Feat(#199): hardening cleaner, making desktop a little better

commjoen · commjoen · commit 23db88469200 · 2023-03-08T11:22:41.000+01:00
diff --git a/helm/wrongsecrets-ctf-party/templates/cleanup/cron-job.yaml b/helm/wrongsecrets-ctf-party/templates/cleanup/cron-job.yaml
@@ -20,13 +20,22 @@ spec:
             helm.sh/chart: {{ include "wrongsecrets-ctf-party.chart" . }}
         spec:
           serviceAccountName: 'wrongsecrets-cleaner'
-          {{- with .Values.wrongsecretsCleanup.securityContext }}
           securityContext:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
+            runAsUser: 1000
+            runAsGroup: 3000
+            fsGroup: 2000
           containers:
             - image: '{{ .Values.wrongsecretsCleanup.repository }}:{{ .Values.wrongsecretsCleanup.tag | default (printf "v%s" .Chart.Version) }}'
               imagePullPolicy: {{ .Values.imagePullPolicy | quote }}
+              securityContext:
+                allowPrivilegeEscalation: false
+                readOnlyRootFilesystem: true
+                runAsNonRoot: true
+                capabilities:
+                  drop:
+                    - ALL
+                seccompProfile:
+                  type: RuntimeDefault
               name: 'cleanup-job'
               env:
                 - name: NAMESPACE
diff --git a/helm/wrongsecrets-ctf-party/values.yaml b/helm/wrongsecrets-ctf-party/values.yaml
@@ -221,6 +221,7 @@ virtualdesktop:
   runtimeClassName: {}
   affinity: {}
   # -- Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables)
+
   envFrom: []
   tolerations: []
 
@@ -242,15 +243,6 @@ wrongsecretsCleanup:
       memory: 256Mi
     limits:
       memory: 256Mi
-  securityContext:
-    allowPrivilegeEscalation: false
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    capabilities:
-      drop:
-        - ALL
-    seccompProfile:
-      type: RuntimeDefault
   # -- Optional Configure kubernetes scheduling affinity for the wrongsecretsCleanup Job(see: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity)
   affinity: {}
   # -- Optional Configure kubernetes toleration for the wrongsecretsCleanup Job (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
diff --git a/wrongsecrets-balancer/src/kubernetes.js b/wrongsecrets-balancer/src/kubernetes.js
@@ -35,7 +35,7 @@ const createNameSpaceForTeam = async (team) => {
     labels: {
       name: `t-${team}`,
       'pod-security.kubernetes.io/audit': 'restricted',
-      'pod-security.kubernetes.io/enforce': 'baseline',
+      // 'pod-security.kubernetes.io/enforce': 'baseline',
     },
   };
   k8sCoreApi.createNamespace(namedNameSpace).catch((error) => {
@@ -1097,15 +1097,25 @@ const createDesktopDeploymentForTeam = async ({ team, passcodeHash }) => {
                   'ephemeral-storage': '8Gi',
                 },
               },
-              // resources: get('virtualdesktop.resources'),
+              // // resources: get('virtualdesktop.resources'),
               securityContext: {
                 allowPrivilegeEscalation: true,
                 readOnlyRootFilesystem: false,
                 runAsNonRoot: false,
-                capabilities: { drop: ['ALL'], add:['CAP_SETGID','CAP_SETUID','CAP_CHOWN'] },
-                seccompProfile: { type: 'Unconfined' },
+                //   capabilities: { drop: ['ALL'], add:['CAP_SETGID','CAP_SETUID','CAP_CHOWN'] },
+                seccompProfile: { type: 'RuntimeDefault' },
               },
-              env: [...get('virtualdesktop.env', [])],
+              env: [
+                {
+                  name: 'PUID',
+                  value: '1000',
+                },
+                {
+                  name: 'PGID',
+                  value: '1000',
+                },
+                ...get('virtualdesktop.env', [])
+              ],
               envFrom: get('virtualdesktop.envFrom'),
               ports: [
                 {
