From 7b89c1ee54d5fba4486594750a1dc5fc05b03ca7 Mon Sep 17 00:00:00 2001
From: Zaid Albirawi
Date: Thu, 10 Aug 2023 11:32:18 -0400
Subject: [PATCH 1/2] Add containerSecurityContext
---
 .../templates/deployment-dashboard.yaml | 5 +--
 components/tyk-dashboard/values.yaml | 3 ++
 .../statefulset-enterprise-portal.yaml | 10 ++----
 components/tyk-enterprise-portal/values.yaml | 8 +++++
 .../templates/deployment-gw-repset.yaml | 10 ++----
 components/tyk-gateway/values.yaml | 10 ++++++
 .../tyk-pump/templates/deployment-pmp.yaml | 10 ++----
 components/tyk-pump/values.yaml | 10 ++++++
 tyk-mdcb-data-plane/values.yaml | 20 ++++++++++++
 tyk-oss/values.yaml | 20 ++++++++++++
 tyk-single-dc/values.yaml | 31 +++++++++++++++++++
 11 files changed, 114 insertions(+), 23 deletions(-)
diff --git a/components/tyk-dashboard/templates/deployment-dashboard.yaml b/components/tyk-dashboard/templates/deployment-dashboard.yaml
index 9770d3bb..3c2c704b 100644
--- a/components/tyk-dashboard/templates/deployment-dashboard.yaml
+++ b/components/tyk-dashboard/templates/deployment-dashboard.yaml
@@ -56,9 +56,10 @@ spec: - image: "{{ .Values.dashboard.image.repository }}:{{ .Values.dashboard.image.tag }}" imagePullPolicy: {{ .Values.dashboard.image.pullPolicy }} name: dashboard-{{ .Chart.Name }} + {{- if .Values.dashboard.containerSecurityContext }} securityContext: - runAsUser: 999 - runAsGroup: 999 + {{- toYaml .Values.dashboard.containerSecurityContext | nindent 12 }} + {{- end }} env: ## DEFAULT TYK DASHBOARD CONFIGURATION - name: "TYK_DB_ENABLEOWNERSHIP"
diff --git a/components/tyk-dashboard/values.yaml b/components/tyk-dashboard/values.yaml
index 41be6819..88242dc9 100644
--- a/components/tyk-dashboard/values.yaml
+++ b/components/tyk-dashboard/values.yaml
@@ -183,6 +183,9 @@ dashboard: securityContext: runAsUser: 1000 fsGroup: 2000 + containerSecurityContext: + runAsUser: 999 + runAsGroup: 999 nodeSelector: {} tolerations: [] affinity: {}
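Review bot: The `{{- if .Values.dashboard.containerSecurityContext }}` guard makes an override of `containerSecurityContext: {}` (or null) omit the container-level securityContext altogether, so a chart user who empties the value to "reset" it silently loses the uid/gid that this hunk stops hard-coding. That is a reasonable contract, but it is not stated anywhere; a one-line comment on the value in values.yaml, `# containerSecurityContext for the dashboard container; set to {} to omit the container-level securityContext`, would make it explicit. The same guard is used in the enterprise-portal, gateway and pump templates of this commit. The container spec this hunk edits continues outside the hunk.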
diff --git a/components/tyk-enterprise-portal/templates/statefulset-enterprise-portal.yaml b/components/tyk-enterprise-portal/templates/statefulset-enterprise-portal.yaml
index 071e4fda..7a151059 100644
--- a/components/tyk-enterprise-portal/templates/statefulset-enterprise-portal.yaml
+++ b/components/tyk-enterprise-portal/templates/statefulset-enterprise-portal.yaml
@@ -39,14 +39,10 @@ spec: - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" imagePullPolicy: {{ .Values.image.pullPolicy }} name: enterprise-portal-{{ .Chart.Name }} + {{- if .Values.containerSecurityContext }} securityContext: - runAsNonRoot: true - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - capabilities: - drop: - - all + {{- toYaml .Values.containerSecurityContext | nindent 10 }} + {{- end}} env: - name: PORTAL_LICENSEKEY valueFrom:
diff --git a/components/tyk-enterprise-portal/values.yaml b/components/tyk-enterprise-portal/values.yaml
index c869fe43..d6f67265 100644
--- a/components/tyk-enterprise-portal/values.yaml
+++ b/components/tyk-enterprise-portal/values.yaml
@@ -90,6 +90,14 @@ resources: {} securityContext: runAsUser: 1000 fsGroup: 2000 +containerSecurityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + capabilities: + drop: + - all nodeSelector: {} tolerations: [] affinity: {}
diff --git a/components/tyk-gateway/templates/deployment-gw-repset.yaml b/components/tyk-gateway/templates/deployment-gw-repset.yaml
index b511ce9e..fe7c9e7c 100644
--- a/components/tyk-gateway/templates/deployment-gw-repset.yaml
+++ b/components/tyk-gateway/templates/deployment-gw-repset.yaml
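Review bot: `{{- end}}` on the closing line of the guard lacks the space that the dashboard, gateway and pump templates in this commit use; change it to `{{- end }}` for consistency. This template also uses `nindent 10` where the other three use `nindent 12`, presumably because `securityContext:` sits at a different indent in this StatefulSet, but the indentation is not recoverable from the patch as shown, so it is worth confirming the rendered container with `helm template`. The container spec continues outside the hunk.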
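Review bot: `drop: - all` uses a lowercase capability name, and with this hunk that spelling becomes the documented default in values.yaml rather than an internal template detail. Kubernetes documents the wildcard as `ALL`, and as far as I can tell the Pod Security Admission `restricted` profile checks `capabilities.drop` for that exact string, so this default may not count as dropping all capabilities for policy purposes even where the container runtime accepts `all`; write `- ALL`. The same spelling appears in the gateway, pump, tyk-mdcb-data-plane, tyk-oss and tyk-single-dc values hunks of this commit and in both hunks of the second commit.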
@@ -65,14 +65,10 @@ spec: - name: gateway-{{ .Chart.Name }} image: "{{ .Values.gateway.image.repository }}:{{ .Values.gateway.image.tag }}" imagePullPolicy: {{ .Values.gateway.image.pullPolicy }} + {{- if .Values.gateway.containerSecurityContext }} securityContext: - runAsNonRoot: true - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - capabilities: - drop: - - all + {{- toYaml .Values.gateway.containerSecurityContext | nindent 12 }} + {{- end }} env: - name: TYK_GW_LISTENPORT value: "{{ .Values.global.servicePorts.gateway }}"
diff --git a/components/tyk-gateway/values.yaml b/components/tyk-gateway/values.yaml
index 27fd80c8..7afbd17f 100644
--- a/components/tyk-gateway/values.yaml
+++ b/components/tyk-gateway/values.yaml
@@ -218,6 +218,16 @@ gateway: runAsUser: 1000 fsGroup: 2000 + # containerSecurityContext values for gateway container + containerSecurityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + capabilities: + drop: + - all + # node labels for gateway pod assignment nodeSelector: {}
diff --git a/components/tyk-pump/templates/deployment-pmp.yaml b/components/tyk-pump/templates/deployment-pmp.yaml
index 83c7ffe5..2c87e2fb 100644
--- a/components/tyk-pump/templates/deployment-pmp.yaml
+++ b/components/tyk-pump/templates/deployment-pmp.yaml
@@ -42,14 +42,10 @@ spec: ports: - name: tyk-pump-port containerPort: {{ .Values.pump.containerPort }} + {{- if .Values.pump.containerSecurityContext }} securityContext: - runAsNonRoot: true - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - capabilities: - drop: - - all + {{- toYaml .Values.pump.containerSecurityContext | nindent 12 }} + {{- end }} env: # Legacy support for Redis Cluster driver. Driver dropped in v3.0.0. - name: REDIGOCLUSTER_SHARDCOUNT
diff --git a/components/tyk-pump/values.yaml b/components/tyk-pump/values.yaml
index 86b51686..04b37ab1 100644
--- a/components/tyk-pump/values.yaml
+++ b/components/tyk-pump/values.yaml
@@ -230,6 +230,16 @@ pump: runAsUser: 1000 fsGroup: 2000 + # containerSecurityContext values for pump container + containerSecurityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + capabilities: + drop: + - all + # node labels for pump pod assignment nodeSelector: {}
diff --git a/tyk-mdcb-data-plane/values.yaml b/tyk-mdcb-data-plane/values.yaml
index 41ccfa05..3d048d78 100644
--- a/tyk-mdcb-data-plane/values.yaml
+++ b/tyk-mdcb-data-plane/values.yaml
@@ -223,6 +223,16 @@ tyk-gateway: runAsUser: 1000 fsGroup: 2000 + # containerSecurityContext values for gateway container + containerSecurityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + capabilities: + drop: + - all + # node labels for gateway pod assignment nodeSelector: {}
@@ -400,6 +410,16 @@ tyk-pump: runAsUser: 1000 fsGroup: 2000 + # containerSecurityContext values for pump container + containerSecurityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + capabilities: + drop: + - all + # node labels for pump pod assignment nodeSelector: {}
diff --git a/tyk-oss/values.yaml b/tyk-oss/values.yaml
index 0d5f3132..e801ab3a 100644
--- a/tyk-oss/values.yaml
+++ b/tyk-oss/values.yaml
@@ -206,6 +206,16 @@ tyk-gateway: runAsUser: 1000 fsGroup: 2000 + # containerSecurityContext values for gateway container + containerSecurityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + capabilities: + drop: + - all + # node labels for gateway pod assignment nodeSelector: {}
@@ -363,6 +373,16 @@ tyk-pump: runAsUser: 1000 fsGroup: 2000 + # containerSecurityContext values for pump container + containerSecurityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + capabilities: + drop: + - all + # node labels for pump pod assignment nodeSelector: {}
diff --git a/tyk-single-dc/values.yaml b/tyk-single-dc/values.yaml
index f548cc45..303d88f3 100644
--- a/tyk-single-dc/values.yaml
+++ b/tyk-single-dc/values.yaml
@@ -250,6 +250,16 @@ tyk-gateway: runAsUser: 1000 fsGroup: 2000 + # containerSecurityContext values for gateway container + containerSecurityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + capabilities: + drop: + - all + # node labels for gateway pod assignment nodeSelector: {}
@@ -412,6 +422,16 @@ tyk-pump: runAsUser: 1000 fsGroup: 2000 + # containerSecurityContext values for pump container + containerSecurityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + capabilities: + drop: + - all + # node labels for pump pod assignment nodeSelector: {}
@@ -559,6 +579,9 @@ tyk-dashboard: securityContext: runAsUser: 1000 fsGroup: 2000 + containerSecurityContext: + runAsUser: 999 + runAsGroup: 999 nodeSelector: {} tolerations: [] affinity: {}
@@ -663,6 +686,14 @@ tyk-enterprise-portal: securityContext: runAsUser: 1000 fsGroup: 2000 + containerSecurityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + capabilities: + drop: + - all nodeSelector: {} tolerations: [] affinity: {}
From 9446f9c82a92252682dd9e16c139e7cc2855c01c Mon Sep 17 00:00:00 2001
From: Komal Sukhani
Date: Mon, 4 Sep 2023 12:30:42 +0530
Subject: [PATCH 2/2] Fix containerSecurityContext value for dashboard
---
 components/tyk-dashboard/values.yaml | 9 +++++++--
 tyk-single-dc/values.yaml | 9 +++++++--
 2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/components/tyk-dashboard/values.yaml b/components/tyk-dashboard/values.yaml
index 301c4f10..f605d761 100644
--- a/components/tyk-dashboard/values.yaml
+++ b/components/tyk-dashboard/values.yaml
@@ -184,8 +184,13 @@ dashboard: runAsUser: 1000 fsGroup: 2000 containerSecurityContext: - runAsUser: 999 - runAsGroup: 999 + runAsNonRoot: true + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + capabilities: + drop: + - all nodeSelector: {} tolerations: [] affinity: {}
diff --git a/tyk-single-dc/values.yaml b/tyk-single-dc/values.yaml
index 3ee09c72..eeb8df5f 100644
--- a/tyk-single-dc/values.yaml
+++ b/tyk-single-dc/values.yaml
@@ -602,8 +602,13 @@ tyk-dashboard: runAsUser: 1000 fsGroup: 2000 containerSecurityContext: - runAsUser: 999 - runAsGroup: 999 + runAsNonRoot: true + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + capabilities: + drop: + - all nodeSelector: {} tolerations: [] affinity: {}
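Review bot: Replacing `runAsUser: 999` / `runAsGroup: 999` with the hardened block is a behaviour change rather than only a fix: the dashboard container now inherits the pod-level `runAsUser: 1000` visible in the context lines and gets `readOnlyRootFilesystem: true`, and if the image's writable paths are owned by uid 999 (which the previous hard-coded values suggest) the container may fail at startup. Please confirm against the image, and if uid 999 is required keep `runAsUser: 999` and `runAsGroup: 999` alongside `runAsNonRoot: true` instead of dropping them, and record the uid change in the chart's release notes. The same applies to the tyk-single-dc hunk in this commit, which makes the identical substitution.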