
Commit ee29ddb

committed
feat(chart): Set allowPrivilegeEscalation: false
The container ports needed to be changed to 8080 and 8443 for this purpose. Service ports remain unchanged. The capability NET_BIND_SERVICE is still needed. Otherwise the nginx process cannot even be started, due to the file capability on `/usr/sbin/nginx` in the image. There is no change in the image.
1 parent f1843a9 commit ee29ddb


3 files changed

+38
-26
lines changed


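--- a/chart/tests/__snapshot__/config_test.yaml.snap
+++ b/chart/tests/__snapshot__/config_test.yaml.snap
@@ -7,10 +7,10 @@ should render minimal values:
 base_href: /
 http:
 enabled: true
-port: 80
+port: 8080
 https:
 enabled: false
-port: 443
+port: 8443
 ssl_certificate: /var/run/secrets/tls/tls.crt
 ssl_certificate_key: /var/run/secrets/tls/tls.key
 spa_config: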

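--- a/chart/tests/__snapshot__/deployment_test.yaml.snap
+++ b/chart/tests/__snapshot__/deployment_test.yaml.snap
@@ -20,7 +20,7 @@ should mount tls secret if openshift.route.enabled and openshift.route.tls.termi
 template:
 metadata:
 annotations:
-checksum/config-map: d2cf2f3a678c322f5883feac881f8be66a90c8fd
+checksum/config-map: 43633eff2ae8df4ab6f985258e64f974bb811f35
 labels:
 app.kubernetes.io/component: frontend
 app.kubernetes.io/instance: default
@@ -39,7 +39,7 @@ should mount tls secret if openshift.route.enabled and openshift.route.tls.termi
 port: http
 name: single-page-application
 ports:
-- containerPort: 80
+- containerPort: 8080
 name: http
 protocol: TCP
 readinessProbe:
@@ -54,6 +54,7 @@ should mount tls secret if openshift.route.enabled and openshift.route.tls.termi
 cpu: 100m
 memory: 512Mi
 securityContext:
+allowPrivilegeEscalation: false
 capabilities:
 add:
 - NET_BIND_SERVICE
@@ -117,7 +118,7 @@ should not render replicas if autoscaling is enabled:
 template:
 metadata:
 annotations:
-checksum/config-map: d2cf2f3a678c322f5883feac881f8be66a90c8fd
+checksum/config-map: 43633eff2ae8df4ab6f985258e64f974bb811f35
 labels:
 app.kubernetes.io/component: frontend
 app.kubernetes.io/instance: default
@@ -136,7 +137,7 @@ should not render replicas if autoscaling is enabled:
 port: http
 name: single-page-application
 ports:
-- containerPort: 80
+- containerPort: 8080
 name: http
 protocol: TCP
 readinessProbe:
@@ -151,6 +152,7 @@ should not render replicas if autoscaling is enabled:
 cpu: 100m
 memory: 512Mi
 securityContext:
+allowPrivilegeEscalation: false
 capabilities:
 add:
 - NET_BIND_SERVICE
@@ -207,7 +209,7 @@ should render minimal values:
 template:
 metadata:
 annotations:
-checksum/config-map: d2cf2f3a678c322f5883feac881f8be66a90c8fd
+checksum/config-map: 43633eff2ae8df4ab6f985258e64f974bb811f35
 labels:
 app.kubernetes.io/component: frontend
 app.kubernetes.io/instance: default
@@ -226,7 +228,7 @@ should render minimal values:
 port: http
 name: single-page-application
 ports:
-- containerPort: 80
+- containerPort: 8080
 name: http
 protocol: TCP
 readinessProbe:
@@ -241,6 +243,7 @@ should render minimal values:
 cpu: 100m
 memory: 512Mi
 securityContext:
+allowPrivilegeEscalation: false
 capabilities:
 add:
 - NET_BIND_SERVICE
@@ -297,7 +300,7 @@ should render with affinity:
 template:
 metadata:
 annotations:
-checksum/config-map: d2cf2f3a678c322f5883feac881f8be66a90c8fd
+checksum/config-map: 43633eff2ae8df4ab6f985258e64f974bb811f35
 labels:
 app.kubernetes.io/component: frontend
 app.kubernetes.io/instance: default
@@ -325,7 +328,7 @@ should render with affinity:
 port: http
 name: single-page-application
 ports:
-- containerPort: 80
+- containerPort: 8080
 name: http
 protocol: TCP
 readinessProbe:
@@ -340,6 +343,7 @@ should render with affinity:
 cpu: 100m
 memory: 512Mi
 securityContext:
+allowPrivilegeEscalation: false
 capabilities:
 add:
 - NET_BIND_SERVICE
@@ -396,7 +400,7 @@ should render with extra volume:
 template:
 metadata:
 annotations:
-checksum/config-map: d2cf2f3a678c322f5883feac881f8be66a90c8fd
+checksum/config-map: 43633eff2ae8df4ab6f985258e64f974bb811f35
 labels:
 app.kubernetes.io/component: frontend
 app.kubernetes.io/instance: default
@@ -415,7 +419,7 @@ should render with extra volume:
 port: http
 name: single-page-application
 ports:
-- containerPort: 80
+- containerPort: 8080
 name: http
 protocol: TCP
 readinessProbe:
@@ -430,6 +434,7 @@ should render with extra volume:
 cpu: 100m
 memory: 512Mi
 securityContext:
+allowPrivilegeEscalation: false
 capabilities:
 add:
 - NET_BIND_SERVICE
@@ -493,7 +498,7 @@ should render with nodeSelector:
 template:
 metadata:
 annotations:
-checksum/config-map: d2cf2f3a678c322f5883feac881f8be66a90c8fd
+checksum/config-map: 43633eff2ae8df4ab6f985258e64f974bb811f35
 labels:
 app.kubernetes.io/component: frontend
 app.kubernetes.io/instance: default
@@ -512,7 +517,7 @@ should render with nodeSelector:
 port: http
 name: single-page-application
 ports:
-- containerPort: 80
+- containerPort: 8080
 name: http
 protocol: TCP
 readinessProbe:
@@ -527,6 +532,7 @@ should render with nodeSelector:
 cpu: 100m
 memory: 512Mi
 securityContext:
+allowPrivilegeEscalation: false
 capabilities:
 add:
 - NET_BIND_SERVICE
@@ -585,7 +591,7 @@ should render with pull secret:
 template:
 metadata:
 annotations:
-checksum/config-map: d2cf2f3a678c322f5883feac881f8be66a90c8fd
+checksum/config-map: 43633eff2ae8df4ab6f985258e64f974bb811f35
 labels:
 app.kubernetes.io/component: frontend
 app.kubernetes.io/instance: default
@@ -604,7 +610,7 @@ should render with pull secret:
 port: http
 name: single-page-application
 ports:
-- containerPort: 80
+- containerPort: 8080
 name: http
 protocol: TCP
 readinessProbe:
@@ -619,6 +625,7 @@ should render with pull secret:
 cpu: 100m
 memory: 512Mi
 securityContext:
+allowPrivilegeEscalation: false
 capabilities:
 add:
 - NET_BIND_SERVICE
@@ -677,7 +684,7 @@ should render with tolerations:
 template:
 metadata:
 annotations:
-checksum/config-map: d2cf2f3a678c322f5883feac881f8be66a90c8fd
+checksum/config-map: 43633eff2ae8df4ab6f985258e64f974bb811f35
 labels:
 app.kubernetes.io/component: frontend
 app.kubernetes.io/instance: default
@@ -696,7 +703,7 @@ should render with tolerations:
 port: http
 name: single-page-application
 ports:
-- containerPort: 80
+- containerPort: 8080
 name: http
 protocol: TCP
 readinessProbe:
@@ -711,6 +718,7 @@ should render with tolerations:
 cpu: 100m
 memory: 512Mi
 securityContext:
+allowPrivilegeEscalation: false
 capabilities:
 add:
 - NET_BIND_SERVICE
@@ -771,7 +779,7 @@ should support alternative http port:
 template:
 metadata:
 annotations:
-checksum/config-map: a65dc1dcf5388bced1711c8a1233763c4cfb3441
+checksum/config-map: 43633eff2ae8df4ab6f985258e64f974bb811f35
 labels:
 app.kubernetes.io/component: frontend
 app.kubernetes.io/instance: default
@@ -805,6 +813,7 @@ should support alternative http port:
 cpu: 100m
 memory: 512Mi
 securityContext:
+allowPrivilegeEscalation: false
 capabilities:
 add:
 - NET_BIND_SERVICE
@@ -861,7 +870,7 @@ should support alternative https port:
 template:
 metadata:
 annotations:
-checksum/config-map: dce4af80cd48a768c53dfab8d2832b9a29701d5e
+checksum/config-map: d1faa34c3b94b214e37c114b061939cf7d75d9d5
 labels:
 app.kubernetes.io/component: frontend
 app.kubernetes.io/instance: default
@@ -880,7 +889,7 @@ should support alternative https port:
 port: http
 name: single-page-application
 ports:
-- containerPort: 80
+- containerPort: 8080
 name: http
 protocol: TCP
 - containerPort: 8443
@@ -898,6 +907,7 @@ should support alternative https port:
 cpu: 100m
 memory: 512Mi
 securityContext:
+allowPrivilegeEscalation: false
 capabilities:
 add:
 - NET_BIND_SERVICE
@@ -954,7 +964,7 @@ should support enabling https:
 template:
 metadata:
 annotations:
-checksum/config-map: 321726841793faccc874ccca587d3c1092e28a33
+checksum/config-map: d1faa34c3b94b214e37c114b061939cf7d75d9d5
 labels:
 app.kubernetes.io/component: frontend
 app.kubernetes.io/instance: default
@@ -973,10 +983,10 @@ should support enabling https:
 port: http
 name: single-page-application
 ports:
-- containerPort: 80
+- containerPort: 8080
 name: http
 protocol: TCP
-- containerPort: 443
+- containerPort: 8443
 name: https
 protocol: TCP
 readinessProbe:
@@ -991,6 +1001,7 @@ should support enabling https:
 cpu: 100m
 memory: 512Mi
 securityContext:
+allowPrivilegeEscalation: false
 capabilities:
 add:
 - NET_BIND_SERVICE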

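--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -10,10 +10,10 @@ config:
 endpoints: {}
 http:
 enabled: true
-port: 80
+port: 8080
 https:
 enabled: false
-port: 443
+port: 8443
 ssl_certificate: /var/run/secrets/tls/tls.crt
 ssl_certificate_key: /var/run/secrets/tls/tls.key
 
@@ -57,6 +57,7 @@ pod:
 - NET_BIND_SERVICE
 readOnlyRootFilesystem: true
 runAsNonRoot: true
+allowPrivilegeEscalation: false
 livenessProbe:
 httpGet:
 path: /health/liveness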
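Review bot: The new `allowPrivilegeEscalation: false` in the second hunk and the 80→8080 / 443→8443 defaults in the first hunk depend on each other, yet values.yaml records neither why the defaults are unprivileged ports nor why `NET_BIND_SERVICE` must stay in `capabilities.add` when nothing binds a port below 1024 any more; that rationale lives only in the commit message, so a later cleanup that drops the capability or moves the ports back would break nginx startup with no hint in the file. I would add above `port: 8080` the comment `# Unprivileged listen port: the pod runs with allowPrivilegeEscalation: false (see pod.securityContext), which is why the container no longer listens on 80/443; the Service port is unaffected`, and above `- NET_BIND_SERVICE` the comment `# Still required although no privileged port is bound: the nginx binary in the image carries a file capability and does not start without it`. The `securityContext` mapping that holds `capabilities` and the new key begins above the second hunk, so the placement of the added line relative to `capabilities` cannot be checked here.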
