Merge pull request #547 from harrison-tin/helm-settings

Ensure Akri's Helm templates use the most restrictive settings suggested by Snyk report
project-akri · Feb 23, 2023 · c423c6e · c423c6e
2 parents f2c69bd + 69c51c5
commit c423c6e
Show file tree

Hide file tree

Showing 20 changed files with 55 additions and 33 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/agent/Cargo.toml b/agent/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "agent"
-version = "0.9.1"
+version = "0.9.2"
 authors = ["Kate Goldenring <[email protected]>", "<[email protected]>"]
 edition = "2018"
 rust-version = "1.63.0"

diff --git a/controller/Cargo.toml b/controller/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "controller"
-version = "0.9.1"
+version = "0.9.2"
 authors = ["<[email protected]>", "<[email protected]>"]
 edition = "2018"
 rust-version = "1.63.0"

diff --git a/deployment/helm/Chart.yaml b/deployment/helm/Chart.yaml
@@ -15,9 +15,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.9.1
+version: 0.9.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 0.9.1
+appVersion: 0.9.2
diff --git a/deployment/helm/values.yaml b/deployment/helm/values.yaml
@@ -51,7 +51,14 @@ controller:
     # with `-dev` added if `useDevelopmentContainers` is specified
     tag:
     # pullPolicy is the Akri Controller pull policy
-    pullPolicy: ""
+    pullPolicy: "Always"
+  # ensures container doesn't run with unnecessary priviledges
+  securityContext:
+    allowPrivilegeEscalation: false
+    runAsNonRoot: true
+    readOnlyRootFilesystem: true
+    capabilities:
+      drop: ["ALL"]
   # onlyOnControlPlane dictates whether the Akri Controller will only run on nodes with 
   # the label with (key, value) of ("node-role.kubernetes.io/master", "")
   onlyOnControlPlane: false
@@ -91,7 +98,10 @@ agent:
     tag:
     # pullPolicy is the Akri Agent pull policy
     pullPolicy: ""
-  securityContext: {}
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop: ["ALL"]
   host:
     # discoveryHandlers is the location of Akri Discovery Handler sockets and
     # the agent registration service

diff --git a/deployment/samples/akri-anomaly-detection-app.yaml b/deployment/samples/akri-anomaly-detection-app.yaml
@@ -16,6 +16,12 @@ spec:
       - name: akri-anomaly-detection-app
         image: ghcr.io/project-akri/akri/anomaly-detection-app:latest-dev
         imagePullPolicy: Always
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsNonRoot: true
+          readOnlyRootFilesystem: true
+          capabilities:
+            drop: ["ALL"]
         env:
         - name: CONFIGURATION_NAME
           value: akri-opcua-monitoring

diff --git a/deployment/samples/akri-video-streaming-app.yaml b/deployment/samples/akri-video-streaming-app.yaml
@@ -17,6 +17,12 @@ spec:
       - name: akri-video-streaming-app
         image: ghcr.io/project-akri/akri/video-streaming-app:latest-dev
         imagePullPolicy: Always
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsNonRoot: true
+          readOnlyRootFilesystem: true
+          capabilities:
+            drop: ["ALL"]
         env:
         # Streamer works in two modes; either specify the following commented
         # block of env vars to explicitly target cameras (update the <id>s for

diff --git a/discovery-handler-modules/debug-echo-discovery-handler/Cargo.toml b/discovery-handler-modules/debug-echo-discovery-handler/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "debug-echo-discovery-handler"
-version = "0.9.1"
+version = "0.9.2"
 authors = ["Kate Goldenring <[email protected]>"]
 edition = "2018"
 rust-version = "1.63.0"

diff --git a/discovery-handler-modules/onvif-discovery-handler/Cargo.toml b/discovery-handler-modules/onvif-discovery-handler/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "onvif-discovery-handler"
-version = "0.9.1"
+version = "0.9.2"
 authors = ["Kate Goldenring <[email protected]>"]
 edition = "2018"
 rust-version = "1.63.0"

diff --git a/discovery-handler-modules/opcua-discovery-handler/Cargo.toml b/discovery-handler-modules/opcua-discovery-handler/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "opcua-discovery-handler"
-version = "0.9.1"
+version = "0.9.2"
 authors = ["Kate Goldenring <[email protected]>"]
 edition = "2018"
 rust-version = "1.63.0"

diff --git a/discovery-handler-modules/udev-discovery-handler/Cargo.toml b/discovery-handler-modules/udev-discovery-handler/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "udev-discovery-handler"
-version = "0.9.1"
+version = "0.9.2"
 authors = ["Kate Goldenring <[email protected]>"]
 edition = "2018"
 rust-version = "1.63.0"

diff --git a/discovery-handlers/debug-echo/Cargo.toml b/discovery-handlers/debug-echo/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "akri-debug-echo"
-version = "0.9.1"
+version = "0.9.2"
 authors = ["Kate Goldenring <[email protected]>"]
 edition = "2018"
 rust-version = "1.63.0"

diff --git a/discovery-handlers/onvif/Cargo.toml b/discovery-handlers/onvif/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "akri-onvif"
-version = "0.9.1"
+version = "0.9.2"
 authors = ["Kate Goldenring <[email protected]>"]
 edition = "2018"
 rust-version = "1.63.0"

diff --git a/discovery-handlers/opcua/Cargo.toml b/discovery-handlers/opcua/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "akri-opcua"
-version = "0.9.1"
+version = "0.9.2"
 authors = ["Kate Goldenring <[email protected]>"]
 edition = "2018"
 rust-version = "1.63.0"

diff --git a/discovery-handlers/udev/Cargo.toml b/discovery-handlers/udev/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "akri-udev"
-version = "0.9.1"
+version = "0.9.2"
 authors = ["Kate Goldenring <[email protected]>"]
 edition = "2018"
 rust-version = "1.63.0"

diff --git a/discovery-utils/Cargo.toml b/discovery-utils/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "akri-discovery-utils"
-version = "0.9.1"
+version = "0.9.2"
 authors = ["Kate Goldenring <[email protected]>"]
 edition = "2018"
 rust-version = "1.63.0"

diff --git a/samples/brokers/udev-video-broker/Cargo.toml b/samples/brokers/udev-video-broker/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "udev-video-broker"
-version = "0.9.1"
+version = "0.9.2"
 authors = ["Kate Goldenring <[email protected]>", "<[email protected]>"]
 edition = "2018"
 rust-version = "1.63.0"

diff --git a/shared/Cargo.toml b/shared/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "akri-shared"
-version = "0.9.1"
+version = "0.9.2"
 authors = ["<[email protected]>"]
 edition = "2018"
 rust-version = "1.63.0"

diff --git a/version.txt b/version.txt
@@ -1 +1 @@
-0.9.1
+0.9.2
diff --git a/webhooks/validating/configuration/Cargo.toml b/webhooks/validating/configuration/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "webhook-configuration"
-version = "0.9.1"
+version = "0.9.2"
 authors = ["DazWilkin <[email protected]>"]
 edition = "2018"
 rust-version = "1.63.0"