NethermindEth · mark-liu · Jan 23, 2024 · Jan 23, 2024 · Jan 23, 2024 · Jan 23, 2024
diff --git a/charts/dirk/templates/statefulset.yaml b/charts/dirk/templates/statefulset.yaml
@@ -20,6 +20,7 @@ spec:
       labels:
         {{- include "common.labels.matchLabels" . | nindent 8 }}
     spec:
+      automountServiceAccountToken: false
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -84,6 +85,7 @@ spec:
             runAsUser: {{ .Values.global.securityContext.runAsUser | default 10000 }}
             fsGroup: {{ .Values.global.securityContext.fsGroup | default 10000 }}
             readOnlyRootFilesystem: {{ .Values.global.securityContext.readOnlyRootFilesystem | default true }}
+            allowPrivilegeEscalation: {{ .Values.global.securityContext.allowPrivilegeEscalation | default false }}
             capabilities:
               drop:
                 - ALL
@@ -115,6 +117,7 @@ spec:
             runAsUser: {{ .Values.global.securityContext.runAsUser | default 10000 }}
             fsGroup: {{ .Values.global.securityContext.fsGroup | default 10000 }}
             readOnlyRootFilesystem: {{ .Values.global.securityContext.readOnlyRootFilesystem | default true }}
+            allowPrivilegeEscalation: {{ .Values.global.securityContext.allowPrivilegeEscalation | default false }}
             capabilities:
               drop:
                 - ALL
@@ -166,6 +169,7 @@ spec:
             runAsUser: {{ .Values.global.securityContext.runAsUser | default 10000 }}
             fsGroup: {{ .Values.global.securityContext.fsGroup | default 10000 }}
             readOnlyRootFilesystem: {{ .Values.global.securityContext.readOnlyRootFilesystem | default true }}
+            allowPrivilegeEscalation: {{ .Values.global.securityContext.allowPrivilegeEscalation | default false }}
             capabilities:
               drop:
                 - ALL

diff --git a/charts/dirk/values.yaml b/charts/dirk/values.yaml
@@ -120,6 +120,7 @@ securityContext: {}
   # readOnlyRootFilesystem: true
   # runAsNonRoot: true
   # runAsUser: 1000
+  # allowPrivilegeEscalation: false
 
 service:
   type: ClusterIP

diff --git a/charts/execution-beacon/templates/statefulset.yaml b/charts/execution-beacon/templates/statefulset.yaml
@@ -21,6 +21,7 @@ spec:
       annotations:
         checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
     spec:
+      automountServiceAccountToken: false
     {{- with (concat .Values.global.imagePullSecrets .Values.global.imagePullSecrets) }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
@@ -115,12 +116,7 @@ spec:
           image: "{{ (pluck .Values.execution.client .Values.global.image.execution | first ).repository }}:{{ (pluck .Values.execution.client .Values.global.image.execution | first ).tag }}"
           imagePullPolicy: {{ .Values.global.image.imagePullPolicy }}
           securityContext:
-            readOnlyRootFilesystem: false
-            runAsNonRoot: true
-            runAsUser: 10000
-            capabilities:
-              drop:
-              - ALL
+            {{- toYaml .Values.global.securityContext | nindent 12 }}
           {{- if .Values.global.externalSecrets.enabled }}
           envFrom:
             - secretRef:
@@ -377,12 +373,7 @@ spec:
           image: "{{ (pluck .Values.beacon.client .Values.global.image.beacon | first ).repository }}:{{ (pluck .Values.beacon.client .Values.global.image.beacon | first ).tag }}"
           imagePullPolicy: {{ .Values.global.image.imagePullPolicy }}
           securityContext:
-            readOnlyRootFilesystem: false
-            runAsNonRoot: true
-            runAsUser: 10000
-            capabilities:
-              drop:
-              - ALL
+            {{- toYaml .Values.global.securityContext | nindent 12 }}
           {{/* Configuration for Prysm beacon client */}}
           {{- if eq .Values.beacon.client "prysm" }}
           args: 

diff --git a/charts/execution-beacon/values.yaml b/charts/execution-beacon/values.yaml
@@ -251,6 +251,7 @@ global:
     readOnlyRootFilesystem: true
     runAsNonRoot: true
     runAsUser: 10000
+    allowPrivilegeEscalation: false
     capabilities:
       drop:
       - ALL

diff --git a/charts/lodestar/values.yaml b/charts/lodestar/values.yaml
@@ -40,18 +40,22 @@ serviceAccount:
 
 podAnnotations: {}
 
+## Pod Security Context
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+##
 podSecurityContext:
-  {}
-  # fsGroup: 2000
-
+  runAsNonRoot: true
+  runAsUser: 10000
+  fsGroup: 10000
+
 securityContext:
-  {}
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 10000
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+    - ALL
 
 service:
   type: ClusterIP

diff --git a/charts/mev-boost/templates/deployment.yaml b/charts/mev-boost/templates/deployment.yaml
@@ -20,6 +20,7 @@ spec:
       labels:
         {{- include "common.labels.matchLabels" . | nindent 8 }}
     spec:
+      automountServiceAccountToken: false
       {{- with (concat .Values.imagePullSecrets .Values.global.imagePullSecrets) }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}

diff --git a/charts/mev-boost/values.yaml b/charts/mev-boost/values.yaml
@@ -25,6 +25,7 @@ global:
     readOnlyRootFilesystem: true
     runAsNonRoot: true
     runAsUser: 10000
+    allowPrivilegeEscalation: false
     capabilities:
       drop:
       - ALL

diff --git a/charts/posmoni/templates/statefulset.yaml b/charts/posmoni/templates/statefulset.yaml
@@ -19,6 +19,7 @@ spec:
       labels:
         {{- include "common.labels.matchLabels" . | nindent 8 }}
     spec:
+      automountServiceAccountToken: false
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/charts/posmoni/values.yaml b/charts/posmoni/values.yaml
@@ -36,15 +36,19 @@ podAnnotations: {}
 ## Pod Security Context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 ##
-podSecurityContext: {}
+podSecurityContext:
+  runAsNonRoot: true
+  runAsUser: 10000
+  fsGroup: 10000
 
-securityContext: {}
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
+securityContext:
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 10000
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+    - ALL
 
 service:
   type: ClusterIP

diff --git a/charts/validator-ejector/templates/statefulset.yaml b/charts/validator-ejector/templates/statefulset.yaml
@@ -19,6 +19,7 @@ spec:
       labels:
         {{- include "common.labels.matchLabels" . | nindent 8 }}
     spec:
+      automountServiceAccountToken: false
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -37,14 +38,13 @@ spec:
       {{- end }}
       serviceAccountName: {{ include "ejector.serviceAccountName" . }}
       securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+        {{- toYaml .Values.global.podSecurityContext | nindent 8 }}
       containers:
         - name: loader
           image: "{{ .Values.global.loader.repository }}:{{ .Values.global.loader.tag }}"
           imagePullPolicy: {{ .Values.global.loader.pullPolicy }}
           securityContext:
-            runAsNonRoot: false
-            runAsUser: 0
+            {{- toYaml .Values.global.securityContext | nindent 12 }}
           env:
             - name: EIP2335_PASSWORD
               valueFrom:
@@ -107,7 +107,7 @@ spec:
 #              mountPath: /data
         - name: {{ .Chart.Name }}
           securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
+            {{- toYaml .Values.global.securityContext | nindent 12 }}
           image: "{{ .Values.global.image.repository }}:{{ .Values.global.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.global.image.pullPolicy }}
           env:

diff --git a/charts/validator-ejector/values.yaml b/charts/validator-ejector/values.yaml
@@ -118,13 +118,22 @@ persistence:
   size: 5Gi
   annotations: {}
 
-securityContext: {}
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
+## Pod Security Context
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+##
+podSecurityContext:
+  runAsNonRoot: true
+  runAsUser: 10000
+  fsGroup: 10000
+
+securityContext:
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 10000
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+    - ALL
 
 service:
   type: ClusterIP

diff --git a/charts/validator-kapi/templates/statefulset.yaml b/charts/validator-kapi/templates/statefulset.yaml
@@ -19,6 +19,7 @@ spec:
       labels:
         {{- include "common.labels.matchLabels" . | nindent 8 }}
     spec:
+      automountServiceAccountToken: false
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -37,11 +38,11 @@ spec:
       {{- end }}
       serviceAccountName: {{ include "kapi.serviceAccountName" . }}
       securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+        {{- toYaml .Values.global.podSecurityContext | nindent 8 }}
       containers:
         - name: {{ .Chart.Name }}
           securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
+            {{- toYaml .Values.global.securityContext | nindent 12 }}
           image: "{{ .Values.global.image.repository }}:{{ .Values.global.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.global.image.pullPolicy }}
           env:

diff --git a/charts/validator-kapi/values.yaml b/charts/validator-kapi/values.yaml
@@ -38,6 +38,23 @@ global:
     pullPolicy: IfNotPresent
     tag: "0.10.1"
 
+  ## Pod Security Context
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+  ##
+  podSecurityContext:
+    runAsNonRoot: true
+    runAsUser: 10000
+    fsGroup: 10000
+
+  securityContext:
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    runAsUser: 10000
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
+
 kapi:
   env: "production"
   # Application port
@@ -95,6 +112,7 @@ securityContext: {}
   # readOnlyRootFilesystem: true
   # runAsNonRoot: true
   # runAsUser: 1000
+  # allowPrivilegeEscalation: false
 
 service:
   type: ClusterIP

diff --git a/charts/validators/templates/statefulset.yaml b/charts/validators/templates/statefulset.yaml
@@ -45,6 +45,7 @@ spec:
       annotations:
         checksum/configmap: {{ include (print $root.Template.BasePath "/configmap.yaml") $root | sha256sum }}
     spec:
+      automountServiceAccountToken: false
       {{- with (concat $root.Values.imagePullSecrets $root.Values.global.imagePullSecrets) }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
@@ -164,12 +165,7 @@ spec:
           image: "{{ (pluck $root.Values.type $root.Values.image | first ).repository }}:{{ (pluck $root.Values.type $root.Values.image | first ).tag }}"
           imagePullPolicy: {{ $root.Values.image.pullPolicy }}
           securityContext:
-            readOnlyRootFilesystem: false
-            runAsNonRoot: true
-            runAsUser: 10000
-            capabilities:
-              drop:
-              - ALL
+            {{- toYaml $root.Values.global.securityContext | nindent 12 }}
           {{- if eq $root.Values.type "lodestar" }}
           command:
             - sh

diff --git a/charts/validators/values.yaml b/charts/validators/values.yaml
@@ -19,6 +19,7 @@ global:
     readOnlyRootFilesystem: true
     runAsNonRoot: true
     runAsUser: 10000
+    allowPrivilegeEscalation: false
     capabilities:
       drop:
       - ALL

diff --git a/charts/vouch/templates/statefulset.yaml b/charts/vouch/templates/statefulset.yaml
@@ -20,6 +20,7 @@ spec:
       labels:
         {{- include "common.labels.matchLabels" . | nindent 8 }}
     spec:
+      automountServiceAccountToken: false
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -74,6 +75,7 @@ spec:
             runAsUser: {{ .Values.global.securityContext.runAsUser | default 10000 }}
             fsGroup: {{ .Values.global.securityContext.fsGroup | default 10000 }}
             readOnlyRootFilesystem: {{ .Values.global.securityContext.readOnlyRootFilesystem | default true }}
+            allowPrivilegeEscalation: {{ .Values.global.securityContext.allowPrivilegeEscalation | default false }}
             capabilities:
               drop:
                 - ALL
@@ -104,6 +106,7 @@ spec:
             runAsUser: {{ .Values.global.securityContext.runAsUser | default 10000 }}
             fsGroup: {{ .Values.global.securityContext.fsGroup | default 10000 }}
             readOnlyRootFilesystem: {{ .Values.global.securityContext.readOnlyRootFilesystem | default true }}
+            allowPrivilegeEscalation: {{ .Values.global.securityContext.allowPrivilegeEscalation | default false }}
             capabilities:
               drop:
                 - ALL

diff --git a/charts/vouch/values.yaml b/charts/vouch/values.yaml
@@ -140,6 +140,7 @@ securityContext: {}
   # readOnlyRootFilesystem: true
   # runAsNonRoot: true
   # runAsUser: 1000
+  # allowPrivilegeEscalation: false
 
 service:
   type: ClusterIP

diff --git a/charts/web3signer/templates/statefulset.yaml b/charts/web3signer/templates/statefulset.yaml
@@ -19,6 +19,7 @@ spec:
       labels:
         {{- include "common.labels.matchLabels" . | nindent 8 }}
     spec:
+      automountServiceAccountToken: false
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -87,12 +88,7 @@ spec:
       containers:
         - name: {{ .Chart.Name }}
           securityContext:
-            readOnlyRootFilesystem: false
-            runAsNonRoot: true
-            runAsUser: 10000
-            capabilities:
-              drop:
-              - ALL
+            {{- toYaml .Values.global.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           args:

diff --git a/charts/web3signer/values.yaml b/charts/web3signer/values.yaml
@@ -18,6 +18,7 @@ global:
     readOnlyRootFilesystem: true
     runAsNonRoot: true
     runAsUser: 10000
+    allowPrivilegeEscalation: false
     capabilities:
       drop:
       - ALL