diff --git a/CHANGELOG.md b/CHANGELOG.md
index 61b2c4b61d..7efca61c16 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,10 @@ and this project adheres to
 
 ## [Unreleased]
 
+### Added
+
+- 🔒(helm) Set default security context
+
 ## [4.2.0] - 2025-12-17
 
 ### Added
diff --git a/src/helm/impress/templates/backend_cronjob_list.yaml b/src/helm/impress/templates/backend_cronjob_list.yaml
index 5593eb3ad7..73dbc1f8a8 100644
--- a/src/helm/impress/templates/backend_cronjob_list.yaml
+++ b/src/helm/impress/templates/backend_cronjob_list.yaml
@@ -42,9 +42,20 @@ items:
 {{- if $envVars}}
 {{- $envVars | indent 22 }}
 {{- end }}
- {{- with $.Values.backend.securityContext }}
+ {{- if .Values.backend.securityContext }}
+ {{- with .Values.backend.securityContext }}
 securityContext:
- {{- toYaml . | nindent 22 }}
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- else }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 {{- end }}
 {{- with $.Values.backend.resources }}
 resources:
diff --git a/src/helm/impress/templates/backend_deployment.yaml b/src/helm/impress/templates/backend_deployment.yaml
index a60b791dad..0a9fdf5fa4 100644
--- a/src/helm/impress/templates/backend_deployment.yaml
+++ b/src/helm/impress/templates/backend_deployment.yaml
@@ -53,10 +53,20 @@ spec:
 {{- if $envVars}}
 {{- $envVars | indent 12 }}
 {{- end }}
+ {{- if .Values.backend.securityContext }}
 {{- with .Values.backend.securityContext }}
 securityContext:
 {{- toYaml . | nindent 12 }}
 {{- end }}
+ {{- else }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 ports:
 - name: http
 containerPort: {{ .Values.backend.service.targetPort }}
diff --git a/src/helm/impress/templates/backend_job.yml b/src/helm/impress/templates/backend_job.yml
index 4888a904aa..6b7d35b616 100644
--- a/src/helm/impress/templates/backend_job.yml
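Review bot: Dropping the `$` in the new `{{- if .Values.backend.securityContext }}` and `{{- with .Values.backend.securityContext }}` lines breaks the lookup if this block is inside a `range`, which the removed `$.Values.backend.securityContext` and the untouched `{{- with $.Values.backend.resources }}` two lines below strongly suggest; inside `range` the dot is the loop item, so `.Values` does not resolve to the chart values and, depending on the item type, the template either fails to render or silently falls through to the default block. Both lines should read `$.Values.backend.securityContext`. The replacement `{{- toYaml . | nindent 12 }}` also changes the depth from the 22 used by the removed line and by the adjacent `$envVars | indent 22`, so a user-supplied context would no longer line up with the rest of the container spec unless the hard-coded default block was indented to match, which this collapsed view cannot show; `nindent 22` looks like the value to keep here. The enclosing `range`/container block starts and ends outside the hunk.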
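Review bot: The `{{- if .Values.backend.securityContext }}` added at the top of this hunk is never closed: the only `{{- end }}` in the hunk is the pre-existing one that closes the inner `with`, and after the `{{- else }}` default block the template continues straight into `ports:`, so the file should fail to parse with an unexpected EOF. yprovider_deployment.yaml in the same commit gets this right by adding `{{- end }}` after `type: RuntimeDefault` (its hunk is one line longer, `+53,21`). The same missing `{{- end }}` is in backend_job.yml, backend_job_createsuperuser.yaml, backend_job_migrate.yaml, celery_worker_deployment.yaml and frontend_deployment.yaml. Since `with` already skips an empty value, the outer `if` is redundant; `{{- with .Values.backend.securityContext }} … {{- else }} … {{- end }}` expresses the same choice with a single block and only one `end` to forget. The container block this sits in starts and ends outside the hunk.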
+++ b/src/helm/impress/templates/backend_job.yml
@@ -48,10 +48,20 @@ spec:
 {{- if $envVars}}
 {{- $envVars | indent 12 }}
 {{- end }}
+ {{- if .Values.backend.securityContext }}
 {{- with .Values.backend.securityContext }}
 securityContext:
 {{- toYaml . | nindent 12 }}
 {{- end }}
+ {{- else }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 {{- with .Values.backend.resources }}
 resources:
 {{- toYaml . | nindent 12 }}
diff --git a/src/helm/impress/templates/backend_job_createsuperuser.yaml b/src/helm/impress/templates/backend_job_createsuperuser.yaml
index 0096483ccd..89246dd0a9 100644
--- a/src/helm/impress/templates/backend_job_createsuperuser.yaml
+++ b/src/helm/impress/templates/backend_job_createsuperuser.yaml
@@ -52,10 +52,20 @@ spec:
 {{- if $envVars}}
 {{- $envVars | indent 12 }}
 {{- end }}
+ {{- if .Values.backend.securityContext }}
 {{- with .Values.backend.securityContext }}
 securityContext:
 {{- toYaml . | nindent 12 }}
 {{- end }}
+ {{- else }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 {{- with .Values.backend.resources }}
 resources:
 {{- toYaml . | nindent 12 }}
diff --git a/src/helm/impress/templates/backend_job_migrate.yaml b/src/helm/impress/templates/backend_job_migrate.yaml
index 99e58ba110..df409106d5 100644
--- a/src/helm/impress/templates/backend_job_migrate.yaml
+++ b/src/helm/impress/templates/backend_job_migrate.yaml
@@ -52,10 +52,20 @@ spec:
 {{- if $envVars}}
 {{- $envVars | indent 12 }}
 {{- end }}
+ {{- if .Values.backend.securityContext }}
 {{- with .Values.backend.securityContext }}
 securityContext:
 {{- toYaml . | nindent 12 }}
 {{- end }}
+ {{- else }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 {{- with .Values.backend.resources }}
 resources:
 {{- toYaml . | nindent 12 }}
diff --git a/src/helm/impress/templates/celery_worker_deployment.yaml b/src/helm/impress/templates/celery_worker_deployment.yaml
index 3fc278b0b2..092cca1706 100644
--- a/src/helm/impress/templates/celery_worker_deployment.yaml
+++ b/src/helm/impress/templates/celery_worker_deployment.yaml
@@ -53,10 +53,20 @@ spec:
 {{- if $envVars}}
 {{- $envVars | indent 12 }}
 {{- end }}
+ {{- if .Values.backend.securityContext }}
 {{- with .Values.backend.securityContext }}
 securityContext:
 {{- toYaml . | nindent 12 }}
 {{- end }}
+ {{- else }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 ports:
 - name: http
 containerPort: {{ .Values.backend.service.targetPort }}
diff --git a/src/helm/impress/templates/frontend_deployment.yaml b/src/helm/impress/templates/frontend_deployment.yaml
index 584d26452b..91efa6d823 100644
--- a/src/helm/impress/templates/frontend_deployment.yaml
+++ b/src/helm/impress/templates/frontend_deployment.yaml
@@ -53,10 +53,20 @@ spec:
 {{- if $envVars}}
 {{- $envVars | indent 12 }}
 {{- end }}
+ {{- if .Values.frontend.securityContext }}
 {{- with .Values.frontend.securityContext }}
 securityContext:
 {{- toYaml . | nindent 12 }}
 {{- end }}
+ {{- else }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 ports:
 - name: http
 containerPort: {{ .Values.frontend.service.targetPort }}
diff --git a/src/helm/impress/templates/yprovider_deployment.yaml b/src/helm/impress/templates/yprovider_deployment.yaml
index c920037c58..d749f74988 100644
--- a/src/helm/impress/templates/yprovider_deployment.yaml
+++ b/src/helm/impress/templates/yprovider_deployment.yaml
@@ -53,10 +53,21 @@ spec:
 {{- if $envVars}}
 {{- $envVars | indent 12 }}
 {{- end }}
+ {{- if .Values.yProvider.securityContext }}
 {{- with .Values.yProvider.securityContext }}
 securityContext:
 {{- toYaml . | nindent 12 }}
 {{- end }}
+ {{- else }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ {{- end }}
 ports:
 - name: http
 containerPort: {{ .Values.yProvider.service.targetPort }}
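Review bot: With the new `{{- if .Values.yProvider.securityContext }}` / `{{- else }}` split, a user who sets any value at all, say only `runAsUser`, replaces the whole default block and silently loses `allowPrivilegeEscalation: false`, the `drop: - "ALL"` and the seccomp profile; the same all-or-nothing override is in every template touched by this commit. Merging the override over the defaults (for example a `dict` of the default keys combined with the user values via `mustMergeOverwrite` and emitted with `toYaml`) would keep the hardening unless a key is explicitly overridden. Separately, `runAsNonRoot: true` is now on by default without a `runAsUser`, so the kubelet refuses to start any of these containers whose image runs as root (CreateContainerConfigError); if the shipped images are not known to declare a non-root `USER`, that is an upgrade-breaking change worth a sentence in the CHANGELOG entry and in the chart's values documentation.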