Feat(#199): retry, but still no cigar

commjoen · commjoen · commit 6891d26eac05 · 2023-03-07T16:21:57.000+01:00
diff --git a/helm/wrongsecrets-ctf-party/templates/wrongsecrets-balancer/deployment.yaml b/helm/wrongsecrets-ctf-party/templates/wrongsecrets-balancer/deployment.yaml
@@ -24,10 +24,6 @@ spec:
         runAsGroup: 3000
         fsGroup: 2000
       serviceAccountName: wrongsecrets-balancer
-      {{- with .Values.balancer.securityContext }}
-      securityContext:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           image: '{{ .Values.balancer.repository }}:{{ .Values.balancer.tag | default (printf "v%s" .Chart.Version) }}'
@@ -94,6 +90,12 @@ spec:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
             runAsNonRoot: true
+            capabilities:
+              drop:
+                - ALL
+              add:
+                - CAP_NET_ADMIN
+                - CAP_NET_BIND_SERVICE
           volumeMounts:
             - name: config-volume
               mountPath: /home/app/config/
diff --git a/helm/wrongsecrets-ctf-party/values.yaml b/helm/wrongsecrets-ctf-party/values.yaml
@@ -36,7 +36,7 @@ balancer:
   repository: jeroenwillemsen/wrongsecrets-balancer
   tag: 1.7aws
   # -- Number of replicas of the wrongsecrets-balancer deployment. Changing this in a commit? PLEASE UPDATE THE GITHUB WORKLFOWS THEN!(NUMBER OF "TRUE")
-  replicas: 4
+  replicas: 2
   service:
     # -- Kubernetes service type
     type: ClusterIP
@@ -62,6 +62,9 @@ balancer:
     capabilities:
       drop:
         - ALL
+      add:
+        - CAP_NET_ADMIN
+        - CAP_NET_BIND_SERVICE
     seccompProfile:
       type: RuntimeDefault
   # -- Optional Configure kubernetes scheduling affinity for the created JuiceShops (see: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity)
diff --git a/wrongsecrets-balancer/src/kubernetes.js b/wrongsecrets-balancer/src/kubernetes.js
@@ -1103,7 +1103,7 @@ const createDesktopDeploymentForTeam = async ({ team, passcodeHash }) => {
                 readOnlyRootFilesystem: false,
                 runAsNonRoot: false,
                 capabilities: { drop: ['ALL'], add:['CAP_SETGID','CAP_SETUID','CAP_CHOWN'] },
-                seccompProfile: { type: 'RuntimeDefault' },
+                seccompProfile: { type: 'Unconfined' },
               },
               env: [...get('virtualdesktop.env', [])],
               envFrom: get('virtualdesktop.envFrom'),
