added some security basic rules

Signed-off-by: Sylvain Hellegouarch <[email protected]>

CHANGELOG.md

@@ -1,12 +1,13 @@
 # Changelog
-All notable changes to this project will be documented in this file.
 
-The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
-and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased][]
 
-[Unreleased]: https://github.com/chaostoolkit-incubator/kubernetes-crd/compare/0.7.0...HEAD
+[Unreleased]: https://github.com/chaostoolkit-incubator/kubernetes-crd/compare/0.8.0...HEAD
+
+## [0.8.0][] - 2024-03-25
+
+[0.8.0]: https://github.com/chaostoolkit-incubator/kubernetes-crd/compare/0.7.0...0.8.0
 
 ### Changed
 
@@ -15,6 +16,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 * Removed Pod Security Policy support since they have been deprecated some time
   ago now
 * Switched base image of the container to `ubuntu`
+* Added a security context block to the deployment of the crd and the
+  chaostoolkit pods
+* Added a topology spread constraint block to the deployment of the crd and the
+  chaostoolkit pods
 
 ## [0.7.0][] - 2022-03-09
 

manifests/base/common/configmap.yaml

@@ -72,9 +72,17 @@ data:
       name: chaostoolkit
       labels:
         app: chaostoolkit
+        app.kubernetes.io/name: chaostoolkit
     spec:
       restartPolicy: Never
       serviceAccountName: chaostoolkit
+      topologySpreadConstraints:
+      - maxSkew: 1
+        topologyKey: topology.kubernetes.io/zone
+        whenUnsatisfiable: ScheduleAnyway
+        labelSelector:
+          matchLabels:
+            app.kubernetes.io/name: chaostoolkit
       containers:
       - name: chaostoolkit
         image: chaostoolkit/chaostoolkit
@@ -107,6 +115,10 @@ data:
           mountPath: /home/svc/experiment.json
           subPath: experiment.json
           readOnly: true
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: false
+          runAsNonRoot: true
       volumes:
       - name: chaostoolkit-settings
         secret:

manifests/base/common/deployment.yaml

@@ -7,16 +7,28 @@ spec:
   replicas: 1
   selector:
     matchLabels:
-      app: chaostoolkit
+      app.kubernetes.io/name: chaostoolkit
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
+      maxSurge: 1
   template:
     metadata:
       labels:
         app: chaostoolkit
     spec:
       serviceAccountName: chaostoolkit-crd
+      topologySpreadConstraints:
+      - maxSkew: 1
+        topologyKey: topology.kubernetes.io/zone
+        whenUnsatisfiable: ScheduleAnyway
+        labelSelector:
+          matchLabels:
+            app.kubernetes.io/name: chaostoolkit
       containers:
       - name: crd
-        image: lawouach/k8scrd:latest
+        image: chaostoolkit/k8scrd:latest
         imagePullPolicy: Always
         command:
         - kopf
@@ -28,8 +40,13 @@ spec:
         - controller.py
         resources:
           requests:
-            memory: "64Mi"
+            memory: "128Mi"
             cpu: "100m"
           limits:
-            memory: "64Mi"
+            memory: "128Mi"
             cpu: "100m"
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 1001

manifests/overlays/generic-rbac-podsec-netsec/kustomization.yaml

@@ -3,10 +3,14 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 #namespace: chaostoolkit-crd
 
-commonLabels:
-  role: chaosengineering
-  provider: chaostoolkit
-  app: chaostoolkit-crd
+labels:
+  - pairs:
+      role: chaosengineering
+      provider: chaostoolkit
+      app: chaostoolkit-crd
+      app.kubernetes.io/name: chaostoolkit
+    includeSelectors: true
+    includeTemplates: true
 
 resources:
 - ns.yaml

manifests/overlays/generic-rbac-podsec/kustomization.yaml

@@ -3,10 +3,14 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 #namespace: chaostoolkit-crd
 
-commonLabels:
-  role: chaosengineering
-  provider: chaostoolkit
-  app: chaostoolkit-crd
+labels:
+  - pairs:
+      role: chaosengineering
+      provider: chaostoolkit
+      app: chaostoolkit-crd
+      app.kubernetes.io/name: chaostoolkit
+    includeSelectors: true
+    includeTemplates: true
 
 resources:
 - ns.yaml

manifests/overlays/generic-rbac/kustomization.yaml

@@ -3,10 +3,14 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 #namespace: chaostoolkit-crd
 
-commonLabels:
-  role: chaosengineering
-  provider: chaostoolkit
-  app: chaostoolkit-crd
+labels:
+  - pairs:
+      role: chaosengineering
+      provider: chaostoolkit
+      app: chaostoolkit-crd
+      app.kubernetes.io/name: chaostoolkit
+    includeSelectors: true
+    includeTemplates: true
 
 resources:
 - ns.yaml

manifests/overlays/generic/kustomization.yaml

@@ -3,10 +3,14 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 #namespace: chaostoolkit-crd
 
-commonLabels:
-  role: chaosengineering
-  provider: chaostoolkit
-  app: chaostoolkit-crd
+labels:
+  - pairs:
+      role: chaosengineering
+      provider: chaostoolkit
+      app: chaostoolkit-crd
+      app.kubernetes.io/name: chaostoolkit
+    includeSelectors: true
+    includeTemplates: true
 
 resources:
 - ns.yaml