update sec context

kubeshop · Nov 8, 2024 · dbc8a0f · dbc8a0f
1 parent 45cb0eb
commit dbc8a0f
Show file tree

Hide file tree

Showing 10 changed files with 27 additions and 37 deletions.
diff --git a/charts/testkube-api/templates/_helpers.tpl b/charts/testkube-api/templates/_helpers.tpl
@@ -424,7 +424,7 @@ Define containerSecurityContext
 */}}
 {{- define "testkube-api.containerSecurityContext" -}}
 {{- if .Values.global.containerSecurityContext }}
-{{- toYaml .Values.global.containerSecurityContext}}
+{{- toYaml .Values.global.containerSecurityContext }}
 {{- else }}
 {{- toYaml .Values.securityContext }}
 {{- end }}
@@ -446,7 +446,7 @@ Define containerSecurityContext for MinIo
 */}}
 {{- define "minio.containerSecurityContext" -}}
 {{- if .Values.global.containerSecurityContext }}
-{{- toYaml .Values.global.containerSecurityContext}}
+{{- toYaml .Values.global.containerSecurityContext }}
 {{- else }}
 {{- toYaml .Values.minio.securityContext }}
 {{- end }}

diff --git a/charts/testkube-api/templates/deployment.yaml b/charts/testkube-api/templates/deployment.yaml
@@ -288,10 +288,8 @@ spec:
             {{- with .Values.global.volumes.additionalVolumeMounts }}
             {{- toYaml . | nindent 12 -}}
             {{- end }}
-          securityContext:
-            {{ include "testkube-api.containerSecurityContext" . | trim }}
-      securityContext:
-        {{ include "testkube-api.podSecurityContext" . | trim }}
+          securityContext: {{ include "testkube-api.containerSecurityContext" . | nindent 12 }}
+      securityContext: {{ include "testkube-api.podSecurityContext" . | nindent 8 }}
       volumes:
         - name: testkube-tmp
           emptyDir: {}

diff --git a/charts/testkube-api/templates/minio.yaml b/charts/testkube-api/templates/minio.yaml
@@ -152,10 +152,8 @@ spec:
           {{- if .Values.minio.resources }}
           resources: {{ toYaml .Values.minio.resources | nindent 12 }}
           {{- end }}
-          securityContext:
-            {{ include "minio.containerSecurityContext" . | trim }}
-      securityContext:
-        {{ include "minio.podSecurityContext" . | trim }}
+          securityContext: {{ include "minio.containerSecurityContext" . | nindent 12 }}
+      securityContext: {{ include "minio.podSecurityContext" . | nindent 8 }}
       {{- if  .Values.minio.serviceAccountName }}
       serviceAccountName: {{ .Values.minio.serviceAccountName }}
       {{- end }}

diff --git a/charts/testkube-logs/templates/_helpers.tpl b/charts/testkube-logs/templates/_helpers.tpl
@@ -112,7 +112,7 @@ Define containerSecurityContext
 */}}
 {{- define "testkube-logs.containerSecurityContext" -}}
 {{- if .Values.global.containerSecurityContext }}
-{{- toYaml .Values.global.containerSecurityContext}}
+{{- toYaml .Values.global.containerSecurityContext }}
 {{- else }}
 {{- toYaml .Values.securityContext }}
 {{- end }}

diff --git a/charts/testkube-logs/templates/deployment.yaml b/charts/testkube-logs/templates/deployment.yaml
@@ -163,8 +163,7 @@ spec:
           {{- if .Values.extraEnvVars }}
             {{ include "global.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 | trim }}
           {{- end }}
-          securityContext:
-            {{ include "testkube-logs.containerSecurityContext" . | trim }}
+          securityContext: {{ include "testkube-logs.containerSecurityContext" . | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:
@@ -182,8 +181,7 @@ spec:
               name: {{ .Values.tls.certSecret.name }}
               readOnly: true
           {{- end }}
-      securityContext:
-        {{ include "testkube-logs.podSecurityContext" . | trim }}
+      securityContext: {{ include "testkube-logs.podSecurityContext" . | nindent 8 }}
       {{- if .Values.tls.certSecret.enabled }}
       volumes:
         - name: {{ .Values.tls.certSecret.name }}

diff --git a/charts/testkube-operator/templates/_helpers.tpl b/charts/testkube-operator/templates/_helpers.tpl
@@ -166,7 +166,7 @@ Define containerSecurityContext for migrate container
 */}}
 {{- define "webhook.migrate.containerSecurityContext" -}}
 {{- if .Values.global.containerSecurityContext }}
-{{- toYaml .Values.global.containerSecurityContext}}
+{{- toYaml .Values.global.containerSecurityContext }}
 {{- else }}
 {{- toYaml .Values.webhook.migrate.securityContext }}
 {{- end }}
@@ -177,9 +177,9 @@ Define containerSecurityContext for create cert secret container
 */}}
 {{- define "webhook.create.containerSecurityContext" -}}
 {{- if .Values.global.containerSecurityContext }}
-{{- toYaml .Values.global.containerSecurityContext}}
+{{- toYaml .Values.global.containerSecurityContext }}
 {{- else }}
-{{- toYaml .Values.webhook.patch.createSecretJob.securityContext  }}
+{{- toYaml .Values.webhook.patch.createSecretJob.securityContext }}
 {{- end }}
 {{- end }}
 
@@ -188,7 +188,7 @@ Define containerSecurityContext for patch container
 */}}
 {{- define "webhook.patch.containerSecurityContext" -}}
 {{- if .Values.global.containerSecurityContext }}
-{{- toYaml .Values.global.containerSecurityContext}}
+{{- toYaml .Values.global.containerSecurityContext }}
 {{- else }}
 {{- toYaml .Values.webhook.patch.patchWebhookJob.securityContext  }}
 {{- end }}

diff --git a/charts/testkube-operator/templates/deployment.yaml b/charts/testkube-operator/templates/deployment.yaml
@@ -50,8 +50,7 @@ spec:
         ports:
         - containerPort: 9443
           name: https
-        securityContext:
-          {{ include "testkube-operator.containerSecurityContext" . | trim }}
+        securityContext: {{ include "testkube-operator.containerSecurityContext" . | nindent 10 }}
       - name: manager
         args:
         - --health-probe-bind-address=:{{ .Values.healthcheckPort }}
@@ -121,14 +120,12 @@ spec:
         {{- if .Values.resources }}
         resources: {{ toYaml .Values.resources | nindent 10 }}
         {{- end }}
-        securityContext:
-          {{ include "testkube-operator.containerSecurityContext" . | trim }}
+        securityContext: {{ include "testkube-operator.containerSecurityContext" . | nindent 10 }}
         volumeMounts:
         - mountPath: /tmp/k8s-webhook-server/serving-certs
           name: cert
           readOnly: true
-      securityContext:
-        {{ include "testkube-operator.podSecurityContext" . | trim }}
+      securityContext: {{ include "testkube-operator.podSecurityContext" . | nindent 8 }}
       serviceAccountName: {{ include "testkube-operator.serviceAccountName" . }}
       terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
       volumes:

diff --git a/charts/testkube-operator/templates/webhook-cert-create.yaml b/charts/testkube-operator/templates/webhook-cert-create.yaml
@@ -59,8 +59,7 @@ spec:
             - --namespace
             - {{ include "testkube-operator.namespace" . }}
             - --ignore-not-found
-          securityContext:
-            {{ include "webhook.migrate.containerSecurityContext" . | trim }}
+          securityContext: {{ include "webhook.migrate.containerSecurityContext" . | nindent 12 }}
           {{- if .Values.webhook.migrate.resources }}
           resources: {{ toYaml .Values.webhook.migrate.resources | nindent 12 }}
           {{- end }}
@@ -83,15 +82,13 @@ spec:
             - tls.crt
             - --ca-name
             - ca.crt
-          securityContext:
-            {{ include "webhook.create.containerSecurityContext" . | trim }}
+          securityContext: {{ include "webhook.create.containerSecurityContext" . | nindent 12 }}
           {{- if .Values.webhook.patch.createSecretJob.resources }}
           resources: {{ toYaml .Values.webhook.patch.createSecretJob.resources | nindent 12 }}
           {{- end }}
       restartPolicy: OnFailure
       serviceAccountName: {{ .Values.webhook.patch.serviceAccount.name }}
-      securityContext:
-        {{ include "webhook.podSecurityContext" . | trim }}
+      securityContext: {{ include "webhook.podSecurityContext" . | nindent 8 }}
       {{- if .Values.webhook.patch.affinity }}
       affinity:
       {{- toYaml .Values.webhook.patch.affinity | nindent 8 }}

diff --git a/charts/testkube-operator/templates/webhook-cert-patch.yaml b/charts/testkube-operator/templates/webhook-cert-patch.yaml
@@ -63,15 +63,13 @@ spec:
             - --patch-mutating=false
             - --crd-api-groups
             - tests.testkube.io,executor.testkube.io
-          securityContext:
-            {{ include "webhook.patch.containerSecurityContext" . | trim }}
+          securityContext: {{ include "webhook.patch.containerSecurityContext" . | nindent 12 }}
           {{- if .Values.webhook.patch.patchWebhookJob.resources }}
           resources: {{ toYaml .Values.webhook.patch.patchWebhookJob.resources | nindent 12 }}
           {{- end }}
       restartPolicy: Never
       serviceAccountName: {{ .Values.webhook.patch.serviceAccount.name }}
-      securityContext:
-        {{ include "webhook.podSecurityContext" . | trim }}
+      securityContext: {{ include "webhook.podSecurityContext" . | nindent 8 }}
       {{- if .Values.webhook.patch.affinity }}
       affinity:
       {{- toYaml .Values.webhook.patch.affinity | nindent 8 }}

diff --git a/charts/testkube/values.yaml b/charts/testkube/values.yaml
@@ -45,9 +45,13 @@ global:
     # -- Additional volume mounts to be added to the Testkube API container and Test Jobs containers
     additionalVolumeMounts: []
   # -- Security Context for all pods
-  podSecurityContext: {}
+  podSecurityContext:
+    seccompProfile:
+      type: RuntimeDefault
   # -- Security Context for all containers
-  containerSecurityContext: {}
+  containerSecurityContext:
+    capabilities:
+      add: [ "NET_ADMIN", "SYS_TIME" ]
   # -- Test Workflows configuration
   testWorkflows:
     # -- Create TestWorkflowTemplates to easily use the service account