TT-9741 Add containerSecurityContext (#95)

* Add containerSecurityContext

* Fix containerSecurityContext value for dashboard

---------

Co-authored-by: andrei-tyk <[email protected]>
Co-authored-by: Komal Sukhani <[email protected]>
Co-authored-by: Pranshu <[email protected]>

components/tyk-dashboard/templates/deployment-dashboard.yaml

@@ -59,9 +59,10 @@ spec:
       - image: "{{ .Values.dashboard.image.repository }}:{{ .Values.dashboard.image.tag }}"
         imagePullPolicy: {{ .Values.dashboard.image.pullPolicy }}
         name: dashboard-{{ .Chart.Name }}
+        {{- if .Values.dashboard.containerSecurityContext }}
         securityContext:
-          runAsUser: 999
-          runAsGroup: 999
+        {{- toYaml .Values.dashboard.containerSecurityContext | nindent 12 }}
+        {{- end }}
         env:
           ## DEFAULT TYK DASHBOARD CONFIGURATION
           - name: "TYK_DB_ENABLEOWNERSHIP"

components/tyk-dashboard/values.yaml

@@ -187,6 +187,14 @@ dashboard:
   securityContext:
     runAsUser: 1000
     fsGroup: 2000
+  containerSecurityContext:
+    runAsNonRoot: true
+    allowPrivilegeEscalation: false
+    privileged: false
+    readOnlyRootFilesystem: true
+    capabilities:
+      drop:
+      - all
   nodeSelector: {}
   tolerations: []
   affinity: {}

components/tyk-enterprise-portal/templates/statefulset-enterprise-portal.yaml

@@ -49,14 +49,10 @@ spec:
       - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         name: enterprise-portal-{{ .Chart.Name }}
+        {{- if .Values.containerSecurityContext }}
         securityContext:
-          runAsNonRoot: true
-          allowPrivilegeEscalation: false
-          privileged: false
-          readOnlyRootFilesystem: true
-          capabilities:
-            drop:
-              - all
+        {{- toYaml .Values.containerSecurityContext | nindent 10 }}
+        {{- end}}
         env:
           - name: PORTAL_LICENSEKEY
             valueFrom:

components/tyk-enterprise-portal/values.yaml

@@ -99,6 +99,14 @@ resources: {}
 securityContext:
   runAsUser: 1000
   fsGroup: 2000
+containerSecurityContext:
+  runAsNonRoot: true
+  allowPrivilegeEscalation: false
+  privileged: false
+  readOnlyRootFilesystem: true
+  capabilities:
+    drop:
+      - all
 nodeSelector: {}
 tolerations: []
 affinity: {}

components/tyk-gateway/templates/deployment-gw-repset.yaml

@@ -68,14 +68,10 @@ spec:
       - name: gateway-{{ .Chart.Name }}
         image: "{{ .Values.gateway.image.repository }}:{{ .Values.gateway.image.tag }}"
         imagePullPolicy: {{ .Values.gateway.image.pullPolicy }}
+        {{- if .Values.gateway.containerSecurityContext }}
         securityContext:
-          runAsNonRoot: true
-          allowPrivilegeEscalation: false
-          privileged: false
-          readOnlyRootFilesystem: true
-          capabilities:
-            drop:
-              - all
+        {{- toYaml .Values.gateway.containerSecurityContext | nindent 12 }}
+        {{- end }}
         env:
           - name: TYK_GW_LISTENPORT
             value: "{{ .Values.global.servicePorts.gateway }}"

components/tyk-gateway/values.yaml

@@ -221,6 +221,16 @@ gateway:
     runAsUser: 1000
     fsGroup: 2000
 
+  # containerSecurityContext values for gateway container
+  containerSecurityContext:
+    runAsNonRoot: true
+    allowPrivilegeEscalation: false
+    privileged: false
+    readOnlyRootFilesystem: true
+    capabilities:
+      drop:
+        - all
+
   # node labels for gateway pod assignment
   nodeSelector: {}
 

components/tyk-pump/templates/deployment-pmp.yaml

@@ -45,14 +45,10 @@ spec:
         ports:
           - name: tyk-pump-port
             containerPort: {{ .Values.pump.containerPort }}
+        {{- if .Values.pump.containerSecurityContext }}
         securityContext:
-          runAsNonRoot: true
-          allowPrivilegeEscalation: false
-          privileged: false
-          readOnlyRootFilesystem: true
-          capabilities:
-            drop:
-              - all
+        {{- toYaml .Values.pump.containerSecurityContext | nindent 12 }}
+        {{- end }}
         env:
           # Legacy support for Redis Cluster driver. Driver dropped in v3.0.0.
           - name: REDIGOCLUSTER_SHARDCOUNT

components/tyk-pump/values.yaml

@@ -233,6 +233,16 @@ pump:
     runAsUser: 1000
     fsGroup: 2000
 
+  # containerSecurityContext values for pump container
+  containerSecurityContext:
+    runAsNonRoot: true
+    allowPrivilegeEscalation: false
+    privileged: false
+    readOnlyRootFilesystem: true
+    capabilities:
+      drop:
+        - all
+
   # node labels for pump pod assignment
   nodeSelector: {}
 

tyk-mdcb-data-plane/values.yaml

@@ -226,6 +226,16 @@ tyk-gateway:
       runAsUser: 1000
       fsGroup: 2000
 
+    # containerSecurityContext values for gateway container
+    containerSecurityContext:
+      runAsNonRoot: true
+      allowPrivilegeEscalation: false
+      privileged: false
+      readOnlyRootFilesystem: true
+      capabilities:
+        drop:
+          - all
+
     # node labels for gateway pod assignment
     nodeSelector: {}
 
@@ -409,6 +419,16 @@ tyk-pump:
       runAsUser: 1000
       fsGroup: 2000
 
+    # containerSecurityContext values for pump container
+    containerSecurityContext:
+      runAsNonRoot: true
+      allowPrivilegeEscalation: false
+      privileged: false
+      readOnlyRootFilesystem: true
+      capabilities:
+        drop:
+          - all
+
     # node labels for pump pod assignment
     nodeSelector: {}
 

tyk-oss/values.yaml

@@ -209,6 +209,16 @@ tyk-gateway:
       runAsUser: 1000
       fsGroup: 2000
 
+    # containerSecurityContext values for gateway container
+    containerSecurityContext:
+      runAsNonRoot: true
+      allowPrivilegeEscalation: false
+      privileged: false
+      readOnlyRootFilesystem: true
+      capabilities:
+        drop:
+          - all
+
     # node labels for gateway pod assignment
     nodeSelector: {}
 
@@ -372,6 +382,16 @@ tyk-pump:
       runAsUser: 1000
       fsGroup: 2000
 
+    # containerSecurityContext values for pump container
+    containerSecurityContext:
+      runAsNonRoot: true
+      allowPrivilegeEscalation: false
+      privileged: false
+      readOnlyRootFilesystem: true
+      capabilities:
+        drop:
+          - all
+
     # node labels for pump pod assignment
     nodeSelector: {}
 

tyk-single-dc/values.yaml

@@ -277,6 +277,16 @@ tyk-gateway:
       runAsUser: 1000
       fsGroup: 2000
 
+    # containerSecurityContext values for gateway container
+    containerSecurityContext:
+      runAsNonRoot: true
+      allowPrivilegeEscalation: false
+      privileged: false
+      readOnlyRootFilesystem: true
+      capabilities:
+        drop:
+          - all
+
     # node labels for gateway pod assignment
     nodeSelector: {}
 
@@ -443,6 +453,16 @@ tyk-pump:
       runAsUser: 1000
       fsGroup: 2000
 
+    # containerSecurityContext values for pump container
+    containerSecurityContext:
+      runAsNonRoot: true
+      allowPrivilegeEscalation: false
+      privileged: false
+      readOnlyRootFilesystem: true
+      capabilities:
+        drop:
+          - all
+
     # node labels for pump pod assignment
     nodeSelector: {}
 
@@ -594,6 +614,14 @@ tyk-dashboard:
     securityContext:
       runAsUser: 1000
       fsGroup: 2000
+    containerSecurityContext:
+      runAsNonRoot: true
+      allowPrivilegeEscalation: false
+      privileged: false
+      readOnlyRootFilesystem: true
+      capabilities:
+        drop:
+        - all
     nodeSelector: {}
     tolerations: []
     affinity: {}
@@ -709,6 +737,14 @@ tyk-enterprise-portal:
   securityContext:
     runAsUser: 1000
     fsGroup: 2000
+  containerSecurityContext:
+    runAsNonRoot: true
+    allowPrivilegeEscalation: false
+    privileged: false
+    readOnlyRootFilesystem: true
+    capabilities:
+      drop:
+        - all
   nodeSelector: {}
   tolerations: []
   affinity: {}