Merge pull request #219 from catenax-ng/bugfix/fix-vulnerabilities

Bugfix/fix vulnerabilities
eclipse-tractusx · Jan 29, 2024 · d451261 · d451261
2 parents 566a999 + 7ab62d2
commit d451261
Show file tree

Hide file tree

Showing 5 changed files with 126 additions and 13 deletions.
diff --git a/charts/digital-product-pass/templates/deployment-backend.yaml b/charts/digital-product-pass/templates/deployment-backend.yaml
@@ -44,16 +44,13 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       securityContext:
-        runAsUser: 10000
-        fsGroup: 3000
+        {{- toYaml .Values.backend.podSecurityContext | nindent 8 }}
       containers:
         - name: {{ .Values.backend.name }}
           image: "{{ .Values.backend.image.repository }}:{{ .Values.backend.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.backend.image.pullPolicy }}
           securityContext:
-            allowPrivilegeEscalation: false
-            runAsUser: 10000
-            runAsGroup: 3000
+            {{- toYaml .Values.backend.securityContext | nindent 12 }}
           env:
             - name: "appId"
               valueFrom:
@@ -86,9 +83,16 @@ spec:
             - name: pvc-backend
               mountPath: /app/data/process
               subPath: data/process
-            - name: pvc-backend
+            - name: tmpfs
               mountPath: /app/log
               subPath: log
+            - name: tmpfs
+              mountPath: /tmp
+            - name: tmpfs
+              mountPath: /app/data/VaultConfig
+              subPath: VaultConfig/vault.token.yml
+            - name: tmpfs
+              mountPath: /app/tmp
           ports:
             - containerPort: 8888
               name: http
@@ -114,5 +118,7 @@ spec:
         - name: pvc-backend
           persistentVolumeClaim:
             claimName: pvc-data
+        - name: tmpfs
+          emptyDir: {}
 
 
diff --git a/charts/digital-product-pass/templates/deployment-frontend.yaml b/charts/digital-product-pass/templates/deployment-frontend.yaml
@@ -44,16 +44,13 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       securityContext:
-        runAsUser: 10000
-        fsGroup: 3000
+        {{- toYaml .Values.frontend.podSecurityContext | nindent 8 }}
       containers:
         - name: {{ .Values.frontend.name }}
           image: "{{ .Values.frontend.image.repository }}:{{ .Values.frontend.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.frontend.image.pullPolicy }}
-          securityContext: 
-            allowPrivilegeEscalation: false
-            runAsUser: 10000
-            runAsGroup: 3000
+          securityContext:
+            {{- toYaml .Values.frontend.securityContext | nindent 12 }}
           env:          
             {{- with (first .Values.frontend.ingress.hosts) }}
             - name: "SERVER_URL"
@@ -107,7 +104,6 @@ spec:
 
             - name: "VERSION"
               value: "{{ .Chart.AppVersion }}"
-
           ports:
             - containerPort: 8080
               name: http

diff --git a/charts/digital-product-pass/values.yaml b/charts/digital-product-pass/values.yaml
@@ -52,6 +52,37 @@ backend:
           - path: /
             pathType: Prefix
 
+  # -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment
+  podSecurityContext:
+    seccompProfile:
+      # -- Restrict a Container's Syscalls with seccomp
+      type: RuntimeDefault
+    # -- Runs all processes within a pod with a special uid
+    runAsUser: 10000
+    # -- Processes within a pod will belong to this guid
+    runAsGroup: 3000
+    # -- The owner for volumes and any files created within volumes will belong to this guid
+    fsGroup: 3000
+
+  # The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod
+  securityContext:
+    capabilities:
+      # -- Specifies which capabilities to drop to reduce syscall attack surface
+      drop:
+        - ALL
+      # -- Specifies which capabilities to add to issue specialized syscalls
+      add: []
+    # -- Whether the root filesystem is mounted in read-only mode
+    readOnlyRootFilesystem: true
+    # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID
+    allowPrivilegeEscalation: false
+    # -- Requires the container to run without root privileges
+    runAsNonRoot: true
+    # -- The container's process will run with the specified uid
+    runAsUser: 10000
+    # -- The owner for volumes and any files created within volumes will belong to this guid
+    runAsGroup: 3000
+
   # -- in this section we configure the values that are inserted as secrets in the backend
   edc:
     # -- the secret for assesing the edc management API
@@ -152,6 +183,37 @@ frontend:
   ingress:
     enabled: false
     hosts: []
+
+  # -- The [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) defines privilege and access control settings for a Pod within the deployment
+  podSecurityContext:
+    seccompProfile:
+      # -- Restrict a Container's Syscalls with seccomp
+      type: RuntimeDefault
+    # -- Runs all processes within a pod with a special uid
+    runAsUser: 10000
+    # -- Processes within a pod will belong to this guid
+    runAsGroup: 3000
+    # -- The owner for volumes and any files created within volumes will belong to this guid
+    fsGroup: 3000
+
+  # The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod
+  securityContext:
+    capabilities:
+      # -- Specifies which capabilities to drop to reduce syscall attack surface
+      drop:
+        - ALL
+      # -- Specifies which capabilities to add to issue specialized syscalls
+      add: []
+    # -- Whether the root filesystem is mounted in read-only mode
+    readOnlyRootFilesystem: false
+    # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID
+    allowPrivilegeEscalation: false
+    # -- Requires the container to run without root privileges
+    runAsNonRoot: true
+    # -- The container's process will run with the specified uid
+    runAsUser: 10000
+    # -- The owner for volumes and any files created within volumes will belong to this guid
+    runAsGroup: 3000
 
   # -- product passport UI configuration
 

diff --git a/deployment/infrastructure/edc-provider/data-service/templates/deployment.yaml b/deployment/infrastructure/edc-provider/data-service/templates/deployment.yaml
@@ -67,6 +67,12 @@ spec:
             - containerPort: {{ .Values.container.port }}
               protocol: TCP
               name: http
+          volumeMounts:
+          - mountPath: /tmp
+            name: tmp
+      volumes:
+        - emptyDir: {}
+          name: tmp
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/deployment/infrastructure/edc-provider/data-service/values.yaml b/deployment/infrastructure/edc-provider/data-service/values.yaml
@@ -34,6 +34,7 @@ image:
   pullPolicy: IfNotPresent
   # -- Overrides the image tag whose default is the chart appVersion
   tag: "0.0.1"
+  command: ""
   # -- Image pull secret to create to [obtain the container image from private registries](https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry)
 imagePullSecrets: []
 
@@ -52,6 +53,40 @@ service:
 container:
   port: 80
 
+livenessProbe: {}
+
+readinessProbe: {}
+
+# -- additional annotations for the pod
+podAnnotations: {}
+
+podSecurityContext:
+  seccompProfile:
+    # -- Restrict a Container's Syscalls with seccomp
+    type: RuntimeDefault
+  # -- Runs all processes within a pod with a special uid
+  runAsUser: 10001
+  # -- Processes within a pod will belong to this guid
+  runAsGroup: 10001
+  # -- The owner for volumes and any files created within volumes will belong to this guid
+  fsGroup: 10001
+# The [container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) defines privilege and access control settings for a Container within a pod
+securityContext:
+  capabilities:
+    # -- Specifies which capabilities to drop to reduce syscall attack surface
+    drop:
+      - ALL
+    # -- Specifies which capabilities to add to issue specialized syscalls
+    add: []
+  # -- Whether the root filesystem is mounted in read-only mode
+  readOnlyRootFilesystem: true
+  # -- Controls [Privilege Escalation](https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation) enabling setuid binaries changing the effective user ID
+  allowPrivilegeEscalation: false
+  # -- Requires the container to run without root privileges
+  runAsNonRoot: true
+  # -- The container's process will run with the specified uid
+  runAsUser: 10001
+
 ingress:
   enabled: true
   className: "nginx"
@@ -71,3 +106,11 @@ ingress:
     - secretName: tls-secret
       hosts:
         - materialpass.int.demo.catena-x.net
+
+
+
+nodeSelector: {}
+# [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to configure preferred nodes
+tolerations: []
+# [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) to configure which nodes the pods can be scheduled on
+affinity: {}