From 7f98dec248c3d00418494769ae81621a204dfd46 Mon Sep 17 00:00:00 2001 From: Tommy Skaug Date: Thu, 14 Nov 2024 22:16:13 +0100 Subject: [PATCH 1/2] chore(attic): general security audit improvements for helm config --- charts/attic/Chart.yaml | 2 +- charts/attic/templates/db-init.yaml | 45 +++++++++++++++++++ charts/attic/templates/deployment-server.yaml | 34 +++++++++++++- charts/attic/templates/service-server.yaml | 9 ++-- charts/attic/templates/serviceaccount.yaml | 9 +++- .../attic/templates/test/test-connection.yaml | 44 +++++++++++++++++- charts/attic/tests/values.yaml | 31 ------------- 7 files changed, 135 insertions(+), 39 deletions(-) delete mode 100644 charts/attic/tests/values.yaml diff --git a/charts/attic/Chart.yaml b/charts/attic/Chart.yaml index aae3bba..e95142b 100644 --- a/charts/attic/Chart.yaml +++ b/charts/attic/Chart.yaml @@ -4,7 +4,7 @@ description: A Nix binary caching server # renovate: image=ghcr.io/zhaofengli/attic appVersion: 4dbdbee45728d8ce5788db6461aaaa89d98081f0 type: application -version: 0.2.6 +version: 0.2.7 maintainers: - name: Tommy Skaug email: tommy@skaug.me diff --git a/charts/attic/templates/db-init.yaml b/charts/attic/templates/db-init.yaml index 80c8d88..2eb6f6e 100644 --- a/charts/attic/templates/db-init.yaml +++ b/charts/attic/templates/db-init.yaml 
@@ -4,17 +4,62 @@ metadata: name: {{ include "attic.fullname" . }}-db-init labels: {{- include "attic.labels" . | nindent 4 }} + app.kubernetes.io/instance: "{{ include "attic.fullname" . }}" annotations: "helm.sh/hook": pre-install "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded spec: template: + metadata: + labels: + app.kubernetes.io/instance: "{{ include "attic.fullname" . }}" spec: + priorityClassName: {{ .Values.priorityClassName | default "default" }} + automountServiceAccountToken: false + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: DoNotSchedule + labelSelector: + matchLabels: + app.kubernetes.io/instance: "{{ include "attic.fullname" . }}" restartPolicy: Never containers: - name: general-db-init image: "{{ .Values.initContainers.dbInit.image.repository }}:{{ .Values.initContainers.dbInit.image.tag }}" + imagePullPolicy: IfNotPresent envFrom: - secretRef: name: {{ .Values.postgres.secretName }} + resources: + limits: + cpu: "500m" + memory: "512Mi" + requests: + cpu: "250m" + memory: "256Mi" + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: ["ALL"] + seccompProfile: + type: RuntimeDefault + livenessProbe: + exec: + command: + - sh + - -c + - "pg_isready -U $POSTGRES_USER" + initialDelaySeconds: 30 + periodSeconds: 10 + readinessProbe: + exec: + command: + - sh + - -c + - "pg_isready -U $POSTGRES_USER" + initialDelaySeconds: 5 + periodSeconds: 10 backoffLimit: 3 diff --git a/charts/attic/templates/deployment-server.yaml b/charts/attic/templates/deployment-server.yaml index eb03362..fdffbe4 100644 --- a/charts/attic/templates/deployment-server.yaml +++ b/charts/attic/templates/deployment-server.yaml @@ -4,6 +4,7 @@ metadata: name: {{ include "attic.fullname" . }} labels: {{- include "attic.labels" . | nindent 4 }} + app.kubernetes.io/instance: "{{ include "attic.fullname" . }}" spec: replicas: 1 selector: 
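Review bot: `priorityClassName: {{ .Values.priorityClassName | default "default" }}` in the db-init pod spec will get the hook pod rejected on any cluster that has not created a PriorityClass literally named `default` — Kubernetes ships no such class, and a pod that references a missing PriorityClass fails admission instead of falling back; the same line is added in deployment-server.yaml (the `@@ -13,11 +14,22` hunk) and in test/test-connection.yaml. Render the field only when a value is supplied: `{{- with .Values.priorityClassName }}` / `priorityClassName: {{ . }}` / `{{- end }}`. Separately, the liveness and readiness probes added to this one-shot Job container run `pg_isready -U $POSTGRES_USER` with no `-h`, so they check for a local socket inside the init image rather than the remote database; if the init takes longer than `initialDelaySeconds` plus three failed periods the container is killed and the Job burns one of its three backoff attempts, so I would drop both probes here. `runAsNonRoot: true` without `runAsUser` also relies on the init image declaring a non-root user, and `readOnlyRootFilesystem: true` assumes the init script writes nothing outside mounted volumes — both worth confirming against the image. The Job manifest begins above this hunk (`apiVersion`/`kind` are not shown).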
@@ -13,11 +14,22 @@ spec: metadata: labels: app: {{ include "attic.fullname" . }} + app.kubernetes.io/instance: "{{ include "attic.fullname" . }}" spec: + priorityClassName: {{ .Values.priorityClassName | default "default" }} + automountServiceAccountToken: false + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: DoNotSchedule + labelSelector: + matchLabels: + app.kubernetes.io/instance: "{{ include "attic.fullname" . }}" serviceAccountName: {{ include "attic.fullname" . }} containers: - name: {{ include "attic.fullname" . }} image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + imagePullPolicy: IfNotPresent command: ["atticd"] args: ["-f", "/var/lib/atticd/config.toml"] envFrom: @@ -36,10 +48,30 @@ spec: mountPath: "/var/lib/atticd/config.toml" subPath: config.toml readOnly: true + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: ["ALL"] + seccompProfile: + type: RuntimeDefault + livenessProbe: + httpGet: + path: / + port: http + initialDelaySeconds: 30 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + port: http + initialDelaySeconds: 5 + periodSeconds: 10 volumes: - name: {{ include "attic.fullname" . }} persistentVolumeClaim: claimName: {{ .Values.persistence.existingClaim }} - name: config configMap: - name: {{ include "attic.fullname" . }} \ No newline at end of file + name: {{ include "attic.fullname" . }} diff --git a/charts/attic/templates/service-server.yaml b/charts/attic/templates/service-server.yaml index 296ae51..908ecda 100644 --- a/charts/attic/templates/service-server.yaml +++ b/charts/attic/templates/service-server.yaml 
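Review bot: The new `livenessProbe`/`readinessProbe` in the `@@ -36,10 +48,30` hunk use `port: http`, but a named probe port resolves against the container's own `ports:` list, not the Service — and nothing in these hunks declares `ports:` with `name: http` on the `atticd` container. Unless that block exists in the unshown lines between the two hunks, both probes fail, the container is restarted by the liveness probe and the rollout never becomes ready; either declare `ports:` / `- name: http` / `containerPort: 8080` on the container or use `port: 8080` in both probes. `readOnlyRootFilesystem: true` leaves only the PVC and the `subPath` config mount writable, so if `atticd` writes to `/tmp` or anywhere else on the root filesystem it will now fail at startup — an `emptyDir` for `/tmp` may be needed; confirm against the image. Probing `/` also assumes the server answers 2xx/3xx on its root path, which I cannot verify from the chart. The container block starts in this hunk and its volume list ends in the second one.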
@@ -1,13 +1,16 @@ ---- apiVersion: v1 kind: Service metadata: name: {{ include "attic.fullname" . }} labels: {{- include "attic.labels" . | nindent 4 }} + app.kubernetes.io/instance: "{{ include "attic.fullname" . }}" spec: + type: ClusterIP selector: app: {{ include "attic.fullname" . }} ports: - - port: 8080 - targetPort: 8080 \ No newline at end of file + - port: 8080 + targetPort: 8080 + protocol: TCP + name: http diff --git a/charts/attic/templates/serviceaccount.yaml b/charts/attic/templates/serviceaccount.yaml index 72890da..cc4b274 100644 --- a/charts/attic/templates/serviceaccount.yaml +++ b/charts/attic/templates/serviceaccount.yaml @@ -1,7 +1,12 @@ ---- apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "attic.fullname" . }} labels: - {{- include "attic.labels" . | nindent 4 }} \ No newline at end of file + {{- include "attic.labels" . | nindent 4 }} + app.kubernetes.io/instance: "{{ include "attic.fullname" . }}" + annotations: + {{- if .Values.serviceAccountAnnotations }} + {{- toYaml .Values.serviceAccountAnnotations | nindent 4 }} + {{- end }} +automountServiceAccountToken: false diff --git a/charts/attic/templates/test/test-connection.yaml b/charts/attic/templates/test/test-connection.yaml index cea60c1..081f61b 100644 --- a/charts/attic/templates/test/test-connection.yaml +++ b/charts/attic/templates/test/test-connection.yaml 
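Review bot: In serviceaccount.yaml the `annotations:` key is emitted unconditionally while its content is guarded by `{{- if .Values.serviceAccountAnnotations }}`, so with the value unset the template renders a bare `annotations:` key, which YAML parses as `null` rather than an empty map; the API server tolerates that, but strict schema validators may not, and it reads as an empty map when it is nothing. Move the key inside the guard: `{{- with .Values.serviceAccountAnnotations }}` / `annotations:` / `{{- toYaml . | nindent 4 }}` / `{{- end }}`. `automountServiceAccountToken: false` on the ServiceAccount, together with the pod-level setting added in deployment-server.yaml, is the right defence in depth; a one-line comment above the field, e.g. `# Token mounting is opt-in per pod spec; no template currently needs the API.`, would stop a future maintainer from flipping it back when a pod fails to reach the API server.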
@@ -4,12 +4,54 @@ metadata: name: "{{ include "attic.fullname" . }}-test-connection" labels: {{- include "attic.labels" . | nindent 4 }} + app.kubernetes.io/instance: "{{ include "attic.fullname" . }}" annotations: "helm.sh/hook": test spec: + priorityClassName: {{ .Values.priorityClassName | default "default" }} + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: DoNotSchedule + labelSelector: + matchLabels: + app.kubernetes.io/instance: "{{ include "attic.fullname" . }}" + automountServiceAccountToken: false containers: - name: wget - image: busybox + image: busybox:stable + imagePullPolicy: Always command: ['wget'] args: ['{{ include "attic.fullname" . }}:8080'] + resources: + limits: + cpu: "500m" + memory: "256Mi" + requests: + cpu: "250m" + memory: "128Mi" + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: ["ALL"] + seccompProfile: + type: RuntimeDefault + livenessProbe: + exec: + command: + - sh + - -c + - "wget -q --spider http://localhost:8080 || exit 1" + initialDelaySeconds: 30 + periodSeconds: 10 + readinessProbe: + exec: + command: + - sh + - -c + - "wget -q --spider http://localhost:8080 || exit 1" + initialDelaySeconds: 5 + periodSeconds: 10 restartPolicy: Never diff --git a/charts/attic/tests/values.yaml b/charts/attic/tests/values.yaml deleted file mode 100644 index 224a0c7..0000000 --- a/charts/attic/tests/values.yaml +++ /dev/null 
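Review bot: `readOnlyRootFilesystem: true` is added to the test pod, but the existing `command: ['wget']` / `args: ['…:8080']` saves the response to a file in the working directory, so the Helm test will now fail with a write error even when the server is up; use a non-writing form such as `args: ['--spider', '{{ include "attic.fullname" . }}:8080']` (BusyBox wget supports `--spider`). The new liveness/readiness probes run `wget --spider http://localhost:8080` inside the busybox pod itself, where nothing listens on 8080, so they can only ever fail — a one-shot test pod needs no probes, and I would drop both. `runAsNonRoot: true` without `runAsUser` depends on the image declaring a non-root user; as far as I know the upstream `busybox` image does not, in which case the kubelet refuses to start the container, so set it explicitly (e.g. `runAsUser: 65534`, the conventional nobody uid) rather than relying on the image. `busybox:stable` with `imagePullPolicy: Always` is a floating tag; pinning the test image to a digest would make the chart's test reproducible.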
@@ -1,31 +0,0 @@ -config: - externalUrl: https://cache.example.com/ - -persistence: - existingClaim: attic - -initContainers: - dbInit: - image: - repository: ghcr.io/onedr0p/postgres-init - tag: "16" - envFrom: - - secretRef: - name: attic-secret - -envFromSecret: attic-secret - -image: - repository: ghcr.io/zhaofengli/attic - tag: 4dbdbee45728d8ce5788db6461aaaa89d98081f0 - -postgres: - secretName: attic-secret - -resources: - limits: - memory: "3Gi" - cpu: "1000m" -# requests: -# cpu: 100m -# memory: 250Mi From 3218db38db7368999fe92a36a0aaeb558ee1d3b9 Mon Sep 17 00:00:00 2001 From: Tommy Skaug Date: Thu, 14 Nov 2024 22:18:57 +0100 Subject: [PATCH 2/2] chore(attic): use of redundant instance label caused warning --- charts/attic/templates/db-init.yaml | 1 - charts/attic/templates/deployment-server.yaml | 1 - charts/attic/templates/service-server.yaml | 1 - charts/attic/templates/serviceaccount.yaml | 1 - charts/attic/templates/test/test-connection.yaml | 1 - 5 files changed, 5 deletions(-) diff --git a/charts/attic/templates/db-init.yaml b/charts/attic/templates/db-init.yaml index 2eb6f6e..316f6ca 100644 --- a/charts/attic/templates/db-init.yaml +++ b/charts/attic/templates/db-init.yaml @@ -4,7 +4,6 @@ metadata: name: {{ include "attic.fullname" . }}-db-init labels: {{- include "attic.labels" . | nindent 4 }} - app.kubernetes.io/instance: "{{ include "attic.fullname" . }}" annotations: "helm.sh/hook": pre-install "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded diff --git a/charts/attic/templates/deployment-server.yaml b/charts/attic/templates/deployment-server.yaml index fdffbe4..175d27a 100644 --- a/charts/attic/templates/deployment-server.yaml +++ b/charts/attic/templates/deployment-server.yaml @@ -4,7 +4,6 @@ metadata: name: {{ include "attic.fullname" . }} labels: {{- include "attic.labels" . | nindent 4 }} - app.kubernetes.io/instance: "{{ include "attic.fullname" . }}" spec: replicas: 1 selector: 
diff --git a/charts/attic/templates/service-server.yaml b/charts/attic/templates/service-server.yaml index 908ecda..887aa2d 100644 --- a/charts/attic/templates/service-server.yaml +++ b/charts/attic/templates/service-server.yaml @@ -4,7 +4,6 @@ metadata: name: {{ include "attic.fullname" . }} labels: {{- include "attic.labels" . | nindent 4 }} - app.kubernetes.io/instance: "{{ include "attic.fullname" . }}" spec: type: ClusterIP selector: diff --git a/charts/attic/templates/serviceaccount.yaml b/charts/attic/templates/serviceaccount.yaml index cc4b274..76d2971 100644 --- a/charts/attic/templates/serviceaccount.yaml +++ b/charts/attic/templates/serviceaccount.yaml @@ -4,7 +4,6 @@ metadata: name: {{ include "attic.fullname" . }} labels: {{- include "attic.labels" . | nindent 4 }} - app.kubernetes.io/instance: "{{ include "attic.fullname" . }}" annotations: {{- if .Values.serviceAccountAnnotations }} {{- toYaml .Values.serviceAccountAnnotations | nindent 4 }} diff --git a/charts/attic/templates/test/test-connection.yaml b/charts/attic/templates/test/test-connection.yaml index 081f61b..c5da2fe 100644 --- a/charts/attic/templates/test/test-connection.yaml +++ b/charts/attic/templates/test/test-connection.yaml @@ -4,7 +4,6 @@ metadata: name: "{{ include "attic.fullname" . }}-test-connection" labels: {{- include "attic.labels" . | nindent 4 }} - app.kubernetes.io/instance: "{{ include "attic.fullname" . }}" annotations: "helm.sh/hook": test spec: