🔒 (tandoor): Run as non-root container

gabe565 · Mar 26, 2023 · b582a66 · b582a66
1 parent 0d13340
commit b582a66
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 3 deletions.
diff --git a/charts/tandoor/Chart.yaml b/charts/tandoor/Chart.yaml
@@ -4,7 +4,7 @@ description: Application for managing recipes, planning meals, building shopping
 home: https://charts.gabe565.com/charts/tandoor
 icon: https://raw.githubusercontent.com/vabene1111/recipes/master/docs/logo_color.svg
 type: application
-version: 0.4.6
+version: 0.5.0
 # renovate datasource=docker depName=vabene1111/recipes
 appVersion: 1.4.8
 kubeVersion: ">=1.22.0-0"
@@ -29,4 +29,6 @@ sources:
 annotations:
   artifacthub.io/changes: |-
     - kind: changed
-      description: Update vabene1111/recipes Docker tag to v1.4.8
+      description: Run as non-root container
+    - kind: added
+      description: Add django-js-reverse emptyDir volume
diff --git a/charts/tandoor/README.md b/charts/tandoor/README.md
@@ -2,7 +2,7 @@
 
 <img src="https://raw.githubusercontent.com/vabene1111/recipes/master/docs/logo_color.svg" align="right" width="92" alt="tandoor logo">
 
-![Version: 0.4.6](https://img.shields.io/badge/Version-0.4.6-informational?style=flat)
+![Version: 0.5.0](https://img.shields.io/badge/Version-0.5.0-informational?style=flat)
 ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat)
 ![AppVersion: 1.4.8](https://img.shields.io/badge/AppVersion-1.4.8-informational?style=flat)
 
@@ -92,6 +92,9 @@ N/A
 | image.tag | string | `"1.4.8"` | image tag |
 | ingress.main | object | See [values.yaml](./values.yaml) | Enable and configure ingress settings for the chart under this key. |
 | persistence | object | See [values.yaml](./values.yaml) | Configure persistence settings for the chart under this key. |
+| podSecurityContext.fsGroup | int | `65534` | Volume binds will be granted to `nobody` group |
+| podSecurityContext.runAsGroup | int | `65534` | Run as `nobody` group |
+| podSecurityContext.runAsUser | int | `65534` | Run as `nobody` user |
 | postgresql | object | See [values.yaml](./values.yaml) | Enable and configure postgresql database subchart under this key. [[ref]](https://github.com/bitnami/charts/tree/master/bitnami/mariadb) |
 | service.main | object | See [values.yaml](./values.yaml) | Configures service settings for the chart. |
 

diff --git a/charts/tandoor/templates/common.yaml b/charts/tandoor/templates/common.yaml
@@ -49,6 +49,9 @@ sidecars:
     ports:
       - containerPort: {{ .Values.service.main.ports.static.port }}
         name: static
+    securityContext:
+      runAsUser: 0
+      runAsGroup: 0
     volumeMounts:
       - name: nginx-config
         mountPath: /etc/nginx/conf.d/default.conf

diff --git a/charts/tandoor/values.yaml b/charts/tandoor/values.yaml
@@ -59,6 +59,10 @@ persistence:
     enabled: true
     type: emptyDir
     mountPath: /opt/recipes/staticfiles
+  django-js-reverse:
+    enabled: true
+    type: emptyDir
+    mountPath: /opt/recipes/cookbook/static/django_js_reverse
 
 # -- Enable and configure postgresql database subchart under this key. [[ref]](https://github.com/bitnami/charts/tree/master/bitnami/mariadb)
 # @default -- See [values.yaml](./values.yaml)
@@ -72,3 +76,11 @@ postgresql:
       enabled: false
       # storageClass: ""
       # size: 8Gi
+
+podSecurityContext:
+  # -- Run as `nobody` user
+  runAsUser: 65534
+  # -- Run as `nobody` group
+  runAsGroup: 65534
+  # -- Volume binds will be granted to `nobody` group
+  fsGroup: 65534