diff --git a/charts/dependency-track/templates/api-server/deployment.yaml b/charts/dependency-track/templates/api-server/deployment.yaml
index cee57eb..3058a9f 100644
--- a/charts/dependency-track/templates/api-server/deployment.yaml
+++ b/charts/dependency-track/templates/api-server/deployment.yaml
@@ -35,15 +35,7 @@ spec:
 - name: {{ include "dependencytrack.apiServerName" . }}
 image: {{ include "dependencytrack.apiServerImage" . }}
 imagePullPolicy: {{ .Values.apiServer.image.pullPolicy }}
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- runAsNonRoot: true
- readOnlyRootFilesystem: true
- seccompProfile:
- type: RuntimeDefault
+ securityContext: {{ toYaml .Values.apiServer.securityContext | nindent 10 }}
 {{- with .Values.apiServer.command }}
 command: {{ toYaml . | nindent 8 }}
 {{- end }}
diff --git a/charts/dependency-track/templates/api-server/statefulset.yaml b/charts/dependency-track/templates/api-server/statefulset.yaml
index c9e9083..3143e0f 100644
--- a/charts/dependency-track/templates/api-server/statefulset.yaml
+++ b/charts/dependency-track/templates/api-server/statefulset.yaml
@@ -36,15 +36,7 @@ spec:
 - name: {{ include "dependencytrack.apiServerName" . }}
 image: {{ include "dependencytrack.apiServerImage" . }}
 imagePullPolicy: {{ .Values.apiServer.image.pullPolicy }}
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- runAsNonRoot: true
- readOnlyRootFilesystem: true
- seccompProfile:
- type: RuntimeDefault
+ securityContext: {{ toYaml .Values.apiServer.securityContext | nindent 10 }}
 {{- with .Values.apiServer.command }}
 command: {{ toYaml . | nindent 8 }}
 {{- end }}
diff --git a/charts/dependency-track/templates/frontend/deployment.yaml b/charts/dependency-track/templates/frontend/deployment.yaml
index 7a964d1..ba56440 100644
--- a/charts/dependency-track/templates/frontend/deployment.yaml
+++ b/charts/dependency-track/templates/frontend/deployment.yaml
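Review bot: The added `securityContext: {{ toYaml .Values.apiServer.securityContext | nindent 10 }}` line renders unconditionally, unlike the `command` block directly below it, which is guarded by `{{- with }}`; a user who sets the value to `null` (the opt-out this chart's values.yaml already recommends for `podSecurityContext` on OpenShift) gets a `securityContext:` key with a literal `null` body instead of no key at all. I believe the API server still accepts that, but it reads as an accident in rendered manifests and differs from how the sibling field is handled. I would write it as `{{- with .Values.apiServer.securityContext }}`, `securityContext: {{ toYaml . | nindent 10 }}`, `{{- end }}`. The same unguarded form appears in the api-server statefulset and frontend hunks of this chart and in every hyades template hunk below (api-server, frontend, mirror-service, notification-publisher, repo-meta-analyzer, vuln-analyzer deployment and statefulset).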
@@ -28,15 +28,7 @@ spec:
 - name: {{ include "dependencytrack.frontendName" . }}
 image: {{ include "dependencytrack.frontendImage" . }}
 imagePullPolicy: {{ .Values.frontend.image.pullPolicy }}
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- runAsNonRoot: true
- readOnlyRootFilesystem: false # RO filesystems are not supported by the frontend
- seccompProfile:
- type: RuntimeDefault
+ securityContext: {{ toYaml .Values.frontend.securityContext | nindent 10 }}
 {{- with .Values.frontend.command }}
 command: {{ toYaml . | nindent 8 }}
 {{- end }}
diff --git a/charts/dependency-track/values.yaml b/charts/dependency-track/values.yaml
index c25816b..448488b 100644
--- a/charts/dependency-track/values.yaml
+++ b/charts/dependency-track/values.yaml
@@ -45,6 +45,16 @@ apiServer:
 # For OpenShift, explicitly set this to null.
 podSecurityContext:
 fsGroup: 1000
+ # -- Security context of the Container.
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
 persistentVolume:
 enabled: false
 className: ""
@@ -134,6 +144,17 @@ frontend:
 limits:
 cpu: 500m
 memory: 128Mi
+ # -- Security context of the Container.
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ # RO filesystems are not supported by the frontend
+ readOnlyRootFilesystem: false
+ seccompProfile:
+ type: RuntimeDefault
 extraEnv: []
 extraEnvFrom: []
 extraContainers: []
diff --git a/charts/hyades/templates/api-server/deployment.yaml b/charts/hyades/templates/api-server/deployment.yaml
index 3eb4bac..8ecec82 100644
--- a/charts/hyades/templates/api-server/deployment.yaml
+++ b/charts/hyades/templates/api-server/deployment.yaml
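Review bot: The `# -- Security context of the Container.` helm-docs comment above the new `apiServer.securityContext` block in values.yaml does not tell chart users what they give up by overriding it: `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]`, `runAsNonRoot: true` and `seccompProfile.type: RuntimeDefault` are exactly the container-level requirements of the Kubernetes "restricted" Pod Security Standard, and until this commit they were hard-coded in the templates so no values override could weaken them. I would extend the comment to `# -- Security context of the container. The defaults satisfy the "restricted" Pod Security Standard;` / `# loosening any field is an explicit opt-out of that hardening.` The same one-line comment is repeated in the frontend hunk of this file and in the hyades values.yaml hunks, where it also alternates between "Container" and "container".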
@@ -33,15 +33,7 @@ spec:
 - name: {{ include "hyades.apiServerName" . }}
 image: {{ include "hyades.apiServerImage" . }}
 imagePullPolicy: {{ .Values.apiServer.image.pullPolicy }}
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- runAsNonRoot: true
- readOnlyRootFilesystem: true
- seccompProfile:
- type: RuntimeDefault
+ securityContext: {{ toYaml .Values.apiServer.securityContext | nindent 10 }}
 {{- with .Values.apiServer.command }}
 command: {{ toYaml . | nindent 8 }}
 {{- end }}
diff --git a/charts/hyades/templates/frontend/deployment.yaml b/charts/hyades/templates/frontend/deployment.yaml
index e0b4436..ced5c63 100644
--- a/charts/hyades/templates/frontend/deployment.yaml
+++ b/charts/hyades/templates/frontend/deployment.yaml
@@ -29,15 +29,7 @@ spec:
 - name: {{ include "hyades.frontendName" . }}
 image: {{ include "hyades.frontendImage" . }}
 imagePullPolicy: {{ .Values.frontend.image.pullPolicy }}
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- runAsNonRoot: true
- readOnlyRootFilesystem: false # RO filesystems are not supported by the frontend
- seccompProfile:
- type: RuntimeDefault
+ securityContext: {{ toYaml .Values.frontend.securityContext | nindent 10 }}
 {{- with .Values.frontend.command }}
 command: {{ toYaml . | nindent 8 }}
 {{- end }}
diff --git a/charts/hyades/templates/mirror-service/deployment.yaml b/charts/hyades/templates/mirror-service/deployment.yaml
index e56cc47..56b7b09 100644
--- a/charts/hyades/templates/mirror-service/deployment.yaml
+++ b/charts/hyades/templates/mirror-service/deployment.yaml
@@ -32,15 +32,7 @@ spec:
 - name: {{ include "hyades.mirrorServiceName" . }}
 image: {{ include "hyades.mirrorServiceImage" . }}
 imagePullPolicy: {{ .Values.mirrorService.image.pullPolicy }}
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- runAsNonRoot: true
- readOnlyRootFilesystem: true
- seccompProfile:
- type: RuntimeDefault
+ securityContext: {{ toYaml .Values.mirrorService.securityContext | nindent 10 }}
 {{- with .Values.mirrorService.command }}
 command: {{ toYaml . | nindent 8 }}
 {{- end }}
diff --git a/charts/hyades/templates/notification-publisher/deployment.yaml b/charts/hyades/templates/notification-publisher/deployment.yaml
index 261b60c..98ec0e6 100644
--- a/charts/hyades/templates/notification-publisher/deployment.yaml
+++ b/charts/hyades/templates/notification-publisher/deployment.yaml
@@ -32,15 +32,7 @@ spec:
 - name: {{ include "hyades.notificationPublisherName" . }}
 image: {{ include "hyades.notificationPublisherImage" . }}
 imagePullPolicy: {{ .Values.notificationPublisher.image.pullPolicy }}
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- runAsNonRoot: true
- readOnlyRootFilesystem: true
- seccompProfile:
- type: RuntimeDefault
+ securityContext: {{ toYaml .Values.notificationPublisher.securityContext | nindent 10 }}
 {{- with .Values.notificationPublisher.command }}
 command: {{ toYaml . | nindent 8 }}
 {{- end }}
diff --git a/charts/hyades/templates/repo-meta-analyzer/deployment.yaml b/charts/hyades/templates/repo-meta-analyzer/deployment.yaml
index 21d6ee8..c7edba0 100644
--- a/charts/hyades/templates/repo-meta-analyzer/deployment.yaml
+++ b/charts/hyades/templates/repo-meta-analyzer/deployment.yaml
@@ -32,15 +32,7 @@ spec:
 - name: {{ include "hyades.repoMetaAnalyzerName" . }}
 image: {{ include "hyades.repoMetaAnalyzerImage" . }}
 imagePullPolicy: {{ .Values.repoMetaAnalyzer.image.pullPolicy }}
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- runAsNonRoot: true
- readOnlyRootFilesystem: true
- seccompProfile:
- type: RuntimeDefault
+ securityContext: {{ toYaml .Values.repoMetaAnalyzer.securityContext | nindent 10 }}
 {{- with .Values.repoMetaAnalyzer.command }}
 command: {{ toYaml . | nindent 8 }}
 {{- end }}
diff --git a/charts/hyades/templates/vuln-analyzer/deployment.yaml b/charts/hyades/templates/vuln-analyzer/deployment.yaml
index 16295f1..d8f3fc2 100644
--- a/charts/hyades/templates/vuln-analyzer/deployment.yaml
+++ b/charts/hyades/templates/vuln-analyzer/deployment.yaml
@@ -32,15 +32,7 @@ spec:
 - name: {{ include "hyades.vulnAnalyzerName" . }}
 image: {{ include "hyades.vulnAnalyzerImage" . }}
 imagePullPolicy: {{ .Values.vulnAnalyzer.image.pullPolicy }}
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- runAsNonRoot: true
- readOnlyRootFilesystem: true
- seccompProfile:
- type: RuntimeDefault
+ securityContext: {{ toYaml .Values.vulnAnalyzer.securityContext | nindent 10 }}
 {{- with .Values.vulnAnalyzer.command }}
 command: {{ toYaml . | nindent 8 }}
 {{- end }}
diff --git a/charts/hyades/templates/vuln-analyzer/statefulset.yaml b/charts/hyades/templates/vuln-analyzer/statefulset.yaml
index 5aa2f34..eab1f98 100644
--- a/charts/hyades/templates/vuln-analyzer/statefulset.yaml
+++ b/charts/hyades/templates/vuln-analyzer/statefulset.yaml
@@ -33,15 +33,7 @@ spec:
 - name: {{ include "hyades.vulnAnalyzerName" . }}
 image: {{ include "hyades.vulnAnalyzerImage" . }}
 imagePullPolicy: {{ .Values.vulnAnalyzer.image.pullPolicy }}
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- runAsNonRoot: true
- readOnlyRootFilesystem: true
- seccompProfile:
- type: RuntimeDefault
+ securityContext: {{ toYaml .Values.vulnAnalyzer.securityContext | nindent 10 }}
 {{- with .Values.vulnAnalyzer.command }}
 command: {{ toYaml . | nindent 8 }}
 {{- end }}
diff --git a/charts/hyades/values.yaml b/charts/hyades/values.yaml
index 2a77507..895eb22 100644
--- a/charts/hyades/values.yaml
+++ b/charts/hyades/values.yaml
@@ -47,6 +47,16 @@ apiServer:
 limits:
 cpu: "4"
 memory: 2Gi
+ # -- Security context of the Container.
+ securityContext: &hyadesSecurityContext
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
 extraEnv: []
 extraEnvFrom: []
 probes:
@@ -124,6 +134,17 @@ frontend:
 limits:
 cpu: 500m
 memory: 128Mi
+ # -- Security context of the Container.
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ # RO filesystems are not supported by the frontend
+ readOnlyRootFilesystem: false
+ seccompProfile:
+ type: RuntimeDefault
 extraEnv: []
 extraEnvFrom: []
 probes:
@@ -174,6 +195,8 @@ mirrorService:
 limits:
 cpu: "2"
 memory: 2Gi
+ # -- Security context of the container.
+ securityContext: *hyadesSecurityContext
 extraEnv: []
 extraEnvFrom: []
 probes:
@@ -218,6 +241,8 @@ notificationPublisher:
 limits:
 cpu: "2"
 memory: 2Gi
+ # -- Security context of the container.
+ securityContext: *hyadesSecurityContext
 extraEnv: []
 extraEnvFrom: []
 probes:
@@ -262,6 +287,8 @@ repoMetaAnalyzer:
 limits:
 cpu: "2"
 memory: 2Gi
+ # -- Security context of the container.
+ securityContext: *hyadesSecurityContext
 extraEnv: []
 extraEnvFrom: []
 probes:
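Review bot: The `&hyadesSecurityContext` anchor on `apiServer.securityContext` in hyades values.yaml and its `*hyadesSecurityContext` aliases under mirrorService, notificationPublisher and repoMetaAnalyzer (and vulnAnalyzer in the next hunk) tie five components' hardening to one block in a way that is invisible where it is consumed, and that the dependency-track chart in this same commit does not use. Tooling that reads values.yaml as text rather than parsed YAML — helm-docs, which these `# --` comments are written for, schema generators, some linters — may not expand the alias, so a reader of the mirrorService stanza sees no settings at all. As far as I can tell Helm resolves the aliases when it parses the chart's values.yaml and only then merges user values on top, so overriding `apiServer.securityContext` in a user values file will not propagate to the aliased components; that is probably intended but is not stated. I would either spell the block out per component as the dependency-track chart does, or say so in the comment: `# -- Security context of the container. Aliases the apiServer.securityContext defaults above;` / `# override this key directly, an override of apiServer.securityContext does not propagate here.`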
@@ -311,6 +338,8 @@ vulnAnalyzer:
 limits:
 cpu: "2"
 memory: 2Gi
+ # -- Security context of the container.
+ securityContext: *hyadesSecurityContext
 persistentVolume:
 # -- Whether to use a persistent volume to store application state.
 # Has no effect unless useStatefulSet is true. Is pointless unless