From a483eb055b16ce5f9e22ffca1b3815c10e761a07 Mon Sep 17 00:00:00 2001
From: YuryHrytsuk <yuryhrytsuk@gmail.com>
Date: Mon, 21 Jul 2025 08:44:09 +0200
Subject: [PATCH 1/2] Kubernetes simcore: add pod security standard

Ensure baseline policy and warn on restricted policy violations. The k8s
way to add pod security standard, is to add labels to the namespace. The
adding labels to namespace is achieved via helmfile hooks.

Add helpful defaults for pod & container security context to ensure
minimal privileges.

WARNING: if deployed pod does not conform with baseline policy, it
SILENTLY won't be scheduled. To see warnings / errors execute `kubectl
-n simcore events'

* https://github.com/ITISFoundation/osparc-ops-environments/issues/1137
---
 charts/SECURITY.md                            | 17 ++++++++++
 .../simcore-charts/common-helpers/Chart.yaml  |  2 +-
 .../common-helpers/templates/_helpers.tpl     | 33 +++++++++++++++++++
 charts/simcore-charts/namespace.yaml          | 16 +++++++++
 .../resource-usage-tracker/Chart.yaml         |  4 +--
 .../templates/deployment.yaml                 |  8 +++++
 .../resource-usage-tracker/values.yaml.gotmpl | 16 ++++-----
 7 files changed, 83 insertions(+), 13 deletions(-)
 create mode 100644 charts/SECURITY.md
 create mode 100644 charts/simcore-charts/namespace.yaml

diff --git a/charts/SECURITY.md b/charts/SECURITY.md
new file mode 100644
index 00000000..866cac4d
--- /dev/null
+++ b/charts/SECURITY.md
@@ -0,0 +1,17 @@
+# Security
+
+This file documents security measures and their configuration in current code base
+
+## Application developer
+
+Full list: https://kubernetes.io/docs/concepts/security/application-security-checklist/
+
+#### Pod-level securityContext recommendations
+
+Enable pod security standard on namespace level:
+* create namespace with labels https://aro-labs.com/pod-security-standards/
+* configure pod and container security context to satisfy security standards
+
+## Cluster / OPS developers
+
+Full list: https://kubernetes.io/docs/concepts/security/security-checklist/
diff --git a/charts/simcore-charts/common-helpers/Chart.yaml b/charts/simcore-charts/common-helpers/Chart.yaml
index 1927ce24..8685737b 100644
--- a/charts/simcore-charts/common-helpers/Chart.yaml
+++ b/charts/simcore-charts/common-helpers/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.1
+version: 0.0.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/charts/simcore-charts/common-helpers/templates/_helpers.tpl b/charts/simcore-charts/common-helpers/templates/_helpers.tpl
index 2c391de3..4bb68553 100644
--- a/charts/simcore-charts/common-helpers/templates/_helpers.tpl
+++ b/charts/simcore-charts/common-helpers/templates/_helpers.tpl
@@ -72,3 +72,36 @@ data:
   {{- end }}
 {{- end }}
 {{- end -}}
+
+{{/*
+
+Usage:
+{{- include "common-helpers.defaultPodSecurityContext" . | nindent 0 }}
+
+Defines a common pod security context to ensure minimal privileges for containers.
+
+Values inspired from https://medium.com/dynatrace-engineering/kubernetes-security-part-3-security-context-7d44862c4cfa
+*/}}
+{{- define "common-helpers.defaultPodSecurityContext" -}}
+runAsNonRoot: true
+seccompProfile:
+  type: RuntimeDefault
+{{- end -}}
+
+{{/*
+
+Usage:
+{{- include "common-helpers.defaultContainerSecurityContext" . | nindent 0 }}
+
+Defines a common container security context to ensure minimal privileges for containers.
+
+Values inspired from https://medium.com/dynatrace-engineering/kubernetes-security-part-3-security-context-7d44862c4cfa
+*/}}
+{{- define "common-helpers.defaultContainerSecurityContext" -}}
+privileged: false
+readOnlyRootFilesystem: true
+allowPrivilegeEscalation: false
+capabilities:
+  drop:
+    - ALL
+{{- end -}}
diff --git a/charts/simcore-charts/namespace.yaml b/charts/simcore-charts/namespace.yaml
new file mode 100644
index 00000000..5614a6ae
--- /dev/null
+++ b/charts/simcore-charts/namespace.yaml
@@ -0,0 +1,16 @@
+# namespace with defined pod security standard
+# inspired from https://aro-labs.com/pod-security-standards/
+# official doc: https://kubernetes.io/docs/concepts/security/pod-security-standards/
+#
+# Warning: if pod / container does not meet enforced standards, it will not be deployed (silently)
+# execute `kubectl -n <namespace> events` to see errors (e.g.)
+#   Error creating: pods "xyz" is forbidden: violates PodSecurity "baseline:latest": privileged
+#   container "xyz" must not set securityContext.privileged to true
+#
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: simcore
+  labels:
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/warn: restricted
diff --git a/charts/simcore-charts/resource-usage-tracker/Chart.yaml b/charts/simcore-charts/resource-usage-tracker/Chart.yaml
index 5f4fca31..81347845 100644
--- a/charts/simcore-charts/resource-usage-tracker/Chart.yaml
+++ b/charts/simcore-charts/resource-usage-tracker/Chart.yaml
@@ -4,7 +4,7 @@ description: A Helm chart for Kubernetes
 
 dependencies:
   - name: common-helpers
-    version: 0.0.1
+    version: 0.0.2
     repository: "file://../common-helpers"
 
 # A chart can be either an 'application' or a 'library' chart.
@@ -20,7 +20,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.1
+version: 0.0.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/charts/simcore-charts/resource-usage-tracker/templates/deployment.yaml b/charts/simcore-charts/resource-usage-tracker/templates/deployment.yaml
index 3e3884bc..7f9c56a5 100644
--- a/charts/simcore-charts/resource-usage-tracker/templates/deployment.yaml
+++ b/charts/simcore-charts/resource-usage-tracker/templates/deployment.yaml
@@ -29,11 +29,19 @@ spec:
       {{- end }}
       serviceAccountName: {{ include "resource-usage-tracker.serviceAccountName" . }}
       securityContext:
+      {{- if .Values.podSecurityContext }}
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      {{- else }}
+        {{- include "common-helpers.defaultPodSecurityContext" . | nindent 8 }}
+      {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           securityContext:
+          {{- if .Values.securityContext }}
             {{- toYaml .Values.securityContext | nindent 12 }}
+          {{- else }}
+            {{- include "common-helpers.defaultContainerSecurityContext" . | nindent 12 }}
+          {{- end }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           env:
diff --git a/charts/simcore-charts/resource-usage-tracker/values.yaml.gotmpl b/charts/simcore-charts/resource-usage-tracker/values.yaml.gotmpl
index 32459cb9..c385282f 100644
--- a/charts/simcore-charts/resource-usage-tracker/values.yaml.gotmpl
+++ b/charts/simcore-charts/resource-usage-tracker/values.yaml.gotmpl
@@ -28,16 +28,12 @@ serviceAccount:
 podAnnotations: {}
 podLabels: {}
 
-podSecurityContext: {}
-  # fsGroup: 2000
-
-securityContext: {}
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
+podSecurityContext:
+  seccompProfile:
+    type: RuntimeDefault
+
+securityContext:
+  privileged: false
 
 service:
   type: ClusterIP

From c9401de30239dcd922e60039c8f638556ed95bc0 Mon Sep 17 00:00:00 2001
From: YuryHrytsuk <yuryhrytsuk@gmail.com>
Date: Mon, 21 Jul 2025 10:17:12 +0200
Subject: [PATCH 2/2] Improve security readme

---
 charts/SECURITY.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/charts/SECURITY.md b/charts/SECURITY.md
index 866cac4d..76330916 100644
--- a/charts/SECURITY.md
+++ b/charts/SECURITY.md
@@ -9,8 +9,8 @@ Full list: https://kubernetes.io/docs/concepts/security/application-security-che
 #### Pod-level securityContext recommendations
 
 Enable pod security standard on namespace level:
-* create namespace with labels https://aro-labs.com/pod-security-standards/
-* configure pod and container security context to satisfy security standards
+* create namespace with labels (examples and explanations https://aro-labs.com/pod-security-standards/)
+* configure pod and container security context to satisfy security standards (read more https://medium.com/dynatrace-engineering/kubernetes-security-part-3-security-context-7d44862c4cfa)
 
 ## Cluster / OPS developers