Review securitycontext in Makefile/CI (#167)

mathieu-benoit · web-flow · commit 0ee23db42236 · 2025-01-14T22:45:04.000-05:00
* Review securitycontext for score-compose

* securitycontext with score-k8s

* automountServiceAccountToken=false

* Fix Syntax error: Unterminated quoted string

* score-* deployment success in PR comment

* Fix comment
diff --git a/.github/workflows/open-pr.yml b/.github/workflows/open-pr.yml
@@ -41,14 +41,6 @@ jobs:
       - name: make compose.yaml
         run: |
           make compose.yaml
-          cat <<EOF > compose.override.yaml
-          services:
-            ${{ env.WORKLOAD_NAME }}-${{ env.CONTAINER_NAME }}:
-              read_only: true
-              cap_drop:
-                - ALL
-              user: "1000"
-          EOF
       - name: make compose-test
         run: |
           make compose-test
@@ -192,12 +184,22 @@ jobs:
               --token ${{ secrets.HUMANITEC_TOKEN }} \
               | grep '"status": "Failure"' -B 10 -A 1) \
               || true
+          
+          echo "#### :white_check_mark: Successfully deployed with score-compose" >> pr_message.txt
+          echo "" >> pr_message.txt
+          echo "#### :white_check_mark: Successfully deployed with score-k8s" >> pr_message.txt
+          echo "" >> pr_message.txt
+          
           if [[ "$DEPLOYMENT_ERRORS" = "[]" && -z "$RUNTIME_ERRORS" ]]; then
             echo "## Deployment successfully completed for ${{ env.ENVIRONMENT_NAME }}! :tada:" >> pr_message.txt
             echo "" >> pr_message.txt
+            echo "#### :white_check_mark: Successfully deployed with humctl" >> pr_message.txt
+            echo "" >> pr_message.txt
           else
             echo "## Deployment failed for ${{ env.ENVIRONMENT_NAME }}! :x:" >> pr_message.txt
             echo "" >> pr_message.txt
+            echo "#### :x: Deployment failed with `humctl`" >> pr_message.txt
+            echo "" >> pr_message.txt
             
             if [ "$DEPLOYMENT_ERRORS" != "[]" ]; then
               echo "### Deployment errors:" >> pr_message.txt
diff --git a/Makefile b/Makefile
@@ -23,6 +23,7 @@ compose.yaml: score/score.yaml .score-compose/state.yaml Makefile
 	score-compose generate score/score.yaml \
 		--build '${CONTAINER_NAME}={"context":"app/","tags":["${CONTAINER_IMAGE}"]}' \
 		--override-property containers.${CONTAINER_NAME}.variables.MESSAGE="Hello, Compose!"
+	echo '{"services":{"${WORKLOAD_NAME}-${CONTAINER_NAME}":{"read_only":"true","user":"65532","cap_drop":["ALL"]}}}' | yq e -P > compose.override.yaml
 
 ## Generate a compose.yaml file from the score spec and launch it.
 .PHONY: compose-up
@@ -47,7 +48,10 @@ compose-down:
 manifests.yaml: score/score.yaml .score-k8s/state.yaml Makefile
 	score-k8s generate score/score.yaml \
 		--image ${CONTAINER_IMAGE} \
-		--override-property containers.${CONTAINER_NAME}.variables.MESSAGE="Hello, Kubernetes!"
+		--override-property containers.${CONTAINER_NAME}.variables.MESSAGE="Hello, Kubernetes!" \
+		--patch-manifests 'Deployment/*/spec.template.spec.automountServiceAccountToken=false' \
+		--patch-manifests 'Deployment/*/spec.template.spec.securityContext={"fsGroup":65532,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}'
+	echo '{"spec":{"template":{"spec":{"containers":[{"name":"${CONTAINER_NAME}","securityContext":{"allowPrivilegeEscalation":false,"privileged": false,"readOnlyRootFilesystem": true,"capabilities":{"drop":["ALL"]}}}]}}}}' > deployment-patch.yaml
 
 ## Create a local Kind cluster.
 .PHONY: kind-create-cluster
@@ -66,6 +70,10 @@ k8s-up: manifests.yaml
 	kubectl apply \
 		-f manifests.yaml \
 		-n ${NAMESPACE}
+	kubectl patch \
+		deployment ${WORKLOAD_NAME} \
+		--patch-file deployment-patch.yaml \
+		-n ${NAMESPACE}
 	kubectl wait deployments/${WORKLOAD_NAME} \
 		-n ${NAMESPACE} \
 		--for condition=Available \
