | for all Containers in the Pod, all processes run w/ this GroupID |
+| podSecurityContext.runAsNonRoot | bool | `true` | for all Containers in the Pod, all processes run as non-root |
+| podSecurityContext.runAsUser | int | `1000` | for all Containers in the Pod, all processes run w/ this userID |
+| podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | Filter a process's system calls |
 | postgresql.enabled | bool | `false` | enables bitnami postgresql subchart, you can disable to use external db |
 | postgresql.global.postgresql.auth.database | string | `"coturn"` | database to create, ignored if existingSecret is passed in |
 | postgresql.global.postgresql.auth.existingSecret | string | `""` | name of existing Secret to use for postgresql credentials |
@@ -85,15 +91,6 @@ A Helm chart to deploy coturn
 | postgresql.primary.initdb.scriptsConfigMap | string | `""` | ConfigMap with scripts to be run at first boot |
 | replicas | int | `1` |  |
 | resources | object | `{}` | ref: kubernetes.io/docs/concepts/configuration/manage-resources-containers |
-| securityContext.allowPrivilegeEscalation | bool | `true` | allow priviledged access |
-| securityContext.capabilities.add | list | `["NET_BIND_SERVICE"]` | linux cabilities to allow for the coturn k8s pod |
-| securityContext.capabilities.drop | list | `["ALL"]` | linux cabilities to disallow for the coturn k8s pod |
-| securityContext.fsGroup | int | `1000` | all processes of the container are also part of the supplementary groupID |
-| securityContext.readOnlyRootFilesystem | bool | `false` | allow modificatin to root filesystem |
-| securityContext.runAsGroup | int | `1000` | for all Containers in the Pod, all processes run w/ this GroupID |
-| securityContext.runAsUser | int | `1000` | for all Containers in the Pod, all processes run w/ this userID |
 | service.externalTrafficPolicy | string | `""` | I don't actually know what this is 🤔 open a PR if you know    was originally "Local" |
 | service.type | string | `"ClusterIP"` | The type of service to deploy for routing Coturn traffic.   ClusterIP: Recommended for DaemonSet configurations. This will create a              standard Kubernetes service for Coturn within the cluster.              No external networking will be configured as the DaemonSet              will handle binding to each Node's host networking    NodePort:  Recommended for Deployment configurations. This will open              TURN ports on every node and route traffic on these ports to              the Coturn pods. You will need to make sure your cloud              provider supports the cluster config setting,              apiserver.service-node-port-range, as this range must contain              the ports defined above for the service to be created.    LoadBalancer: This was what was originally set for this chart in the                 upstream of this fork, but with no details |
 
-----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1)

charts/coturn/templates/deployment.yaml

@@ -20,12 +20,16 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- if .Values.podSecurityContext.enabled }}
+      {{- with .Values.podSecurityContext }}
       securityContext:
-        readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFilesystem }}
-        allowPrivilegeEscalation: {{ .Values.securityContext.allowPrivilegeEscalation }}
-        capabilities:
-          add: {{ .Values.securityContext.capabilities.add }}
-          drop: {{ .Values.securityContext.capabilities.drop }}
+        runAsNonRoot: {{ .runAsNonRoot }}
+        runAsUser: {{ .runAsUser }}
+        runAsGroup: {{ .runAsGroup }}
+        fsGroup: {{ .fsGroup }}
+        seccompProfile: {{- .seccompProfile | toYaml | nindent 10 }}
+      {{- end }}
+      {{- end }}
       initContainers:
         {{- if or .Values.postgresql.enabled (and .Values.externalDatabase.enabled (eq .Values.externalDatabase.type "postgresql")) }}
         - name: postgresql-isready
@@ -53,6 +57,15 @@ spec:
             - "sh"
             - "-c"
             - "until pg_isready -h $DATABASE_HOSTNAME -U $POSTGRES_USER ; do sleep 2 ; done"
+          {{- if .Values.containerSecurityContext.enabled }}
+          {{- with .Values.containerSecurityContext }}
+          securityContext:
+            capabilities:
+              drop: {{- .capabilities.drop | toYaml | nindent 16 }}
+            readOnlyRootFilesystem: {{ .readOnlyRootFilesystem }}
+            allowPrivilegeEscalation: {{ .allowPrivilegeEscalation }}
+          {{- end }}
+          {{- end }}
         {{- else if or .Values.mysql.enabled (and .Values.externalDatabase.enabled (eq .Values.externalDatabase.type "mysql")) }}
         - name: mysql-isready
           image: {{ include "db.isReady.image.repository" . }}:{{ include "db.isReady.image.tag" . }}
@@ -88,6 +101,15 @@ spec:
             - "sh"
             - "-c"
             - "until mysql -h $DATABASE_HOSTNAME -u $MYSQL_USER -p$MYSQL_PASSWORD -e 'SELECT VERSION();' ; do sleep 2 ; done"
+          {{- if .Values.containerSecurityContext.enabled }}
+          {{- with .Values.containerSecurityContext }}
+          securityContext:
+            capabilities:
+              drop: {{- .capabilities.drop | toYaml | nindent 16 }}
+            readOnlyRootFilesystem: {{ .readOnlyRootFilesystem }}
+            allowPrivilegeEscalation: {{ .allowPrivilegeEscalation }}
+          {{- end }}
+          {{- end }}
         {{- end }}
         - name: add-secret-values-to-config
           image: "mikefarah/yq:latest"
@@ -179,6 +201,15 @@ spec:
               mountPath: /extra
             - name: {{ .Release.Name }}-config
               mountPath: /data
+          {{- if .Values.containerSecurityContext.enabled }}
+          {{- with .Values.containerSecurityContext }}
+          securityContext:
+            capabilities:
+              drop: {{- .capabilities.drop | toYaml | nindent 16 }}
+            readOnlyRootFilesystem: {{ .readOnlyRootFilesystem }}
+            allowPrivilegeEscalation: {{ .allowPrivilegeEscalation }}
+          {{- end }}
+          {{- end }}
       containers:
         - name: "coturn"
           image: {{ include "coturn.image" . }}
@@ -217,6 +248,16 @@ spec:
           resources:
             {{- toYaml . | nindent 12 }}
           {{- end }}
+          {{- if .Values.containerSecurityContext.enabled }}
+          {{- with .Values.containerSecurityContext }}
+          securityContext:
+            capabilities:
+              add: {{- .capabilities.add | toYaml | nindent 16 }}
+              drop: {{- .capabilities.drop | toYaml | nindent 16 }}
+            readOnlyRootFilesystem: {{ .readOnlyRootFilesystem }}
+            allowPrivilegeEscalation: {{ .allowPrivilegeEscalation }}
+          {{- end }}
+          {{- end }}
       volumes:
         {{- if .Values.certificate.enabled }}
         - name: tls
@@ -230,12 +271,7 @@ spec:
           configMap:
             name: {{ .Release.Name }}-extra-config
         - name: {{ .Release.Name }}-config
-          persistentVolumeClaim:
-            {{- if .Values.persistence.existingClaim }}
-            claimName: {{ .Values.persistence.existingClaim }}
-            {{ else }}
-            claimName: {{ .Release.Name }}-config
-            {{- end }}
+          emptyDir: {}
         - name: var-tmp
           emptyDir: {}
         {{- if and (not .Values.externalDatabase.enabled) (not .Values.postgresql.enabled) (not .Values.mysql.enabled) }}

charts/coturn/values.yaml

@@ -112,7 +112,6 @@ postgresql:
       # -- ConfigMap with scripts to be run at first boot
       scriptsConfigMap: ""
 
-
 # MySQL chart configuration
 # see: https://github.com/bitnami/charts/tree/main/bitnami/mysql
 mysql:
@@ -137,18 +136,6 @@ mysql:
   # -- ConfigMap with the initdb scripts (Note: Overrides initdbScripts)
   initdbScriptsConfigMap: initdb-scripts-config
 
-persistence:
-  # -- existing PVC to use instead of creating one on the fly
-  existingClaim: ""
-  # -- annotations for the PVC, ignored if persistence.existingClaim passed in
-  annotations: {}
-  # -- access mode for the PVC, ignored if persistence.existingClaim passed in
-  accessMode: "ReadWriteOnce"
-  # -- size of the PVC, ignored if persistence.existingClaim passed in
-  size: "1Mi"
-  # -- storageClass for the PVC, ignored if persistence.existingClaim passed in
-  storageClass: ""
-
 # most coturn config parameters that you really need
 coturn:
   # --  hostname for the coturn server realm
@@ -189,19 +176,30 @@ coturn:
 
 # k8s pod security context:
 # https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-securityContext:
+podSecurityContext:
+  # -- Enables Pod Security Context
+  enabled: true
+  # -- for all Containers in the Pod, all processes run as non-root
+  runAsNonRoot: true
   # -- for all Containers in the Pod, all processes run w/ this userID
   runAsUser: 1000
   # -- for all Containers in the Pod, all processes run w/ this GroupID
   runAsGroup: 1000
   # -- all processes of the container are also part of the supplementary groupID
   fsGroup: 1000
-  # -- allow modificatin to root filesystem
-  readOnlyRootFilesystem: false
-  # -- allow priviledged access
-  allowPrivilegeEscalation: true
+  seccompProfile:
+    # --  Filter a process's system calls
+    type: "RuntimeDefault"
+
+containerSecurityContext:
+  # -- Enables Security Context
+  enabled: true
   capabilities:
     # -- linux cabilities to allow for the coturn k8s pod
     add: ["NET_BIND_SERVICE"]
     # -- linux cabilities to disallow for the coturn k8s pod
     drop: ["ALL"]
+  # -- allow modificatin to root filesystem
+  readOnlyRootFilesystem: false
+  # -- allow priviledged access
+  allowPrivilegeEscalation: false