Merge pull request #10 from ericsson-iap/vulnerabilityFixes

Update charts to mitigate vulnerabilities
ericsson-iap · Sep 27, 2024 · be0a4ac · be0a4ac
2 parents dfff5b7 + b649ead
commit be0a4ac
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 0 deletions.
diff --git a/charts/eric-oss-hello-world-python-app/templates/_helpers.tpl b/charts/eric-oss-hello-world-python-app/templates/_helpers.tpl
@@ -150,6 +150,40 @@ Timezone variable
 {{- print $timezone | quote -}}
 {{- end -}}
 
+{{/*
+Create container level annotations (apparmorProfile - DR-D1123-127)
+*/}}
+{{- define "eric-oss-hello-world-python-app.container-annotations" }}
+    {{- if .Values.appArmorProfile -}}
+    {{- $appArmorValue := .Values.appArmorProfile.type -}}
+        {{- if .Values.appArmorProfile.type -}}
+            {{- if eq .Values.appArmorProfile.type "localhost" -}}
+                {{- $appArmorValue = printf "%s/%s" .Values.appArmorProfile.type .Values.appArmorProfile.localhostProfile }}
+            {{- end}}
+container.apparmor.security.beta.kubernetes.io/eric-oss-hello-world-python-app: {{ $appArmorValue | quote }}
+        {{- end}}
+    {{- end}}
+{{- end}}
+
+{{/*
+Seccomp profile section (DR-1123-128)
+*/}}
+{{- define "eric-oss-hello-world-python-app.seccomp-profile" }}
+    {{- if .Values.seccompProfile }}
+      {{- if .Values.seccompProfile.type }}
+          {{- if eq .Values.seccompProfile.type "Localhost" }}
+              {{- if .Values.seccompProfile.localhostProfile }}
+seccompProfile:
+  type: {{ .Values.seccompProfile.type }}
+  localhostProfile: {{ .Values.seccompProfile.localhostProfile }}
+            {{- end }}
+          {{- else }}
+seccompProfile:
+  type: {{ .Values.seccompProfile.type }}
+          {{- end }}
+        {{- end }}
+    {{- end }}
+{{- end }}
 
 {{/*
 Create image repo path

diff --git a/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml b/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml
@@ -36,11 +36,13 @@ spec:
         app.kubernetes.io/instance: {{ .Release.Name }}
         service.cleartext/scraping: "true"
       annotations:
+      {{- $container := include "eric-oss-hello-world-python-app.container-annotations" . | fromYaml }}
         prometheus.io/port: "{{ .Values.service.port }}"
         prometheus.io/scrape: "{{ .Values.prometheus.scrape }}"
         prometheus.io/path: "{{ .Values.prometheus.path }}"
 {{- include "eric-oss-hello-world-python-app.product-info" . | indent 8 }}
     spec:
+      automountServiceAccountToken: false
       {{- if (index .Values "podPriority" "eric-oss-hello-world-python-app" "priorityClassName") }}
       priorityClassName: {{ (index .Values "podPriority" "eric-oss-hello-world-python-app" "priorityClassName") }}
       {{- end }}
@@ -71,6 +73,7 @@ spec:
             capabilities:
               drop:
               - all
+            {{- include "eric-oss-hello-world-python-app.seccomp-profile" . | indent 12 }}
           volumeMounts:
             - name: config-volume
               mountPath: /etc/adp

diff --git a/charts/eric-oss-hello-world-python-app/values.yaml b/charts/eric-oss-hello-world-python-app/values.yaml
@@ -29,6 +29,18 @@ replicaCount: 1
 nameOverride: ""
 fullnameOverride: ""
 
+# choice='unconfined, runtime/default, localhost' [ default= ""]
+# Configuration of AppArmor profile type. The following values are possible:
+# unconfined  - Indicates that there is no profile loaded.
+# runtime/default - Applies the default profile of the container engine.
+# localhost   - Applies a specific profile loaded on the host
+appArmorProfile:
+  type: ""
+  localhostProfile:
+seccompProfile:
+  type: "RuntimeDefault"
+  localhostProfile:
+
 service:
   type: ClusterIP
   port: 8050