fix: set uid,gid,fsownerid to high value and fix securityContext issue (

#73) * fix: set uid,gid,fsownerid to high value and fix securityContext issue * set security context to true kubeval envocation
isindir · May 26, 2021 · 706ba50 · 706ba50
1 parent 0555df5
commit 706ba50
Show file tree

Hide file tree

Showing 8 changed files with 72 additions and 56 deletions.
diff --git a/chart/helm3/sops-secrets-operator/Chart.yaml b/chart/helm3/sops-secrets-operator/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-version: 0.8.2
+version: 0.8.3
 appVersion: 0.2.1
 type: application
 description: Helm chart deploys sops-secrets-operator

diff --git a/chart/helm3/sops-secrets-operator/Makefile b/chart/helm3/sops-secrets-operator/Makefile
@@ -38,5 +38,5 @@ lint: ## runs helm chart linting
 	@echo '--------------------'
 
 validate: ## validates rendered chart templates using 'kubeval'
-	helm template . | kubeval --ignore-missing-schemas --force-color -
+	helm template . --set securityContextenabled=true | kubeval --ignore-missing-schemas --force-color -
 	@echo '--------------------'
diff --git a/chart/helm3/sops-secrets-operator/README.md b/chart/helm3/sops-secrets-operator/README.md
@@ -147,11 +147,10 @@ The following table lists the configurable parameters of the Sops-secrets-operat
 | resources | object | `{}` | Operator container resources |
 | secretsAsEnvVars | list | `[]` | configure custom secrets to be used as environment variables at runtime, see values.yaml |
 | secretsAsFiles | list | `[]` | configure custom secrets to be mounted at runtime, see values.yaml |
-| securityContext.allowPrivilegeEscalation | bool | `false` | allow Privilege escalation |
 | securityContext.enabled | bool | `false` | Enable securityContext |
-| securityContext.fsGroup | int | `1000` | fs group |
-| securityContext.runAsGroup | int | `3000` | GID to run as |
-| securityContext.runAsUser | int | `1000` | UID to run as |
+| securityContext.fsGroup | int | `13001` | fs group |
+| securityContext.runAsGroup | int | `13001` | GID to run as |
+| securityContext.runAsUser | int | `13001` | UID to run as |
 | serviceAccount.annotations | object | `{}` | Annotations to be added to the service account |
 | tolerations | list | `[]` | Tolerations to be applied to operator pod |
 

diff --git a/chart/helm3/sops-secrets-operator/templates/operator.yaml b/chart/helm3/sops-secrets-operator/templates/operator.yaml
@@ -175,7 +175,6 @@ spec:
         runAsUser: {{ .Values.securityContext.runAsUser }}
         runAsGroup: {{ .Values.securityContext.runAsGroup }}
         fsGroup: {{ .Values.securityContext.fsGroup }}
-        allowPrivilegeEscalation: {{ .Values.securityContext.allowPrivilegeEscalation }}
       {{- end }}
       {{- with .Values.affinity }}
       affinity:

diff --git a/chart/helm3/sops-secrets-operator/tests/operator_test.yaml b/chart/helm3/sops-secrets-operator/tests/operator_test.yaml
@@ -31,7 +31,7 @@ tests:
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: sops-secrets-operator
             app.kubernetes.io/version: 0.2.1
-            helm.sh/chart: sops-secrets-operator-0.8.2
+            helm.sh/chart: sops-secrets-operator-0.8.3
 
   # template metadata and spec selector
   - it: should correctly render template metadata and spec selector

diff --git a/chart/helm3/sops-secrets-operator/values.yaml b/chart/helm3/sops-secrets-operator/values.yaml
@@ -137,13 +137,11 @@ securityContext:
   # -- Enable securityContext
   enabled: false
   # -- UID to run as
-  runAsUser: 1000
+  runAsUser: 13001
   # -- GID to run as
-  runAsGroup: 3000
+  runAsGroup: 13001
   # -- fs group
-  fsGroup: 1000
-  # -- allow Privilege escalation
-  allowPrivilegeEscalation: false
+  fsGroup: 13001
 
 # -- Tolerations to be applied to operator pod
 tolerations: []