From 3ec606ee0c2bc50face16f2930459cc19fba79e4 Mon Sep 17 00:00:00 2001
From: Daniel Jankowski
Date: Wed, 26 Jun 2024 11:47:43 +0200
Subject: [PATCH 1/4] feat: add containerSecurityContext for team-edition
---
 charts/mattermost-team-edition/templates/deployment.yaml | 8 ++++++++
 charts/mattermost-team-edition/values.yaml | 6 ++++++
 2 files changed, 14 insertions(+)
diff --git a/charts/mattermost-team-edition/templates/deployment.yaml b/charts/mattermost-team-edition/templates/deployment.yaml
index 488127a9..bead0cbc 100644
--- a/charts/mattermost-team-edition/templates/deployment.yaml
+++ b/charts/mattermost-team-edition/templates/deployment.yaml
@@ -54,6 +54,10 @@ spec:
 image: "{{ .Values.initContainerImage.repository }}:{{ .Values.initContainerImage.tag }}"
 imagePullPolicy: {{ .Values.initContainerImage.imagePullPolicy }}
 command: ["sh", "-c", "until curl --max-time 10 http://{{ .Release.Name }}-mysql:3306; do echo waiting for {{ .Release.Name }}-mysql; sleep 5; done;"]
+ {{- if .Values.containerSecurityContext }}
+ securityContext:
+ {{- toYaml .Values.containerSecurityContext | nindent 10 }}
+ {{- end }}
 {{- end }}
 {{- if .Values.extraInitContainers }}
 {{- .Values.extraInitContainers | toYaml | nindent 6 }}
@@ -95,6 +99,10 @@ spec:
 httpGet:
 path: /api/v4/system/ping
 port: http
+ {{- if .Values.containerSecurityContext }}
+ securityContext:
+ {{- toYaml .Values.containerSecurityContext | nindent 10 }}
+ {{- end }}
 volumeMounts:
 - mountPath: /mattermost/config
 name: mattermost-config
diff --git a/charts/mattermost-team-edition/values.yaml b/charts/mattermost-team-edition/values.yaml
index 3da87787..6e1c768e 100644
--- a/charts/mattermost-team-edition/values.yaml
+++ b/charts/mattermost-team-edition/values.yaml
@@ -217,6 +217,12 @@ securityContext:
 # runAsGroup: 2000
 # runAsUser: 2000
+containerSecurityContext:
 # runAsNonRoot: true
 # allowPrivilegeEscalation: false
 # capabilities:
 # drop: ['ALL']
+
 serviceAccount:
 create: false
 name: 
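Review bot: The `securityContext` added to the mysql-wait init container in the first deployment.yaml hunk is driven by the same `containerSecurityContext` value as the Mattermost container in the second hunk, although the init container runs `initContainerImage`, a different image. A setting such as `runAsNonRoot: true` without `runAsUser` is checked by the kubelet against the image's own user, so if the init image runs as root or declares a non-numeric user, that container is rejected and the pod never starts, even when the same setting is correct for the app image. Either give init containers their own knob, e.g. `{{- with .Values.initContainerSecurityContext }}` backed by its own values entry, or state in values.yaml that the context is applied to init containers as well and that `runAsUser` must be set whenever `runAsNonRoot` is enabled. The same sharing occurs in patch 2 for `init-mysql` in deployment-mattermost-app.yaml and for the wait container in deployment-mattermost-jobserver.yaml.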
From 5f9e021a6fe77cc5557cce36a2aedabde1052d6b Mon Sep 17 00:00:00 2001
From: Daniel Jankowski
Date: Wed, 26 Jun 2024 11:48:38 +0200
Subject: [PATCH 2/4] feat: add containerSecurityContext for enterprise-edition
---
 .../templates/deployment-mattermost-app.yaml | 8 ++++++++
 .../templates/deployment-mattermost-jobserver.yaml | 8 ++++++++
 charts/mattermost-enterprise-edition/values.yaml | 6 ++++++
 3 files changed, 22 insertions(+)
diff --git a/charts/mattermost-enterprise-edition/templates/deployment-mattermost-app.yaml b/charts/mattermost-enterprise-edition/templates/deployment-mattermost-app.yaml
index 467ef8d0..a032ace4 100644
--- a/charts/mattermost-enterprise-edition/templates/deployment-mattermost-app.yaml
+++ b/charts/mattermost-enterprise-edition/templates/deployment-mattermost-app.yaml
@@ -72,6 +72,10 @@ spec:
 - name: init-mysql
 image: "{{ .Values.initContainerImage.repository }}:{{ .Values.initContainerImage.tag }}"
 imagePullPolicy: {{ .Values.initContainerImage.imagePullPolicy }}
+ {{- if .Values.mattermostApp.containerSecurityContext }}
+ securityContext:
+ {{- toYaml .Values.mattermostApp.containerSecurityContext | nindent 10 }}
+ {{- end }}
 command: [
 "sh",
 "-c",
@@ -161,6 +165,10 @@ spec:
 httpGet:
 path: /api/v4/system/ping
 port: {{ .Values.mattermostApp.service.internalPort }}
+ {{- if .Values.mattermostApp.containerSecurityContext }}
+ securityContext:
+ {{- toYaml .Values.mattermostApp.containerSecurityContext | nindent 10 }}
+ {{- end }}
 volumeMounts:
 {{- if .Values.global.existingLicenseSecret.name }}
 - mountPath: /mattermost/{{.Values.global.existingLicenseSecret.key }}
diff --git a/charts/mattermost-enterprise-edition/templates/deployment-mattermost-jobserver.yaml b/charts/mattermost-enterprise-edition/templates/deployment-mattermost-jobserver.yaml
index 8f86fc6a..3d2b9c77 100644
--- a/charts/mattermost-enterprise-edition/templates/deployment-mattermost-jobserver.yaml 
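Review bot: In the deployment-mattermost-app.yaml hunk starting at `- name: init-mysql`, the securityContext is inserted for that one init container only; the init container list is cut at the hunk edge, so if the template declares further init containers outside this hunk they keep running with no securityContext, and a namespace enforcing the Pod Security `restricted` profile would reject the pod on those containers while these pass. Worth confirming with `helm template` rendered against such a namespace. A more robust shape is a single named template in `_helpers.tpl`, e.g. `{{- define "mattermost-enterprise-edition.containerSecurityContext" -}}` wrapping the guard and `toYaml`, included from every container in the app and jobserver templates so a container added later cannot miss it.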
+++ b/charts/mattermost-enterprise-edition/templates/deployment-mattermost-jobserver.yaml
@@ -60,6 +60,10 @@ spec:
 "-c",
 "until curl --max-time 5 http://{{ include "mattermost-enterprise-edition.fullname" . }}.{{ .Release.Namespace }}:{{ .Values.mattermostApp.service.internalPort }}/api/v4/system/ping ; do echo waiting for Mattermost App come up; sleep 5; done; echo init-mattermost-app finished"
 ]
+ {{- if .Values.mattermostApp.containerSecurityContext }}
+ securityContext:
+ {{- toYaml .Values.mattermostApp.containerSecurityContext | nindent 10 }}
+ {{- end }}
 containers:
 - name: {{ include "mattermost-enterprise-edition.name" . }}-jobserver
 image: "{{ .Values.mattermostApp.image.repository }}:{{ .Values.mattermostApp.image.tag }}"
@@ -79,6 +83,10 @@ spec:
 {{- with .Values.global.features.jobserver.extraEnv }}
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if .Values.mattermostApp.containerSecurityContext }}
+ securityContext:
+ {{- toYaml .Values.mattermostApp.containerSecurityContext | nindent 10 }}
+ {{- end }}
 volumeMounts:
 {{- if .Values.global.existingLicenseSecret.name }}
 - mountPath: /mattermost/{{.Values.global.existingLicenseSecret.key }}
diff --git a/charts/mattermost-enterprise-edition/values.yaml b/charts/mattermost-enterprise-edition/values.yaml
index fb09a91d..4acace45 100644
--- a/charts/mattermost-enterprise-edition/values.yaml
+++ b/charts/mattermost-enterprise-edition/values.yaml
@@ -195,6 +195,12 @@ mattermostApp:
 # runAsGroup: 2000
 # runAsUser: 2000
+ containerSecurityContext:
 # runAsNonRoot: true
 # allowPrivilegeEscalation: false
 # capabilities:
 # drop: ['ALL']
+
 resources: {}
 # limits:
 # cpu: 100m
From b67b5671fb1560443ab70c01de123fb7e428a88b Mon Sep 17 00:00:00 2001 
From: Daniel Jankowski
Date: Wed, 26 Jun 2024 18:28:51 +0200
Subject: [PATCH 3/4] chore: add comments for containerSecurityContext
---
 charts/mattermost-enterprise-edition/values.yaml | 2 ++
 charts/mattermost-team-edition/values.yaml | 10 ++++++----
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/charts/mattermost-enterprise-edition/values.yaml b/charts/mattermost-enterprise-edition/values.yaml
index 4acace45..7210409a 100644
--- a/charts/mattermost-enterprise-edition/values.yaml
+++ b/charts/mattermost-enterprise-edition/values.yaml
@@ -195,6 +195,8 @@ mattermostApp:
 # runAsGroup: 2000
 # runAsUser: 2000
+## Container Security Context
+## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 containerSecurityContext:
 # runAsNonRoot: true
 # allowPrivilegeEscalation: false
diff --git a/charts/mattermost-team-edition/values.yaml b/charts/mattermost-team-edition/values.yaml
index 6e1c768e..ac8ff27f 100644
--- a/charts/mattermost-team-edition/values.yaml
+++ b/charts/mattermost-team-edition/values.yaml
@@ -217,11 +217,13 @@ securityContext:
 # runAsGroup: 2000
 # runAsUser: 2000
+## Container Security Context
+## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 containerSecurityContext:
- # runAsNonRoot: true
- # allowPrivilegeEscalation: false
- # capabilities:
- # drop: ['ALL']
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ['ALL']
 serviceAccount:
 create: false
From 781ffd2a16ff3506e42bb15ff9f45f8df98ceb8f Mon Sep 17 00:00:00 2001
From: Daniel Jankowski
Date: Wed, 26 Jun 2024 18:34:03 +0200
Subject: [PATCH 4/4] chore: comment out default containerSecurityContext
---
 charts/mattermost-team-edition/values.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/charts/mattermost-team-edition/values.yaml b/charts/mattermost-team-edition/values.yaml
index ac8ff27f..e293b9b2 100644
--- a/charts/mattermost-team-edition/values.yaml 
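Review bot: In the mattermost-enterprise-edition values.yaml hunk of patch 3, the two added `## Container Security Context` and `## Ref:` lines appear to sit at column 0 (no space follows the `+` in this rendering), while the key they describe, `containerSecurityContext`, is nested under `mattermostApp:` as the earlier hunk's `+ containerSecurityContext:` showed. YAML accepts a comment at any column, but a comment is conventionally placed at the indentation of the line it describes, and a flush-left header inside a nested mapping reads as if it introduced a new top-level key. Indent both comment lines to match `containerSecurityContext:`; if the indentation was only lost in this view, disregard.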
+++ b/charts/mattermost-team-edition/values.yaml
@@ -220,10 +220,10 @@ securityContext:
 ## Container Security Context
 ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 containerSecurityContext:
- runAsNonRoot: true
- allowPrivilegeEscalation: false
- capabilities:
- drop: ['ALL']
+ # runAsNonRoot: true
+ # allowPrivilegeEscalation: false
+ # capabilities:
+ # drop: ['ALL']
 serviceAccount:
 create: false
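Review bot: With every child of `containerSecurityContext` commented out again, the key renders as null and the `{{- if }}` guards in the templates emit no securityContext, so the chart ships no container-level hardening by default, yet the header above the key does not say why the example is disabled or what enabling it requires. Add a line such as `## Empty by default; enabling runAsNonRoot requires the image to run as a numeric non-root UID (set runAsUser, e.g. 2000, alongside it).` The commented example also stops one field short of the Pod Security Standards `restricted` profile, which additionally requires a seccomp profile of `RuntimeDefault` or `Localhost` at pod or container level; adding `# seccompProfile:` and `#   type: RuntimeDefault` to the example keeps it aligned with that profile.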