From 7e2dd2d49e43652f889259309a3135f4912467f8 Mon Sep 17 00:00:00 2001
From: Brendan Galloway
Date: Fri, 19 May 2023 11:42:54 +0200
Subject: [PATCH 1/2] feat: make privilege levels selectable in values file

---
 chart/templates/_helpers.tpl | 18 ++++++++++++++++++
 chart/templates/deployment.yaml | 25 +++++++------------------
 chart/values.yaml | 6 ++++++
 3 files changed, 31 insertions(+), 18 deletions(-)

diff --git a/chart/templates/_helpers.tpl b/chart/templates/_helpers.tpl
index 4e6ce7e6f..1c05c8660 100644
--- a/chart/templates/_helpers.tpl
+++ b/chart/templates/_helpers.tpl
@@ -57,3 +57,21 @@ Image Name
 {{- define "canary-checker.imageString" -}}
 {{ .Values.image.repository }}{{- if eq (lower .Values.image.type) "full" }}-full{{- end }}:{{ .Values.image.tag }}
 {{- end }}
+
+{{/*
+Container Security Context
+*/}}
+{{- define "canary-checker.containerSecurityContext" -}}
+allowPrivilegeEscalation: {{- if -eq (.Values.privilegeMode | toLower) "privileged"}}true{{- else }}false{{-end}}
+{{- if has (.Values.privilegeMode | toLower) ( list "privileged" "root" ) }}
+runAsUser: 0
+runAsGroup: 0
+fsGroup: 0
+{{- if -eq (.Values.privilegeMode | toLower) "privileged"}}
+capabilities:
+ add:
+ - CAP_NET_RAW
+{{- end }}
+{{- end }}
+{{- end }}
+
diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml
index 4632bc851..83aab0c76 100644
--- a/chart/templates/deployment.yaml
+++ b/chart/templates/deployment.yaml
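Review bot: `fsGroup: 0` in the new `canary-checker.containerSecurityContext` helper is not a field of the container-level SecurityContext (only PodSecurityContext has it), and deployment.yaml includes this helper under the container's `securityContext:`, so in `root`/`privileged` mode the rendered manifest carries an unknown field that strict server-side validation rejects and lenient validation silently drops. The `unprivileged` branch emits only `allowPrivilegeEscalation: false`; nothing in the helper asserts a non-root user, so an image whose `USER` is root still runs as root while the values comment promises otherwise. I would drop `fsGroup: 0` here (or move it to a pod-level block) and give the outer `if` an else branch before its closing `{{- end }}`: `{{- else }}` / `runAsNonRoot: true`, which makes the API server enforce the documented guarantee rather than the image.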
@@ -6,21 +6,18 @@ kind: Deployment
 {{- end }}
 metadata:
 name: {{ include "canary-checker.name" . }}
- labels:
- {{- include "canary-checker.labels" . | nindent 4 }}
+ labels: {{- include "canary-checker.labels" . | nindent 4 }}
 spec:
 replicas: {{ .Values.replicas }}
 selector:
- matchLabels:
- {{- include "canary-checker.selectorLabels" . | nindent 6 }}
+ matchLabels: {{- include "canary-checker.selectorLabels" . | nindent 6 }}
 {{- if eq .Values.db.external.enabled false }}
 {{- if eq .Values.db.embedded.persist true }}
 serviceName: {{ include "canary-checker.fullname" . }}
 volumeClaimTemplates:
 - metadata:
 name: canarychecker-database
- labels:
- {{- include "canary-checker.labels" . | nindent 10 }}
+ labels: {{- include "canary-checker.labels" . | nindent 10 }}
 spec:
 storageClassName: {{ .Values.db.embedded.storageClass }}
 accessModes: ["ReadWriteOnce"]
@@ -31,8 +28,7 @@ spec:
 {{- end }}
 template:
 metadata:
- labels:
- {{- include "canary-checker.selectorLabels" . | nindent 8 }}
+ labels: {{- include "canary-checker.selectorLabels" . | nindent 8 }}
 spec:
 serviceAccountName: {{ include "canary-checker.fullname" . }}-sa
 volumes:
@@ -58,15 +54,9 @@ spec:
 - path: "labels"
 fieldRef:
 fieldPath: metadata.labels
- securityContext:
- fsGroup: 1000
 containers:
 - name: {{ include "canary-checker.name" . }}
- securityContext:
- allowPrivilegeEscalation: {{.Values.allowPrivilegeEscalation}}
- capabilities:
- add:
- - CAP_NET_RAW
+ securityContext: {{- include "canary-checker.containerSecurityContext" . | nindent 12 }}
 image: {{ include "canary-checker.imageString" . }}
 imagePullPolicy: "{{ .Values.image.pullPolicy }}"
 env:
@@ -109,8 +99,7 @@ spec:
 - "8080"
 - --disable-postgrest={{ .Values.disablePostgrest }}
 - --db-migrations={{ .Values.db.runMigrations }}
- resources:
- {{- toYaml .Values.resources | nindent 12 }}
+ resources: {{- toYaml .Values.resources | nindent 12 }}
 livenessProbe:
 httpGet:
 path: /health
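Review bot: The pod-level `securityContext:` / `fsGroup: 1000` removed at the top of the `@@ -58,15 +54,9 @@` hunk has no pod-level replacement: the helper the container now includes is rendered under the container's own `securityContext:`, and `fsGroup` is not a field of the container SecurityContext (only of PodSecurityContext), so the `canarychecker-database` volume claimed earlier in this file no longer receives a supplemental group. If the image runs as a non-root uid, which the default `unprivileged` mode presumably relies on, that volume may now be unwritable on a fresh install — worth confirming. I would keep a pod-level block keyed on the same value, e.g. `securityContext:` / `  fsGroup: {{ ternary 0 1000 (has (lower .Values.privilegeMode) (list "root" "privileged")) }}`. The pod template continues outside this hunk.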
@@ -120,5 +109,5 @@ spec:
 path: /health
 port: 8080
 {{- with .Values.extra }}
- {{- toYaml . | nindent 6 }}
+ {{- toYaml . | indent 6 }}
 {{- end }}
diff --git a/chart/values.yaml b/chart/values.yaml
index ccd076f40..8ab0f3f71 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -23,6 +23,12 @@ disablePostgrest: false
 debug: false
 logLevel: "-v"
 
+## Options: unprivileged | root | privileged
+## unprivileged: runs as noot root user, cannot escalate permissions
+## root: runs as root user, cannot escalate permissions. Required to run ping checks
+## privileged: runs as root user, may escalate CAP_NET_RAW. Required to run docker and container checks
+privilegeMode: unprivileged
+
 db:
 runMigrations: false
 embedded:

From 68096945fcd182be94067031d9f2b9f1b443204d Mon Sep 17 00:00:00 2001
From: Brendan Galloway
Date: Tue, 23 May 2023 09:57:51 +0200
Subject: [PATCH 2/2] fix: linting errors

---
 chart/templates/_helpers.tpl | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/chart/templates/_helpers.tpl b/chart/templates/_helpers.tpl
index 1c05c8660..eabcccb79 100644
--- a/chart/templates/_helpers.tpl
+++ b/chart/templates/_helpers.tpl
@@ -62,12 +62,12 @@ Image Name
 Container Security Context
 */}}
 {{- define "canary-checker.containerSecurityContext" -}}
-allowPrivilegeEscalation: {{- if -eq (.Values.privilegeMode | toLower) "privileged"}}true{{- else }}false{{-end}}
-{{- if has (.Values.privilegeMode | toLower) ( list "privileged" "root" ) }}
+allowPrivilegeEscalation: {{- if eq ( lower .Values.privilegeMode ) "privileged" }}true{{- else }}false{{- end }}
+{{- if has ( lower .Values.privilegeMode) ( list "privileged" "root" ) }}
 runAsUser: 0
 runAsGroup: 0
 fsGroup: 0
-{{- if -eq (.Values.privilegeMode | toLower) "privileged"}}
+{{- if eq ( lower .Values.privilegeMode ) "privileged" }}
 capabilities:
 add:
 - CAP_NET_RAW
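Review bot: Swapping `nindent 6` for `indent 6` while keeping the `{{-` trim on the same action glues the first line of `toYaml .Values.extra` onto whatever precedes `{{- with .Values.extra }}` — the `port: 8080` context line above it — because `indent` adds no leading newline and the `{{-` has already removed the one the template contained; `nindent` was supplying it. Unless `.Values.extra` is expected to stay empty, the rendered pod spec is no longer parseable YAML. I would restore `{{- toYaml . | nindent 6 }}`; if a linter objected to that form, the cause is worth stating in the commit message.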
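Review bot: The comment on the new `privilegeMode` key reads `runs as noot root user`, a typo for non-root, and `may escalate CAP_NET_RAW` understates `privileged`, which in the helper both adds NET_RAW and sets `allowPrivilegeEscalation: true`; the helper also sets no `runAsNonRoot`, so `unprivileged` presumably depends on the image's `USER`. Suggested lines: `## unprivileged: runs as the image's non-root user, cannot escalate privileges (no runAsNonRoot is enforced)` and `## privileged: runs as root with allowPrivilegeEscalation enabled and CAP_NET_RAW added. Required for docker and container checks`. The deployment no longer reads `.Values.allowPrivilegeEscalation`; if that key is still declared in values.yaml (not visible in this hunk) it should be removed or rejected so user overrides of it do not silently no-op.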
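Review bot: `allowPrivilegeEscalation: {{- if eq ( lower .Values.privilegeMode ) "privileged" }}` keeps the `{{-` marker, which trims the space after the colon, so the helper renders `allowPrivilegeEscalation:false` — a plain YAML scalar, not a key/value pair; in the default mode the container's `securityContext` becomes the string `allowPrivilegeEscalation:false`, and in `root`/`privileged` mode that scalar followed by `runAsUser: 0` is a YAML parse error. `eq` already yields a printable bool, so `allowPrivilegeEscalation: {{ eq $mode "privileged" }}` with no dash fixes it and drops the if/else. Separately, any value outside the three documented modes (a typo, or a `null` override, on which `lower` will presumably error) falls through to the unprivileged branch with no render-time signal, so binding the mode once and failing on unknown values is worth the few lines below. The define's closing `{{- end }}` lines are outside this hunk.

```yaml
{{- define "canary-checker.containerSecurityContext" -}}
{{- $mode := lower (.Values.privilegeMode | default "unprivileged") }}
{{- if not (has $mode (list "unprivileged" "root" "privileged")) }}
{{- fail (printf "privilegeMode %q is not one of unprivileged, root, privileged" .Values.privilegeMode) }}
{{- end -}}
allowPrivilegeEscalation: {{ eq $mode "privileged" }}
{{- if has $mode (list "privileged" "root") }}
{{/* … unchanged: runAsUser / runAsGroup / fsGroup … */}}
{{- if eq $mode "privileged" }}
{{/* … unchanged: capabilities block … */}}
```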