From e6c0a8075096560b6a8f4161da68002304c478a5 Mon Sep 17 00:00:00 2001
From: Eric Paulsen
Date: Thu, 9 Feb 2023 12:23:18 -0500
Subject: [PATCH 1/2] helm: add deployment securityContext values

---
 helm/templates/coder.yaml | 3 +++
 helm/values.yaml | 47 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+)

diff --git a/helm/templates/coder.yaml b/helm/templates/coder.yaml
index d385c19aa27fc..81cea64c1bcd6 100644
--- a/helm/templates/coder.yaml
+++ b/helm/templates/coder.yaml
@@ -26,6 +26,7 @@ spec:
 labels:
 {{- include "coder.labels" . | nindent 8 }}
 spec:
+ securityContext: {{ toYaml .Values.coder.podSecurityContext | nindent 8 }}
 serviceAccountName: {{ .Values.coder.serviceAccount.name | quote }}
 restartPolicy: Always
 {{- with .Values.coder.image.pullSecrets }}
@@ -48,6 +49,7 @@ spec:
 {{- with .Values.coder.initContainers }}
 initContainers:
 {{ toYaml . | nindent 8 }}
+ securityContext: {{ toYaml .Values.coder.securityContext | nindent 12 }}
 {{- end }}
 containers:
 - name: coder
@@ -107,6 +109,7 @@ spec:
 {{- end }}
 {{- end }}
 {{- end }}
+ securityContext: {{ toYaml .Values.coder.securityContext | nindent 12 }}
 readinessProbe:
 httpGet:
 path: /api/v2/buildinfo
diff --git a/helm/values.yaml b/helm/values.yaml
index 45bfad2558aa5..ee4c40ca2c740 100644
--- a/helm/values.yaml
+++ b/helm/values.yaml
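Review bot: The container `securityContext` added just before `readinessProbe` will, with the values.yaml defaults introduced in this same patch, set `readOnlyRootFilesystem: true`, yet the hunk adds no writable volume; if `coder server` writes to its root filesystem at runtime (a cache or temp directory, say), the pod fails at startup rather than at render time. Either mount an `emptyDir` at whatever path the server writes, or default `readOnlyRootFilesystem` to `null` and document the mounts a hardened install needs; the template's `volumes`/`volumeMounts` sit outside this hunk, so I could not confirm one already exists. Rendering with bare `toYaml` also means an unset value produces `securityContext: null`, which the API server accepts, so a `{{- with }}` guard is optional here.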
@@ -50,6 +50,53 @@ coder:
 # coder.serviceAccount.name -- The service account name
 name: coder
 
+ # coder.podSecurityContext -- Fields related to the pod's security context
+ # (as opposed to the container). Some fields are also present in the
+ # container security context, which will take precedence over these values.
+ podSecurityContext:
+ # coder.podSecurityContext.runAsNonRoot -- Requires that containers in
+ # the pod run as an unprivileged user. If setting runAsUser to 0 (root),
+ # this will need to be set to false.
+ runAsNonRoot: true
+ # coder.podSecurityContext.runAsUser -- Sets the user id of the pod.
+ # For security reasons, we recommend using a non-root user.
+ runAsUser: 1000
+ # coder.podSecurityContext.runAsGroup -- Sets the group id of the pod.
+ # For security reasons, we recommend using a non-root group.
+ runAsGroup: 1000
+ # coder.podSecurityContext.seccompProfile -- Sets the seccomp profile
+ # for the pod. If set, the container security context setting will take
+ # precedence over this value.
+ seccompProfile:
+ type: RuntimeDefault
+
+ # coder.securityContext -- Fields related to the container's security
+ # context (as opposed to the pod). Some fields are also present in the pod
+ # security context, in which case these values will take precedence.
+ securityContext:
+ # coder.securityContext.runAsNonRoot -- Requires that the coder container
+ # runs as an unprivileged user. If setting runAsUser to 0 (root), this
+ # will need to be set to false.
+ runAsNonRoot: true
+ # coder.securityContext.runAsUser -- Sets the user id of the pod.
+ # For security reasons, we recommend using a non-root user.
+ runAsUser: 1000
+ # coder.securityContext.runAsGroup -- Sets the group id of the pod.
+ # For security reasons, we recommend using a non-root group.
+ runAsGroup: 1000
+ # coder.securityContext.readOnlyRootFilesystem -- Mounts the container's
+ # root filesystem as read-only. It is recommended to leave this setting
+ # enabled in production. This will override the same setting in the pod
+ readOnlyRootFilesystem: true
+ # coder.securityContext.seccompProfile -- Sets the seccomp profile for
+ # the coder container.
+ seccompProfile:
+ type: RuntimeDefault
+ # coder.securityContext.allowPrivilegeEscalation -- Controls whether
+ # the container can gain additional privileges, such as escalating to
+ # root. It is recommended to leave this setting disabled in production.
+ allowPrivilegeEscalation: false
+ # coder.env -- The environment variables to set for Coder. These can be used
+ # to configure all aspects of `coder server`. Please see `coder server --help`
+ # for information about what environment variables can be set.
From a014ae97bb8c192d5bc3e7401254f90d913f8b5f Mon Sep 17 00:00:00 2001
From: Eric Paulsen
Date: Thu, 9 Feb 2023 12:51:13 -0500
Subject: [PATCH 2/2] rm: podSecurityContext

---
 helm/templates/coder.yaml | 2 --
 helm/values.yaml | 20 --------------------
 2 files changed, 22 deletions(-)

diff --git a/helm/templates/coder.yaml b/helm/templates/coder.yaml
index 81cea64c1bcd6..6326a9adfb494 100644
--- a/helm/templates/coder.yaml
+++ b/helm/templates/coder.yaml
@@ -26,7 +26,6 @@ spec:
 labels:
 {{- include "coder.labels" . | nindent 8 }}
 spec:
- securityContext: {{ toYaml .Values.coder.podSecurityContext | nindent 8 }}
 serviceAccountName: {{ .Values.coder.serviceAccount.name | quote }}
 restartPolicy: Always
 {{- with .Values.coder.image.pullSecrets }}
@@ -49,7 +48,6 @@ spec:
 {{- with .Values.coder.initContainers }}
 initContainers:
 {{ toYaml . | nindent 8 }}
- securityContext: {{ toYaml .Values.coder.securityContext | nindent 12 }}
 {{- end }}
 containers:
 - name: coder
diff --git a/helm/values.yaml b/helm/values.yaml
index ee4c40ca2c740..5d8fd84a26e76 100644
--- a/helm/values.yaml
+++ b/helm/values.yaml
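Review bot: The `coder.securityContext` defaults stop just short of the Kubernetes `restricted` Pod Security Standard: `runAsNonRoot`, `allowPrivilegeEscalation: false` and a `RuntimeDefault` seccomp profile are set, but `capabilities.drop: [ALL]` is not, so a namespace enforcing `restricted` would still reject the pod; adding `capabilities:` / `  drop:` / `    - ALL` under `securityContext` closes that gap. The comment on `readOnlyRootFilesystem` says it overrides "the same setting in the pod", but that field exists only in the container SecurityContext, not in PodSecurityContext, so the sentence should be removed. The `runAsUser` and `runAsGroup` comments under `coder.securityContext` read "Sets the user id of the pod" although they describe the container; `# Sets the user id of the coder container.` would match the sibling entries.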
@@ -50,26 +50,6 @@ coder:
 # coder.serviceAccount.name -- The service account name
 name: coder
 
- # coder.podSecurityContext -- Fields related to the pod's security context
- # (as opposed to the container). Some fields are also present in the
- # container security context, which will take precedence over these values.
- podSecurityContext:
- # coder.podSecurityContext.runAsNonRoot -- Requires that containers in
- # the pod run as an unprivileged user. If setting runAsUser to 0 (root),
- # this will need to be set to false.
- runAsNonRoot: true
- # coder.podSecurityContext.runAsUser -- Sets the user id of the pod.
- # For security reasons, we recommend using a non-root user.
- runAsUser: 1000
- # coder.podSecurityContext.runAsGroup -- Sets the group id of the pod.
- # For security reasons, we recommend using a non-root group.
- runAsGroup: 1000
- # coder.podSecurityContext.seccompProfile -- Sets the seccomp profile
- # for the pod. If set, the container security context setting will take
- # precedence over this value.
- seccompProfile:
- type: RuntimeDefault
-
 # coder.securityContext -- Fields related to the container's security
 # context (as opposed to the pod). Some fields are also present in the pod
 # security context, in which case these values will take precedence.