Update security context (#134)

* Update security context

* updated chart.yaml for all 4 charts

* updated libchart

* corrected chart version and added default resources

* corrected chart version and added default resources

Author: dhaugli

dotnet/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v2
 description: .NET Core Helm Chart
 name: dotnet
-version: 9.2.0
+version: 10.0.0
 dependencies:
   - name: libchart
-    version: 0.3.0
+    version: 1.0.0
     repository: file://../libchart

dotnet/values.yaml

@@ -29,14 +29,17 @@ serviceAccount:
 podAnnotations: {}
 podLabels: {}
 
-securityContext:
+podSecurityContext:
   runAsNonRoot: true
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsUser: 1000
-  # fsGroup: 2000
+  runAsUser: 65534
+  fsGroup: 65534
+
+securityContext:
+  readOnlyRootFilesystem: true
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+    - ALL
 
 environment: {}
 secrets: {}
@@ -62,17 +65,17 @@ csi: {}
 #      objectType: key
 #      objectVersion: ""
 
-resources: {}
+resources:
   # We usually recommend not to specify default resources and to leave this as a conscious
   # choice for the user. This also increases chances charts run on environments with little
   # resources, such as Minikube. If you do want to specify resources, uncomment the following
   # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-  # limits:
-  #  cpu: 100m
-  #  memory: 128Mi
-  # requests:
-  #  cpu: 100m
-  #  memory: 128Mi
+  limits:
+    cpu: 200m
+    memory: 512Mi
+  requests:
+    cpu: 200m
+    memory: 512Mi
 
 nodeSelector: {}
 

golang/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v2
 description: golan Helm Chart
 name: golang
-version: 13.2.0
+version: 14.0.0
 dependencies:
   - name: libchart
-    version: 0.3.0
+    version: 1.0.0
     repository: file://../libchart

golang/values.yaml

@@ -29,14 +29,17 @@ serviceAccount:
 podAnnotations: {}
 podLabels: {}
 
-securityContext:
+podSecurityContext:
   runAsNonRoot: true
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsUser: 1000
-  # fsGroup: 2000
+  runAsUser: 65534
+  fsGroup: 65534
+
+securityContext:
+  readOnlyRootFilesystem: true
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+    - ALL
 
 environment: {}
 secrets: {}
@@ -62,17 +65,17 @@ csi: {}
 #      objectType: key
 #      objectVersion: ""
 
-resources: {}
+resources:
   # We usually recommend not to specify default resources and to leave this as a conscious
   # choice for the user. This also increases chances charts run on environments with little
   # resources, such as Minikube. If you do want to specify resources, uncomment the following
   # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-  # limits:
-  #  cpu: 100m
-  #  memory: 128Mi
-  # requests:
-  #  cpu: 100m
-  #  memory: 128Mi
+  limits:
+    cpu: 100m
+    memory: 256Mi
+  requests:
+    cpu: 100m
+    memory: 256Mi
 
 nodeSelector: {}
 

java/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v2
 description: Java Helm Chart
 name: java
-version: 6.2.0
+version: 7.0.0
 dependencies:
   - name: libchart
-    version: 0.3.0
+    version: 1.0.0
     repository: file://../libchart

java/values.yaml

@@ -29,14 +29,17 @@ serviceAccount:
 podAnnotations: {}
 podLabels: {}
 
-securityContext:
+podSecurityContext:
   runAsNonRoot: true
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsUser: 1000
-  # fsGroup: 2000
+  runAsUser: 65534
+  fsGroup: 65534
+
+securityContext:
+  readOnlyRootFilesystem: true
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+    - ALL
 
 environment: {}
 secrets: {}
@@ -62,17 +65,17 @@ csi: {}
 #      objectType: key
 #      objectVersion: ""
 
-resources: {}
+resources:
   # We usually recommend not to specify default resources and to leave this as a conscious
   # choice for the user. This also increases chances charts run on environments with little
   # resources, such as Minikube. If you do want to specify resources, uncomment the following
   # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-  # limits:
-  #  cpu: 100m
-  #  memory: 128Mi
-  # requests:
-  #  cpu: 100m
-  #  memory: 128Mi
+  limits:
+    cpu: 200m
+    memory: 512Mi
+  requests:
+    cpu: 200m
+    memory: 512Mi
 
 nodeSelector: {}
 

libchart/Chart.yaml

@@ -15,7 +15,7 @@ type: library
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.0
+version: 1.0.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

libchart/templates/_pod.tpl

@@ -7,7 +7,7 @@ imagePullSecrets:
 {{- end }}
 serviceAccountName: {{ include "libchart.serviceAccountName" . }}
 securityContext:
-  {{- toYaml .Values.securityContext | nindent 2 }}
+  {{- toYaml .Values.podSecurityContext | nindent 2 }}
 containers:
   - name: {{ .Chart.Name }}
     image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
@@ -65,7 +65,8 @@ containers:
       {{- end }}
     resources:
       {{ toYaml .Values.resources | nindent 6 }}
-
+    securityContext:
+      {{- toYaml .Values.securityContext | nindent 6 }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
   {{ toYaml . | nindent 4 }}

libchart/values.yaml

@@ -30,14 +30,17 @@ serviceAccount:
 podAnnotations: {}
 podLabels: {}
 
-securityContext:
+podSecurityContext:
   runAsNonRoot: true
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsUser: 1000
-  # fsGroup: 2000
+  runAsUser: 65534
+  fsGroup: 65534
+
+securityContext:
+  readOnlyRootFilesystem: true
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+    - ALL
 
 environment: {}
 secrets: {}

nodejs/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v2
 description: Node.js Helm Chart
 name: nodejs
-version: 13.2.0
+version: 14.0.0
 dependencies:
   - name: libchart
-    version: 0.3.0
+    version: 1.0.0
     repository: file://../libchart

nodejs/values.yaml

@@ -29,14 +29,17 @@ serviceAccount:
 podAnnotations: {}
 podLabels: {}
 
-securityContext:
+podSecurityContext:
   runAsNonRoot: true
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsUser: 1000
-  # fsGroup: 2000
+  runAsUser: 65534
+  fsGroup: 65534
+
+securityContext:
+  readOnlyRootFilesystem: true
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+    - ALL
 
 environment: {}
 secrets: {}
@@ -62,17 +65,17 @@ csi: {}
 #      objectType: key
 #      objectVersion: ""
 
-resources: {}
+resources:
   # We usually recommend not to specify default resources and to leave this as a conscious
   # choice for the user. This also increases chances charts run on environments with little
   # resources, such as Minikube. If you do want to specify resources, uncomment the following
   # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-  # limits:
-  #  cpu: 100m
-  #  memory: 128Mi
-  # requests:
-  #  cpu: 100m
-  #  memory: 128Mi
+  limits:
+    cpu: 200m
+    memory: 512Mi
+  requests:
+    cpu: 200m
+    memory: 512Mi
 
 nodeSelector: {}
 

web/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 appVersion: "1.0"
 description: Helm chart for deployment of web servers
 name: web
-version: 10.3.0
+version: 11.0.0
 dependencies:
   - name: libchart
-    version: 0.3.0
+    version: 1.0.0
     repository: file://../libchart

web/values.yaml

@@ -29,14 +29,17 @@ serviceAccount:
 podAnnotations: {}
 podLabels: {}
 
-securityContext:
+podSecurityContext:
   runAsNonRoot: true
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsUser: 1000
-  # fsGroup: 2000
+  runAsUser: 65534
+  fsGroup: 65534
+
+securityContext:
+  readOnlyRootFilesystem: true
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+    - ALL
 
 environment: {}
 secrets: {}
@@ -62,17 +65,17 @@ csi: {}
 #      objectType: key
 #      objectVersion: ""
 
-resources: {}
+resources:
   # We usually recommend not to specify default resources and to leave this as a conscious
   # choice for the user. This also increases chances charts run on environments with little
   # resources, such as Minikube. If you do want to specify resources, uncomment the following
   # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-  # limits:
-  #  cpu: 100m
-  #  memory: 128Mi
-  # requests:
-  #  cpu: 100m
-  #  memory: 128Mi
+  limits:
+    cpu: 100m
+    memory: 256Mi
+  requests:
+    cpu: 100m
+    memory: 256Mi
 
 nodeSelector: {}