This is an automated email from the ASF dual-hosted git repository.
adutra pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/polaris.git
The following commit(s) were added to refs/heads/main by this push:
new fcdb4bd4 Helm chart: enforce strong security contexts by default
(#1080)
fcdb4bd4 is described below
commit fcdb4bd4f00d08002d5b82cbbe0e458df912cf70
Author: Alexandre Dutra <[email protected]>
AuthorDate: Fri Feb 28 09:43:19 2025 +0100
Helm chart: enforce strong security contexts by default (#1080)
This change enforces a strong default security context for both the pod and
the container. Polaris default Docker images are compatible with such contexts.
---
helm/polaris/README.md | 6 ++++--
helm/polaris/tests/deployment_test.yaml | 36 ++++++++++++++++++++++++---------
helm/polaris/values.yaml | 21 ++++++++++---------
3 files changed, 42 insertions(+), 21 deletions(-)
diff --git a/helm/polaris/README.md b/helm/polaris/README.md
index 9ac6eb43..617848a4 100644
--- a/helm/polaris/README.md
+++ b/helm/polaris/README.md
@@ -148,7 +148,8 @@ helm uninstall --namespace polaris polaris
| autoscaling.targetCPUUtilizationPercentage | int | `80` | Optional; set to
zero or empty to disable. |
| autoscaling.targetMemoryUtilizationPercentage | string | `nil` | Optional;
set to zero or empty to disable. |
| configMapLabels | object | `{}` | Additional Labels to apply to polaris
configmap. |
-| containerSecurityContext | object | `{}` | Security context for the polaris
container. See
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/. |
+| containerSecurityContext | object |
`{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"runAsNonRoot":true,"runAsUser":10000,"seccompProfile":{"type":"RuntimeDefault"}}`
| Security context for the polaris container. See
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/. |
+| containerSecurityContext.runAsUser | int | `10000` | UID 10000 is compatible
with Polaris OSS default images; change this if you are using a different
image. |
| cors | object |
`{"accessControlAllowCredentials":null,"accessControlMaxAge":null,"allowedHeaders":[],"allowedMethods":[],"allowedOrigins":[],"exposedHeaders":[]}`
| Polaris CORS configuration. |
| cors.accessControlAllowCredentials | string | `nil` | The
`Access-Control-Allow-Credentials` response header. The value of this header
will default to `true` if `allowedOrigins` property is set and there is a match
with the precise `Origin` header. |
| cors.accessControlMaxAge | string | `nil` | The `Access-Control-Max-Age`
response header value indicating how long the results of a pre-flight request
can be cached. Must be a valid duration. |
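Review bot: The `containerSecurityContext` row now shows a non-empty default but does not say how overrides interact with it. Because Helm merges user-supplied values into the default map, setting only `runAsUser` keeps `allowPrivilegeEscalation`, `capabilities`, `runAsNonRoot` and `seccompProfile`, and a user who needs to drop one of them has to set that key to `null`. That deserves one sentence in the description, since before this change the default was `{}` and an override was the whole context.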
@@ -230,7 +231,8 @@ helm uninstall --namespace polaris polaris
| persistence.type | string | `"eclipse-link"` | The type of persistence to
use. Two built-in types are supported: in-memory and eclipse-link. |
| podAnnotations | object | `{}` | Annotations to apply to polaris pods. |
| podLabels | object | `{}` | Additional Labels to apply to polaris pods. |
-| podSecurityContext | object | `{}` | Security context for the polaris pod.
See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/.
|
+| podSecurityContext | object |
`{"fsGroup":10001,"seccompProfile":{"type":"RuntimeDefault"}}` | Security
context for the polaris pod. See
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/. |
+| podSecurityContext.fsGroup | int | `10001` | GID 10001 is compatible with
Polaris OSS default images; change this if you are using a different image. |
| rateLimiter | object |
`{"tokenBucket":{"requestsPerSecond":9999,"type":"default","window":"PT10S"},"type":"no-op"}`
| Polaris rate limiter configuration. |
| rateLimiter.tokenBucket | object |
`{"requestsPerSecond":9999,"type":"default","window":"PT10S"}` | The
configuration for the default rate limiter, which uses the token bucket
algorithm with one bucket per realm. |
| rateLimiter.tokenBucket.requestsPerSecond | int | `9999` | The maximum
number of requests per second allowed for each realm. |
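Review bot: The `podSecurityContext.fsGroup` row gives GID 10001 while the `containerSecurityContext.runAsUser` row gives UID 10000, and neither row says the two belong together. Suggest stating in this description that `fsGroup` and `containerSecurityContext.runAsUser` both need to be revisited when a different image is used, so a reader does not update one and leave the other.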
diff --git a/helm/polaris/tests/deployment_test.yaml
b/helm/polaris/tests/deployment_test.yaml
index 802ada10..1d457ade 100644
--- a/helm/polaris/tests/deployment_test.yaml
+++ b/helm/polaris/tests/deployment_test.yaml
@@ -232,19 +232,23 @@ tests:
value: polaris-sa
# spec.template.spec.securityContext
- - it: should not set securityContext by default
+ - it: should set securityContext by default
asserts:
- - notExists:
+ - isSubset:
path: spec.template.spec.securityContext
- - it: should set securityContext
+ content:
+ fsGroup: 10001
+ seccompProfile:
+ type: RuntimeDefault
+ - it: should set custom securityContext
set:
podSecurityContext:
- runAsUser: 1000
+ fsGroup: 1234
asserts:
- isSubset:
path: spec.template.spec.securityContext
content:
- runAsUser: 1000
+ fsGroup: 1234
# spec.template.spec.containers
- it: should set container name
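Review bot: In "should set custom securityContext" the expected `content` lists only `fsGroup: 1234`, and `isSubset` passes whether or not the default `seccompProfile` is still rendered. If an override is meant to merge with the defaults, add `seccompProfile` with `type: RuntimeDefault` to the expected content so the test pins that behaviour.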
@@ -254,19 +258,31 @@ tests:
value: polaris
# spec.template.spec.containers[0].securityContext
- - it: should not set container securityContext by default
+ - it: should set container securityContext by default
asserts:
- - notExists:
+ - isSubset:
path: spec.template.spec.containers[0].securityContext
- - it: should set container securityContext
+ content:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ runAsUser: 10000
+ capabilities:
+ drop: [ "ALL" ]
+ seccompProfile:
+ type: RuntimeDefault
+ - it: should set custom container securityContext
set:
containerSecurityContext:
- runAsUser: 1000
+ allowPrivilegeEscalation: true
+ runAsNonRoot: false
+ runAsUser: 1234
asserts:
- isSubset:
path: spec.template.spec.containers[0].securityContext
content:
- runAsUser: 1000
+ allowPrivilegeEscalation: true
+ runAsNonRoot: false
+ runAsUser: 1234
# spec.template.spec.containers[0].image
- it: should set container image
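Review bot: "should set custom container securityContext" overrides three keys with weaker values but asserts nothing about `capabilities.drop` and `seccompProfile`, which the override does not touch. Add both to the expected `content` so a template change that silently drops the remaining defaults on override fails the suite.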
diff --git a/helm/polaris/values.yaml b/helm/polaris/values.yaml
index 3a1fb7eb..7713d8ca 100644
--- a/helm/polaris/values.yaml
+++ b/helm/polaris/values.yaml
@@ -67,18 +67,21 @@ revisionHistoryLimit: ~
# -- Security context for the polaris pod. See
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/.
podSecurityContext:
- {}
- # fsGroup: 2000
+ # -- GID 10001 is compatible with Polaris OSS default images; change this if
you are using a different image.
+ fsGroup: 10001
+ seccompProfile:
+ type: RuntimeDefault
# -- Security context for the polaris container. See
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/.
containerSecurityContext:
- {}
- # capabilities:
- # drop:
- # - ALL
- # readOnlyRootFilesystem: true
- # runAsNonRoot: true
- # runAsUser: 1000
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ # -- UID 10000 is compatible with Polaris OSS default images; change this if
you are using a different image.
+ runAsUser: 10000
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: RuntimeDefault
# -- Polaris main service settings.
service:
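Review bot: `readOnlyRootFilesystem: true` was part of the commented-out example removed under `containerSecurityContext` and is absent from the new default, with no comment explaining why. If the default image needs a writable root filesystem, say so in a `# --` comment; otherwise consider adding it to the default. Separately, `seccompProfile` with `type: RuntimeDefault` is set in both `podSecurityContext` and `containerSecurityContext`; the pod-level setting already applies to the container, so either drop one or note that the duplication is deliberate.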