Fix security concerns

Signed-off-by: QuentinBisson <[email protected]>
giantswarm · Jun 27, 2023 · 679eb61 · 679eb61
1 parent 898dd5d
commit 679eb61
Show file tree

Hide file tree

Showing 4 changed files with 58 additions and 66 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project's packages adheres to [Semantic Versioning](http://semver.org/s
 
 ## [Unreleased]
 
+### Fixed
+
+- Fix security concerns.
+
 ## [1.2.0] - 2023-06-27
 
 ### Added

diff --git a/helm/sloth/templates/kyverno-policy-exception.yaml b/helm/sloth/templates/kyverno-policy-exception.yaml
diff --git a/helm/sloth/values.schema.json b/helm/sloth/values.schema.json
@@ -93,17 +93,6 @@
         "imagePullSecrets": {
             "type": "array"
         },
-        "kyvernoPolicyExceptions": {
-            "type": "object",
-            "properties": {
-                "enabled": {
-                    "type": "boolean"
-                },
-                "namespace": {
-                    "type": "string"
-                }
-            }
-        },
         "labels": {
             "type": "object"
         },
@@ -149,10 +138,50 @@
             "type": "object",
             "properties": {
                 "container": {
-                    "type": "null"
+                    "type": "object",
+                    "properties": {
+                        "allowPrivilegeEscalation": {
+                            "type": "boolean"
+                        },
+                        "capabilities": {
+                            "type": "object",
+                            "properties": {
+                                "drop": {
+                                    "type": "array",
+                                    "items": {
+                                        "type": "string"
+                                    }
+                                }
+                            }
+                        },
+                        "seccompProfile": {
+                            "type": "object",
+                            "properties": {
+                                "type": {
+                                    "type": "string"
+                                }
+                            }
+                        }
+                    }
                 },
                 "pod": {
-                    "type": "null"
+                    "type": "object",
+                    "properties": {
+                        "runAsNonRoot": {
+                            "type": "boolean"
+                        },
+                        "runAsUser": {
+                            "type": "integer"
+                        },
+                        "seccompProfile": {
+                            "type": "object",
+                            "properties": {
+                                "type": {
+                                    "type": "string"
+                                }
+                            }
+                        }
+                    }
                 }
             }
         },

diff --git a/helm/sloth/values.yaml b/helm/sloth/values.yaml
@@ -70,15 +70,15 @@ customSloConfig:
 #     effect: NoSchedule
 
 securityContext:
-  pod: null
-  #   fsGroup: 100
-  #   runAsGroup: 1000
-  #   runAsNonRoot: true
-  #   runAsUser: 100
-  container: null
-  #   allowPrivilegeEscalation: false
-
-# Enable Kyverno PolicyException
-kyvernoPolicyExceptions:
-  enabled: true
-  namespace: giantswarm
+  pod:
+    runAsNonRoot: true
+    runAsUser: 65534
+    seccompProfile:
+      type: RuntimeDefault
+  container:
+    allowPrivilegeEscalation: false
+    seccompProfile:
+      type: RuntimeDefault
+    capabilities:
+      drop:
+        - ALL