chore: enforce restricted PSS

Signed-off-by: SdgJlbl <[email protected]>
Substra · Jun 24, 2024 · 4c3a906 · 4c3a906
1 parent f267d4f
commit 4c3a906
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 13 deletions.
diff --git a/charts/substra-frontend/CHANGELOG.md b/charts/substra-frontend/CHANGELOG.md
@@ -1,8 +1,13 @@
 # Changelog
 
 <!-- towncrier release notes start -->
-## [1.2.0] - 2024-06-21
+## [1.2.1] - 2024-06-24
+
+### Added
 
+- Security Context at the pod and container level to ensure that the chart can run according to the restricted level of the Pod Security Standard
+
+## [1.2.0] - 2024-06-21
 
 ### Added
 

diff --git a/charts/substra-frontend/Chart.yaml b/charts/substra-frontend/Chart.yaml
@@ -10,6 +10,6 @@ type: application
 maintainers:
   - name: Substra Team
     email: [email protected]
-version: 1.2.0
+version: 1.2.1
 appVersion: 0.51.0 # should be same as in package.json
 kubeVersion: '>= 1.19.0-0'
diff --git a/charts/substra-frontend/templates/deployment.yaml b/charts/substra-frontend/templates/deployment.yaml
@@ -27,7 +27,15 @@ spec:
       initContainers:
         - name: template-html
           image: "{{ trimSuffix "/" .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
-          command: 
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
+            capabilities:
+              drop:
+                - ALL
+          command:
             - sh
           args:
             - -c
@@ -75,7 +83,7 @@ spec:
         - name: nginx-cache
           emptyDir: {}
         - name: nginx-run
-          emptyDir: {} 
+          emptyDir: {}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/charts/substra-frontend/values.yaml b/charts/substra-frontend/values.yaml
@@ -21,16 +21,24 @@ serviceAccount:
 
 podAnnotations: {}
 
-podSecurityContext: {}
-  # fsGroup: 2000
+podSecurityContext:
+  runAsNonRoot: true
+  seccompProfile:
+    type: RuntimeDefault
+  fsGroup: 1000
+  runAsUser: 1000
+  runAsGroup: 1000
 
-securityContext: {}
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
+securityContext:
+  allowPrivilegeEscalation: false
+  seccompProfile:
+    type: RuntimeDefault
+  capabilities:
+    drop:
+      - ALL
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 1000
 
 service:
   type: ClusterIP