Merge pull request #622 from snyk/fix/volume-mount-permissions

Fix/volume mount permissions

Author: ivanstanev

snyk-monitor/templates/deployment.yaml

@@ -23,10 +23,18 @@ spec:
       initContainers:
         - name: volume-permissions
           image: "{{ .Values.initContainerImage.repository }}:{{ .Values.initContainerImage.tag }}"
-          command : ['sh', '-c', 'chmod -R 777 /var/tmp']
+          command : ['sh', '-c', 'chmod -R g+rwX /var/tmp || true']
           volumeMounts:
             - name: temporary-storage
               mountPath: "/var/tmp"
+          securityContext:
+            privileged: false
+            runAsNonRoot: false
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+                - ALL
       containers:
         - name: {{ include "snyk-monitor.name" . }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"

test/fixtures/operator/custom-resource-k8s.yaml

@@ -5,3 +5,4 @@ metadata:
   namespace: marketplace
 spec:
   integrationApi: https://kubernetes-upstream.dev.snyk.io
+  temporaryStorageSize: 20Gi

test/fixtures/operator/custom-resource.yaml

@@ -5,3 +5,4 @@ metadata:
   namespace: snyk-monitor
 spec:
   integrationApi: https://kubernetes-upstream.dev.snyk.io
+  temporaryStorageSize: 20Gi

test/setup/deployers/helm.ts

@@ -32,6 +32,7 @@ async function deployKubernetesMonitor(
       '--set integrationApi=https://kubernetes-upstream.dev.snyk.io ' +
       '--set nodeSelector."kubernetes\\.io/os"=linux ' +
       '--set psp.enabled=true ' + 
+      '--set pvc.enabled=true ' +
       '--set log_level="INFO"'
   );
   console.log(`Deployed ${imageOptions.nameAndTag} with pull policy ${imageOptions.pullPolicy}`);