add securityContext example for Restricted pod-security policies

charts/tsm-node/Chart.yaml

@@ -5,5 +5,5 @@ maintainers:
   - name: Blockdaemon
     email: [email protected]
 type: application
-version: 0.1.1
+version: 0.1.2
 appVersion: "61.0.2"

charts/tsm-node/README.md

@@ -1,6 +1,6 @@
 # tsm-node
 
-![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 61.0.2](https://img.shields.io/badge/AppVersion-61.0.2-informational?style=flat-square)
+![Version: 0.1.2](https://img.shields.io/badge/Version-0.1.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 61.0.2](https://img.shields.io/badge/AppVersion-61.0.2-informational?style=flat-square)
 
 A Helm chart to deploy a Blockdaemon TSM node to kubernetes
 
@@ -48,5 +48,3 @@ A Helm chart to deploy a Blockdaemon TSM node to kubernetes
 | volumeMounts | list | `[]` | Additional volumeMounts on the output Deployment definition. |
 | volumes | list | `[]` | Additional volumes on the output Deployment definition. |
 
-----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0)

charts/tsm-node/ci/securityContext-values.yaml

@@ -0,0 +1,46 @@
+replicaCount: 1
+index: 0
+
+config:
+  configFile: |
+    [Player]
+      Index = 0
+      PrivateKey = "replace me"
+
+    [Database]
+      DriverName = "sqlite3"
+      DataSourceName = "/tmp/tsmdb"
+      EncryptorMasterPassword = "ENCRYPTION_KEY"
+
+    [SDKServer]
+      Port = 8080
+image:
+  repository: <the name of the repository where tsm-node is stored>
+  pullPolicy: IfNotPresent
+  tag: "61.0.2"
+sdkService:
+  type: NodePort
+  ports:
+    - port: 8080
+      name: sdk
+      targetPort: 8080
+    - port: 9000
+      name: mpc
+      targetPort: 9000
+
+mpcService:
+  enabled: false
+
+ingress:
+  enabled: false
+
+securityContext:
+  capabilities:
+    drop:
+    - ALL
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 2000
+  allowPrivilegeEscalation: false
+  seccompProfile:
+    type: "RuntimeDefault"

charts/tsm-node/values.yaml

@@ -47,7 +47,10 @@ securityContext:
   #   - ALL
   # readOnlyRootFilesystem: true
   # runAsNonRoot: true
-  # runAsUser: 1000
+  # runAsUser: 2000
+  # allowPrivilegeEscalation: false
+  # seccompProfile:
+  #   type: "RuntimeDefault"
 
 # -- The primary service definition for the TSM node
 sdkService:

examples/tsm-node-multiinstance/tsm0.yaml

@@ -132,3 +132,14 @@ affinity:
 resources:
   requests:
     cpu: 14
+
+securityContext:
+  capabilities:
+   drop:
+   - ALL
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 2000
+  allowPrivilegeEscalation: false
+  seccompProfile:
+    type: "RuntimeDefault"

examples/tsm-node-multiinstance/tsm1.yaml

@@ -132,3 +132,14 @@ affinity:
 resources:
   requests:
     cpu: 14
+
+securityContext:
+  capabilities:
+   drop:
+   - ALL
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 2000
+  allowPrivilegeEscalation: false
+  seccompProfile:
+    type: "RuntimeDefault"

examples/tsm-node-multiinstance/tsm2.yaml

@@ -133,3 +133,14 @@ affinity:
 resources:
   requests:
     cpu: 14
+
+securityContext:
+  capabilities:
+   drop:
+   - ALL
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 2000
+  allowPrivilegeEscalation: false
+  seccompProfile:
+    type: "RuntimeDefault"