From d95454159447fa80dc2d741871cf4985030f6f53 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jakub=20B=C5=82aszczyk?=
Date: Thu, 11 May 2023 11:07:32 +0200
Subject: [PATCH] chore: update hydra secContext (#606)
---
 hacks/values/hydra.yaml | 6 +++---
 helm/charts/example-idp/Chart.yaml | 4 +++-
 helm/charts/example-idp/README.md | 2 +-
 helm/charts/hydra-maester/README.md | 2 +-
 helm/charts/hydra/README.md | 6 +++---
 helm/charts/hydra/values.yaml | 12 +++++++++++-
 helm/charts/keto/README.md | 2 +-
 helm/charts/kratos-selfservice-ui-node/README.md | 2 +-
 helm/charts/kratos/README.md | 2 +-
 helm/charts/oathkeeper-maester/Chart.yaml | 3 ++-
 helm/charts/oathkeeper-maester/README.md | 2 +-
 helm/charts/oathkeeper/README.md | 4 ++--
 12 files changed, 30 insertions(+), 17 deletions(-)
diff --git a/hacks/values/hydra.yaml b/hacks/values/hydra.yaml
index 120d090a36..e5772e443b 100644
--- a/hacks/values/hydra.yaml
+++ b/hacks/values/hydra.yaml
@@ -38,7 +38,7 @@ janitor:
 drop:
 - ALL
 podSecurityContext:
- runAsNonRoot: false
+ runAsNonRoot: true
 deployment:
 autoscaling:
@@ -124,7 +124,7 @@ watcher:
 drop:
 - ALL
 podSecurityContext:
- runAsNonRoot: false
+ runAsNonRoot: true
 serviceMonitor:
 labels:
@@ -144,7 +144,7 @@ cronjob:
 annotations:
 ory.sh/pod_annotation: hydra
 podSecurityContext:
- runAsNonRoot: false
+ runAsNonRoot: true
 test:
 labels:
diff --git a/helm/charts/example-idp/Chart.yaml b/helm/charts/example-idp/Chart.yaml
index e2a6aefa81..68775d5a57 100644
--- a/helm/charts/example-idp/Chart.yaml
+++ b/helm/charts/example-idp/Chart.yaml
@@ -1,6 +1,8 @@
 apiVersion: v2
 appVersion: "1.4.6"
-description: A Helm chart for deploying the reference implementation for the User Login and Consent Flow in Kubernetes
+description:
+ A Helm chart for deploying the reference implementation for the User Login and
+ Consent Flow in Kubernetes
 name: example-idp
 version: 0.33.0
 type: application
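Review bot: The three `podSecurityContext` blocks in hacks/values/hydra.yaml (the hunks at -38 under janitor, -124 under watcher and -144 under cronjob) now set `runAsNonRoot: true`, but no `runAsUser` is visible next to it. With `runAsNonRoot` alone the kubelet has to take the UID from the image, and it refuses to start a container whose image declares a non-numeric USER or runs as root, so a mismatch shows up as a container that never starts rather than as a failed install. Consider pinning the UID at the same level, e.g. `runAsUser: <non-root UID of the image>` (placeholder), or at least adding `# image must declare a numeric non-root USER` above each key. The container-level securityContext above each block is only partly inside the hunks, so a `runAsUser` may already be set there; if so this only needs the comment.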
diff --git a/helm/charts/example-idp/README.md b/helm/charts/example-idp/README.md
index 769f0d6a71..29e88e7327 100644
--- a/helm/charts/example-idp/README.md
+++ b/helm/charts/example-idp/README.md
@@ -1,6 +1,6 @@
 # example-idp
-![Version: 0.32.0](https://img.shields.io/badge/Version-0.32.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.4.6](https://img.shields.io/badge/AppVersion-1.4.6-informational?style=flat-square)
+![Version: 0.33.0](https://img.shields.io/badge/Version-0.33.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.4.6](https://img.shields.io/badge/AppVersion-1.4.6-informational?style=flat-square)
 A Helm chart for deploying the reference implementation for the User Login and Consent Flow in Kubernetes
diff --git a/helm/charts/hydra-maester/README.md b/helm/charts/hydra-maester/README.md
index fe3731beb9..838ca01b42 100644
--- a/helm/charts/hydra-maester/README.md
+++ b/helm/charts/hydra-maester/README.md
@@ -1,6 +1,6 @@
 # hydra-maester
-![Version: 0.32.0](https://img.shields.io/badge/Version-0.32.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.0.23](https://img.shields.io/badge/AppVersion-v0.0.23-informational?style=flat-square)
+![Version: 0.33.0](https://img.shields.io/badge/Version-0.33.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.0.23](https://img.shields.io/badge/AppVersion-v0.0.23-informational?style=flat-square)
 A Helm chart for Kubernetes
diff --git a/helm/charts/hydra/README.md b/helm/charts/hydra/README.md
index 502d4774f1..9e6cb7fb41 100644
--- a/helm/charts/hydra/README.md
+++ b/helm/charts/hydra/README.md
@@ -1,6 +1,6 @@
 # hydra
-![Version: 0.32.0](https://img.shields.io/badge/Version-0.32.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.1.1](https://img.shields.io/badge/AppVersion-v2.1.1-informational?style=flat-square)
+![Version: 0.33.0](https://img.shields.io/badge/Version-0.33.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.1.1](https://img.shields.io/badge/AppVersion-v2.1.1-informational?style=flat-square)
 A Helm chart for deploying ORY Hydra in Kubernetes
@@ -21,7 +21,7 @@ A Helm chart for deploying ORY Hydra in Kubernetes
 | Repository | Name | Version |
 |------------|------|---------|
-| file://../hydra-maester | hydra-maester(hydra-maester) | 0.32.0 |
+| file://../hydra-maester | hydra-maester(hydra-maester) | 0.33.0 |
 ## Values
@@ -161,7 +161,7 @@ A Helm chart for deploying ORY Hydra in Kubernetes
 | serviceMonitor.tlsConfig | object | `{}` | TLS configuration to use when scraping the endpoint |
 | test.busybox | object | `{"repository":"busybox","tag":1}` | use a busybox image from another repository |
 | test.labels | object | `{}` | Provide additional labels to the test pod |
-| watcher | object | `{"enabled":false,"image":"oryd/k8s-toolbox:0.0.5","mountFile":"","podMetadata":{"annotations":{},"labels":{}},"podSecurityContext":{},"securityContext":{},"watchLabelKey":"ory.sh/watcher"}` | Sidecar watcher configuration |
+| watcher | object | `{"enabled":false,"image":"oryd/k8s-toolbox:0.0.5","mountFile":"","podMetadata":{"annotations":{},"labels":{}},"podSecurityContext":{},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":100,"seccompProfile":{"type":"RuntimeDefault"}},"watchLabelKey":"ory.sh/watcher"}` | Sidecar watcher configuration |
 | watcher.mountFile | string | `""` | Path to mounted file, which wil be monitored for changes. eg: /etc/secrets/my-secret/foo |
 | watcher.podMetadata | object | `{"annotations":{},"labels":{}}` | Specify pod metadata, this metadata is added directly to the pod, and not higher objects |
 | watcher.podMetadata.annotations | object | `{}` | Extra pod level annotations |
diff --git a/helm/charts/hydra/values.yaml b/helm/charts/hydra/values.yaml
index cd1719b950..cff79a5ffb 100644
--- a/helm/charts/hydra/values.yaml
+++ b/helm/charts/hydra/values.yaml
@@ -459,7 +459,17 @@ watcher:
 podSecurityContext: {}
 ## -- container securityContext for watcher deployment
- securityContext: {}
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 100
+ allowPrivilegeEscalation: false
+ privileged: false
 ## -- Janitor cron job configuration
 janitor:
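Review bot: `runAsUser: 100` in the new watcher `securityContext` default in helm/charts/hydra/values.yaml depends on which users exist in the default `watcher.image`, and nothing in the hunk says so. Anyone who overrides the image keeps UID 100 together with `runAsNonRoot: true` and `readOnlyRootFilesystem: true`, and because Helm merges map values key by key, an existing override that sets only some of these keys now inherits the rest. I would extend the comment above the key, e.g. `## -- container securityContext for watcher deployment; runAsUser must be a non-root UID valid for watcher.image`, and call out the changed default in the release notes. `podSecurityContext: {}` just above stays empty, so no fsGroup is set; it is worth confirming that UID 100 can still read the mounted file being watched (inferred, the template is not part of this diff).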
diff --git a/helm/charts/keto/README.md b/helm/charts/keto/README.md
index b83528e6d1..1edcfbc8e9 100644
--- a/helm/charts/keto/README.md
+++ b/helm/charts/keto/README.md
@@ -1,6 +1,6 @@
 # keto
-![Version: 0.32.0](https://img.shields.io/badge/Version-0.32.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.11.0](https://img.shields.io/badge/AppVersion-v0.11.0-informational?style=flat-square)
+![Version: 0.33.0](https://img.shields.io/badge/Version-0.33.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.11.0](https://img.shields.io/badge/AppVersion-v0.11.0-informational?style=flat-square)
 Access Control Policies as a Server
diff --git a/helm/charts/kratos-selfservice-ui-node/README.md b/helm/charts/kratos-selfservice-ui-node/README.md
index e2f8704d4a..07cc0788e0 100644
--- a/helm/charts/kratos-selfservice-ui-node/README.md
+++ b/helm/charts/kratos-selfservice-ui-node/README.md
@@ -1,6 +1,6 @@
 # kratos-selfservice-ui-node
-![Version: 0.32.0](https://img.shields.io/badge/Version-0.32.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.10.1](https://img.shields.io/badge/AppVersion-v0.10.1-informational?style=flat-square)
+![Version: 0.33.0](https://img.shields.io/badge/Version-0.33.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.10.1](https://img.shields.io/badge/AppVersion-v0.10.1-informational?style=flat-square)
 A Helm chart for ORY Kratos's example ui for Kubernetes
diff --git a/helm/charts/kratos/README.md b/helm/charts/kratos/README.md
index 1ecf4cac54..bf20b674c1 100644
--- a/helm/charts/kratos/README.md
+++ b/helm/charts/kratos/README.md
@@ -1,6 +1,6 @@
 # kratos
-![Version: 0.32.0](https://img.shields.io/badge/Version-0.32.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.13.0](https://img.shields.io/badge/AppVersion-v0.13.0-informational?style=flat-square)
+![Version: 0.33.0](https://img.shields.io/badge/Version-0.33.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.13.0](https://img.shields.io/badge/AppVersion-v0.13.0-informational?style=flat-square)
 A ORY Kratos Helm chart for Kubernetes
diff --git a/helm/charts/oathkeeper-maester/Chart.yaml b/helm/charts/oathkeeper-maester/Chart.yaml
index c9669d5bf6..80272f0b19 100644
--- a/helm/charts/oathkeeper-maester/Chart.yaml
+++ b/helm/charts/oathkeeper-maester/Chart.yaml
@@ -1,6 +1,7 @@
 apiVersion: v1
 appVersion: "v0.1.8"
-description: A Helm chart for deploying ORY Oathkeeper Rule Controller in Kubernetes
+description:
+ A Helm chart for deploying ORY Oathkeeper Rule Controller in Kubernetes
 name: oathkeeper-maester
 icon: https://raw.githubusercontent.com/ory/docs/master/docs/static/img/logo-oathkeeper.svg
 version: 0.33.0
diff --git a/helm/charts/oathkeeper-maester/README.md b/helm/charts/oathkeeper-maester/README.md
index 5bbc7e0dab..9f94aa2458 100644
--- a/helm/charts/oathkeeper-maester/README.md
+++ b/helm/charts/oathkeeper-maester/README.md
@@ -1,6 +1,6 @@
 # oathkeeper-maester
-![Version: 0.32.0](https://img.shields.io/badge/Version-0.32.0-informational?style=flat-square) ![AppVersion: v0.1.8](https://img.shields.io/badge/AppVersion-v0.1.8-informational?style=flat-square)
+![Version: 0.33.0](https://img.shields.io/badge/Version-0.33.0-informational?style=flat-square) ![AppVersion: v0.1.8](https://img.shields.io/badge/AppVersion-v0.1.8-informational?style=flat-square)
 A Helm chart for deploying ORY Oathkeeper Rule Controller in Kubernetes
diff --git a/helm/charts/oathkeeper/README.md b/helm/charts/oathkeeper/README.md
index c25b5fbd71..9a342e91a0 100644
--- a/helm/charts/oathkeeper/README.md
+++ b/helm/charts/oathkeeper/README.md
@@ -1,6 +1,6 @@
 # oathkeeper
-![Version: 0.32.0](https://img.shields.io/badge/Version-0.32.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.40.3](https://img.shields.io/badge/AppVersion-v0.40.3-informational?style=flat-square)
+![Version: 0.33.0](https://img.shields.io/badge/Version-0.33.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.40.3](https://img.shields.io/badge/AppVersion-v0.40.3-informational?style=flat-square)
 A Helm chart for deploying ORY Oathkeeper in Kubernetes
@@ -21,7 +21,7 @@ A Helm chart for deploying ORY Oathkeeper in Kubernetes
 | Repository | Name | Version |
 |------------|------|---------|
-| file://../oathkeeper-maester | oathkeeper-maester(oathkeeper-maester) | 0.32.0 |
+| file://../oathkeeper-maester | oathkeeper-maester(oathkeeper-maester) | 0.33.0 |
 ## Values