chore: update hydra secContext (#606)

ory · May 11, 2023 · d954541 · d954541
1 parent bfa1e74
commit d954541
Show file tree

Hide file tree

Showing 12 changed files with 30 additions and 17 deletions.
diff --git a/hacks/values/hydra.yaml b/hacks/values/hydra.yaml
@@ -38,7 +38,7 @@ janitor:
       drop:
         - ALL
   podSecurityContext:
-    runAsNonRoot: false
+    runAsNonRoot: true
 
 deployment:
   autoscaling:
@@ -124,7 +124,7 @@ watcher:
       drop:
         - ALL
   podSecurityContext:
-    runAsNonRoot: false
+    runAsNonRoot: true
 
 serviceMonitor:
   labels:
@@ -144,7 +144,7 @@ cronjob:
       annotations:
         ory.sh/pod_annotation: hydra
     podSecurityContext:
-      runAsNonRoot: false
+      runAsNonRoot: true
 
 test:
   labels:

diff --git a/helm/charts/example-idp/Chart.yaml b/helm/charts/example-idp/Chart.yaml
@@ -1,6 +1,8 @@
 apiVersion: v2
 appVersion: "1.4.6"
-description: A Helm chart for deploying the reference implementation for the User Login and Consent Flow in Kubernetes
+description:
+  A Helm chart for deploying the reference implementation for the User Login and
+  Consent Flow in Kubernetes
 name: example-idp
 version: 0.33.0
 type: application
diff --git a/helm/charts/example-idp/README.md b/helm/charts/example-idp/README.md
@@ -1,6 +1,6 @@
 # example-idp
 
-![Version: 0.32.0](https://img.shields.io/badge/Version-0.32.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.4.6](https://img.shields.io/badge/AppVersion-1.4.6-informational?style=flat-square)
+![Version: 0.33.0](https://img.shields.io/badge/Version-0.33.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.4.6](https://img.shields.io/badge/AppVersion-1.4.6-informational?style=flat-square)
 
 A Helm chart for deploying the reference implementation for the User Login and Consent Flow in Kubernetes
 

diff --git a/helm/charts/hydra-maester/README.md b/helm/charts/hydra-maester/README.md
@@ -1,6 +1,6 @@
 # hydra-maester
 
-![Version: 0.32.0](https://img.shields.io/badge/Version-0.32.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.0.23](https://img.shields.io/badge/AppVersion-v0.0.23-informational?style=flat-square)
+![Version: 0.33.0](https://img.shields.io/badge/Version-0.33.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.0.23](https://img.shields.io/badge/AppVersion-v0.0.23-informational?style=flat-square)
 
 A Helm chart for Kubernetes
 

diff --git a/helm/charts/hydra/README.md b/helm/charts/hydra/README.md
@@ -1,6 +1,6 @@
 # hydra
 
-![Version: 0.32.0](https://img.shields.io/badge/Version-0.32.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.1.1](https://img.shields.io/badge/AppVersion-v2.1.1-informational?style=flat-square)
+![Version: 0.33.0](https://img.shields.io/badge/Version-0.33.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.1.1](https://img.shields.io/badge/AppVersion-v2.1.1-informational?style=flat-square)
 
 A Helm chart for deploying ORY Hydra in Kubernetes
 
@@ -21,7 +21,7 @@ A Helm chart for deploying ORY Hydra in Kubernetes
 
 | Repository | Name | Version |
 |------------|------|---------|
-| file://../hydra-maester | hydra-maester(hydra-maester) | 0.32.0 |
+| file://../hydra-maester | hydra-maester(hydra-maester) | 0.33.0 |
 
 ## Values
 
@@ -161,7 +161,7 @@ A Helm chart for deploying ORY Hydra in Kubernetes
 | serviceMonitor.tlsConfig | object | `{}` | TLS configuration to use when scraping the endpoint |
 | test.busybox | object | `{"repository":"busybox","tag":1}` | use a busybox image from another repository |
 | test.labels | object | `{}` | Provide additional labels to the test pod |
-| watcher | object | `{"enabled":false,"image":"oryd/k8s-toolbox:0.0.5","mountFile":"","podMetadata":{"annotations":{},"labels":{}},"podSecurityContext":{},"securityContext":{},"watchLabelKey":"ory.sh/watcher"}` | Sidecar watcher configuration |
+| watcher | object | `{"enabled":false,"image":"oryd/k8s-toolbox:0.0.5","mountFile":"","podMetadata":{"annotations":{},"labels":{}},"podSecurityContext":{},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":100,"seccompProfile":{"type":"RuntimeDefault"}},"watchLabelKey":"ory.sh/watcher"}` | Sidecar watcher configuration |
 | watcher.mountFile | string | `""` | Path to mounted file, which wil be monitored for changes. eg: /etc/secrets/my-secret/foo |
 | watcher.podMetadata | object | `{"annotations":{},"labels":{}}` | Specify pod metadata, this metadata is added directly to the pod, and not higher objects |
 | watcher.podMetadata.annotations | object | `{}` | Extra pod level annotations |

diff --git a/helm/charts/hydra/values.yaml b/helm/charts/hydra/values.yaml
@@ -459,7 +459,17 @@ watcher:
   podSecurityContext: {}
 
   ## -- container securityContext for watcher deployment
-  securityContext: {}
+  securityContext:
+    capabilities:
+      drop:
+        - ALL
+    seccompProfile:
+      type: RuntimeDefault
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    runAsUser: 100
+    allowPrivilegeEscalation: false
+    privileged: false
 
 ## -- Janitor cron job configuration
 janitor:

diff --git a/helm/charts/keto/README.md b/helm/charts/keto/README.md
@@ -1,6 +1,6 @@
 # keto
 
-![Version: 0.32.0](https://img.shields.io/badge/Version-0.32.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.11.0](https://img.shields.io/badge/AppVersion-v0.11.0-informational?style=flat-square)
+![Version: 0.33.0](https://img.shields.io/badge/Version-0.33.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.11.0](https://img.shields.io/badge/AppVersion-v0.11.0-informational?style=flat-square)
 
 Access Control Policies as a Server
 

diff --git a/helm/charts/kratos-selfservice-ui-node/README.md b/helm/charts/kratos-selfservice-ui-node/README.md
@@ -1,6 +1,6 @@
 # kratos-selfservice-ui-node
 
-![Version: 0.32.0](https://img.shields.io/badge/Version-0.32.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.10.1](https://img.shields.io/badge/AppVersion-v0.10.1-informational?style=flat-square)
+![Version: 0.33.0](https://img.shields.io/badge/Version-0.33.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.10.1](https://img.shields.io/badge/AppVersion-v0.10.1-informational?style=flat-square)
 
 A Helm chart for ORY Kratos's example ui for Kubernetes
 

diff --git a/helm/charts/kratos/README.md b/helm/charts/kratos/README.md
@@ -1,6 +1,6 @@
 # kratos
 
-![Version: 0.32.0](https://img.shields.io/badge/Version-0.32.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.13.0](https://img.shields.io/badge/AppVersion-v0.13.0-informational?style=flat-square)
+![Version: 0.33.0](https://img.shields.io/badge/Version-0.33.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.13.0](https://img.shields.io/badge/AppVersion-v0.13.0-informational?style=flat-square)
 
 A ORY Kratos Helm chart for Kubernetes
 

diff --git a/helm/charts/oathkeeper-maester/Chart.yaml b/helm/charts/oathkeeper-maester/Chart.yaml
@@ -1,6 +1,7 @@
 apiVersion: v1
 appVersion: "v0.1.8"
-description: A Helm chart for deploying ORY Oathkeeper Rule Controller in Kubernetes
+description:
+  A Helm chart for deploying ORY Oathkeeper Rule Controller in Kubernetes
 name: oathkeeper-maester
 icon: https://raw.githubusercontent.com/ory/docs/master/docs/static/img/logo-oathkeeper.svg
 version: 0.33.0

diff --git a/helm/charts/oathkeeper-maester/README.md b/helm/charts/oathkeeper-maester/README.md
@@ -1,6 +1,6 @@
 # oathkeeper-maester
 
-![Version: 0.32.0](https://img.shields.io/badge/Version-0.32.0-informational?style=flat-square) ![AppVersion: v0.1.8](https://img.shields.io/badge/AppVersion-v0.1.8-informational?style=flat-square)
+![Version: 0.33.0](https://img.shields.io/badge/Version-0.33.0-informational?style=flat-square) ![AppVersion: v0.1.8](https://img.shields.io/badge/AppVersion-v0.1.8-informational?style=flat-square)
 
 A Helm chart for deploying ORY Oathkeeper Rule Controller in Kubernetes
 

diff --git a/helm/charts/oathkeeper/README.md b/helm/charts/oathkeeper/README.md
@@ -1,6 +1,6 @@
 # oathkeeper
 
-![Version: 0.32.0](https://img.shields.io/badge/Version-0.32.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.40.3](https://img.shields.io/badge/AppVersion-v0.40.3-informational?style=flat-square)
+![Version: 0.33.0](https://img.shields.io/badge/Version-0.33.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.40.3](https://img.shields.io/badge/AppVersion-v0.40.3-informational?style=flat-square)
 
 A Helm chart for deploying ORY Oathkeeper in Kubernetes
 
@@ -21,7 +21,7 @@ A Helm chart for deploying ORY Oathkeeper in Kubernetes
 
 | Repository | Name | Version |
 |------------|------|---------|
-| file://../oathkeeper-maester | oathkeeper-maester(oathkeeper-maester) | 0.32.0 |
+| file://../oathkeeper-maester | oathkeeper-maester(oathkeeper-maester) | 0.33.0 |
 
 ## Values