From 8fd027f23e2f49ea395faec2674f30f18433adbc Mon Sep 17 00:00:00 2001
From: nimalank7
Date: Wed, 25 Sep 2024 20:13:32 +0100
Subject: [PATCH] Update init containers to be PSS compliant

Description:
- Enforce initContainers to be compliant when PSS is set to restricted
- As part of https://github.com/alphagov/govuk-helm-charts/issues/1883
---
 .../templates/assets-upload-job.yaml | 9 ++++++---
 charts/generic-govuk-app/templates/deployment.yaml | 13 +++++++++++--
 charts/generic-govuk-app/values.yaml | 3 +++
 .../templates/govuk-mirror-sync-cronjob.yaml | 9 +++++++--
 charts/govuk-jobs/values.yaml | 2 +-
 5 files changed, 28 insertions(+), 8 deletions(-)

diff --git a/charts/generic-govuk-app/templates/assets-upload-job.yaml b/charts/generic-govuk-app/templates/assets-upload-job.yaml
index 592898239c9..277bce2f267 100644
--- a/charts/generic-govuk-app/templates/assets-upload-job.yaml
+++ b/charts/generic-govuk-app/templates/assets-upload-job.yaml
@@ -45,10 +45,13 @@ spec:
 - name: assets-to-upload
 mountPath: /assets-to-upload
 securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: { { .Values.securityContext.allowPrivilegeEscalation | default "false" } }
+ runAsNonRoot: { { .Values.securityContext.runAsNonRoot | default "true" } }
+ readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFilesystem | default "true" }}
+ seccompProfile:
+ type: RuntimeDefault
 capabilities:
- drop: ["ALL"]
+ drop: {{ .Values.securityContext.capabilities.drop }}
 containers:
 - name: upload-assets
 image: 172025368201.dkr.ecr.eu-west-1.amazonaws.com/github/alphagov/govuk/toolbox:latest
diff --git a/charts/generic-govuk-app/templates/deployment.yaml b/charts/generic-govuk-app/templates/deployment.yaml
index 9391db39ab4..1043518ad3f 100644
--- a/charts/generic-govuk-app/templates/deployment.yaml
+++ b/charts/generic-govuk-app/templates/deployment.yaml
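Review bot: The first two added lines of this hunk (`allowPrivilegeEscalation` and `runAsNonRoot`) use `{ { … } }` with spaces inside the delimiters, which Helm does not recognise as a template action; if that is what is committed, the text reaches the manifest verbatim as a YAML flow mapping where a boolean is expected and the Job is rejected, so they should read `allowPrivilegeEscalation: {{ .Values.securityContext.allowPrivilegeEscalation | default "false" }}` and `runAsNonRoot: {{ .Values.securityContext.runAsNonRoot | default "true" }}` like the `readOnlyRootFilesystem` line that follows them. Separately, Helm's `default` treats `false` as empty, so a values override of `runAsNonRoot: false` or `readOnlyRootFilesystem: false` silently renders as `true` here and in the matching blocks in deployment.yaml (`@@ -63`) and govuk-mirror-sync-cronjob.yaml; that fails closed, which suits the restricted-PSS goal, but it deserves a note in values.yaml such as `# false is treated as unset by the templates and renders as true`. Finally, `drop: {{ .Values.securityContext.capabilities.drop }}` relies on Go's default list formatting (`[ALL]`), which happens to be valid YAML for this value; `drop: {{ toJson .Values.securityContext.capabilities.drop }}` renders the list unambiguously for any entries.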
@@ -63,6 +63,15 @@ spec:
 volumeMounts:
 - name: assets
 mountPath: /assets
+ securityContext:
+ allowPrivilegeEscalation: {{ .Values.securityContext.allowPrivilegeEscalation | default "false" }}
+ runAsNonRoot: {{ .Values.securityContext.runAsNonRoot | default "true" }}
+ readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFilesystem | default "true" }}
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop: {{ .Values.securityContext.capabilities.drop }}
+ {{- end }}
 containers:
 - name: app
@@ -127,9 +136,9 @@ spec:
 {{- end }}
 securityContext:
 allowPrivilegeEscalation: {{ .Values.securityContext.allowPrivilegeEscalation }}
- readOnlyRootFilesystem: true
+ readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFileSystem }}
 capabilities:
- drop: ["ALL"]
+ drop: {{ .Values.securityContext.capabilities.drop }}
 volumeMounts:
 - name: app-tmp
 mountPath: /tmp
diff --git a/charts/generic-govuk-app/values.yaml b/charts/generic-govuk-app/values.yaml
index 43326e49531..f1fbcd377ec 100644
--- a/charts/generic-govuk-app/values.yaml
+++ b/charts/generic-govuk-app/values.yaml
@@ -157,6 +157,9 @@ securityContext:
 allowPrivilegeEscalation: false
 runAsUser: 1001
 runAsGroup: 1001
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop: [ "ALL" ]
 sentry:
 enabled: true
diff --git a/charts/govuk-jobs/templates/govuk-mirror-sync-cronjob.yaml b/charts/govuk-jobs/templates/govuk-mirror-sync-cronjob.yaml
index f4edcbe6cdc..80bd1b4b126 100644
--- a/charts/govuk-jobs/templates/govuk-mirror-sync-cronjob.yaml
+++ b/charts/govuk-jobs/templates/govuk-mirror-sync-cronjob.yaml
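Review bot: In the second hunk (`@@ -127,9 +136,9`) the app container's hard-coded `readOnlyRootFilesystem: true` becomes `{{ .Values.securityContext.readOnlyRootFileSystem }}`, but the key this patch adds to values.yaml is `readOnlyRootFilesystem` (lower-case `s`), so the lookup finds nothing, Helm renders the field empty, and the main container loses the read-only root filesystem that the init container is gaining. The line should be `readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFilesystem | default "true" }}`, matching the init-container block in the first hunk and the other templates in this patch. In the first hunk, `{{- end }}` appears as an added line while its opening action is outside the hunk, and the collapsed layout hides indentation; worth confirming with a rendered template that the conditional is balanced and the new `securityContext` sits at the init-container level rather than under `volumeMounts`.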
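Review bot: `runAsNonRoot` is not declared in this `securityContext` block even though the init-container templates in this patch read `.Values.securityContext.runAsNonRoot`, so the chart's stance on that field lives only in each template's `| default "true"`. Adding `runAsNonRoot: true` next to the new `readOnlyRootFilesystem: true` keeps the restricted-PSS settings visible and overridable in one place, and a one-line comment above the block, `# container securityContext; false values are treated as unset by the templates`, would document the override behaviour.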
@@ -50,8 +50,13 @@ spec:
 cpu: 2
 memory: 15000Mi
 securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: {{ .Values.securityContext.allowPrivilegeEscalation | default "false" }}
+ runAsNonRoot: {{ .Values.securityContext.runAsNonRoot | default "true" }}
+ readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFilesystem | default "true" }}
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop: {{ .Values.securityContext.capabilities.drop }}
 volumeMounts:
 - name: app-mirror-sync
 mountPath: /data
diff --git a/charts/govuk-jobs/values.yaml b/charts/govuk-jobs/values.yaml
index d6213170c9c..ef5560141e0 100644
--- a/charts/govuk-jobs/values.yaml
+++ b/charts/govuk-jobs/values.yaml
@@ -11,7 +11,7 @@ podSecurityContext:
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
- drop: [ALL]
+ drop: ["ALL"]
 readOnlyRootFilesystem: true
 runAsNonRoot: true
 runAsUser: 1001