Added configurable securityContext and follow restricted PSS

charts/connect/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: connect
-version: 1.16.0
+version: 1.17.0
 description: A Helm chart for deploying 1Password Connect and the 1Password Connect Kubernetes Operator
 keywords:
   - "1Password"

charts/connect/templates/connect-deployment.yaml

@@ -40,6 +40,10 @@ spec:
       {{- if .Values.connect.priorityClassName }}
       priorityClassName: {{ .Values.connect.priorityClassName }}
       {{- end }}
+      {{- with .Values.connect.podSecurityContext }}
+      securityContext:
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
       {{- with .Values.connect.affinity }}
       affinity:
       {{- toYaml . | nindent 8 }}
@@ -61,10 +65,10 @@ spec:
         - name: {{ .Values.connect.api.name }}
           image: {{ .Values.connect.api.imageRepository }}:{{ tpl .Values.connect.version . }}
           imagePullPolicy: {{ .Values.connect.imagePullPolicy }}
+          {{- with .Values.connect.api.securityContext }}
           securityContext:
-            runAsUser: 999
-            runAsGroup: 999
-            allowPrivilegeEscalation: false
+          {{- toYaml . | nindent 12 }}
+          {{- end }}
           resources:
             {{- toYaml .Values.connect.api.resources | nindent 12 }}
           env:
@@ -123,10 +127,10 @@ spec:
         - name: connect-sync
           image: {{ .Values.connect.sync.imageRepository }}:{{ tpl .Values.connect.version . }}
           imagePullPolicy: {{ .Values.connect.imagePullPolicy }}
+          {{- with .Values.connect.sync.securityContext }}
           securityContext:
-            runAsUser: 999
-            runAsGroup: 999
-            allowPrivilegeEscalation: false
+          {{- toYaml . | nindent 12 }}
+          {{- end }}
           resources:
             {{- toYaml .Values.connect.sync.resources | nindent 12 }}
           env:

charts/connect/templates/operator-deployment.yaml

@@ -39,6 +39,10 @@ spec:
       {{- if .Values.operator.priorityClassName }}
       priorityClassName: {{ .Values.operator.priorityClassName }}
       {{- end }}
+      {{- with .Values.operator.podSecurityContext }}
+      securityContext:
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
       {{- with .Values.operator.affinity }}
       affinity:
       {{- toYaml . | nindent 8 }}
@@ -50,13 +54,10 @@ spec:
         - name: {{ .Values.connect.applicationName }}
           image: {{ .Values.operator.imageRepository }}:{{ .Values.operator.version | default "latest" }}
           imagePullPolicy: {{ .Values.connect.imagePullPolicy }}
+          {{- with .Values.operator.securityContext }}
           securityContext:
-            runAsUser: 65532
-            runAsGroup: 65532
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-                - all
+          {{- toYaml . | nindent 12 }}
+          {{- end }}
           command: [ "/manager" ]
           args: [ --zap-log-level={{ .Values.operator.logLevel }}]
           env:

charts/connect/templates/tests/health-check.yml

@@ -11,8 +11,16 @@ metadata:
     helm.sh/hook-weight: "1"
 spec:
   restartPolicy: Never
+  {{- with .Values.acceptanceTests.podSecurityContext }}
+  securityContext:
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
   containers:
     - name: curl
       image: curlimages/curl
       command: ["curl", "{{- include "onepassword-connect.url" . }}/health"]
+      {{- with .Values.acceptanceTests.securityContext }}
+      securityContext:
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
 {{- end }}

charts/connect/templates/tests/secret-read.yml

@@ -11,6 +11,10 @@ metadata:
     helm.sh/hook-weight: "3"
 spec:
   restartPolicy: Never
+  {{- with .Values.acceptanceTests.podSecurityContext }}
+  securityContext:
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
   containers:
     - name: secret-assertion
       image: alpine
@@ -30,4 +34,8 @@ spec:
             secretKeyRef:
               name: "{{ .Release.Name }}-test-secret"
               key: password
+      {{- with .Values.acceptanceTests.securityContext }}
+      securityContext:
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
 {{- end }}

charts/connect/values.yaml

@@ -42,6 +42,15 @@ connect:
       #
       annotations: {}
 
+    # Container securityContext to be added to the Connect API containers.
+    # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+    securityContext:
+      capabilities:
+        drop:
+          - ALL
+      readOnlyRootFilesystem: true
+      allowPrivilegeEscalation: false
+
   # The 1Password Connect Sync Specific Values
   sync:
     name: connect-sync
@@ -50,6 +59,15 @@ connect:
     httpPort: 8081
     logLevel: info
 
+    # Container securityContext to be added to the Connect Sync containers.
+    # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+    securityContext:
+      capabilities:
+        drop:
+          - ALL
+      readOnlyRootFilesystem: true
+      allowPrivilegeEscalation: false
+
   # The name of 1Password Connect Application
   applicationName: onepassword-connect
 
@@ -156,6 +174,16 @@ connect:
   # Additional labels to be added to the Connect API pods.
   podLabels: {}
 
+  # Pod securityContext to be added to the Connect API pods.
+  # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+  podSecurityContext:
+    fsGroup: 999
+    runAsUser: 999
+    runAsGroup: 999
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+
   # List of tolerations to be added to the Connect API pods.
   tolerations: []
 
@@ -261,6 +289,25 @@ operator:
   # The 1Password Operator version to pull
   version: "1.8.1"
 
+  # Pod securityContext to be added to the 1Password Operator pods.
+  # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+  podSecurityContext:
+    fsGroup: 65532
+    runAsUser: 65532
+    runAsGroup: 65532
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+
+  # Container securityContext to be added to the 1Password Operator containers.
+  # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+  securityContext:
+    capabilities:
+      drop:
+        - ALL
+    readOnlyRootFilesystem: true
+    allowPrivilegeEscalation: false
+
   # Node selector stanza for the Operator pod
   # See: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
   nodeSelector: {}
@@ -379,3 +426,22 @@ operator:
 acceptanceTests:
   enabled: false
   fixtures: {}
+
+  # Pod securityContext to be added to the 1Password Acceptance Tests pods.
+  # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+  podSecurityContext:
+    fsGroup: 65532
+    runAsUser: 65532
+    runAsGroup: 65532
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+
+  # Container securityContext to be added to the 1Password Acceptance Tests containers.
+  # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+  securityContext:
+    capabilities:
+      drop:
+        - ALL
+    readOnlyRootFilesystem: true
+    allowPrivilegeEscalation: false

charts/secrets-injector/Chart.yaml

@@ -12,4 +12,4 @@ maintainers:
     email: [email protected]
 icon: https://avatars.githubusercontent.com/u/38230737
 appVersion: "1.0.2"
-version: 1.1.0
+version: 1.2.0

charts/secrets-injector/README.md

@@ -30,16 +30,18 @@ $ helm install --set injector.applicationName=injector injector ./secrets-inject
 
 ### Values
 
-| Key                       | Type    | Default                                   | Description                                                                                                                               |
-|---------------------------|---------|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------|
-| injector.applicationName  | string  | `"secrets-injector"`                      | The name of 1Password Kubernetes Secrets Injector Application                                                                             |
-| injector.imagePullPolicy  | string  | `"IfNotPresent"`                          | The 1Password Secrets Injector docker image policy. `"IfNotPresent"` means the image is pulled only if it is not already present locally. |
-| injector.imagePullSecrets | array   | `[]`                                      | Global list of secret names to use as image pull secrets for all pod specs in the chart. Secrets must exist in the same namespace         |
-| injector.imageRepository  | string  | `"1password/kubernetes-secrets-injector"` | The 1Password Secrets Injector docker image repository                                                                                    |
-| injector.port             | string  | `443`                                     | The port the Secrets Injector exposes                                                                                                     |
-| injector.targetPort       | integer | `8443`                                    | The port the Secrets Injector API sends requests to the pod                                                                               |
-| injector.version          | string  | `{{.Chart.AppVersion}}`                   | The 1Password Secrets Injector version to pull.                                                                                           |
-| injector.customEnvVars    | array   | `[]`                                      | Custom Environment Variables for the 1Password Secrets Injector container that are not specified in this helm chart.                      |
+| Key                         | Type    | Default                                                                                                                 | Description                                                                                                                               |
+|-----------------------------|---------|-------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------|
+| injector.applicationName    | string  | `"secrets-injector"`                                                                                                    | The name of 1Password Kubernetes Secrets Injector Application                                                                             |
+| injector.imagePullPolicy    | string  | `"IfNotPresent"`                                                                                                        | The 1Password Secrets Injector docker image policy. `"IfNotPresent"` means the image is pulled only if it is not already present locally. |
+| injector.imagePullSecrets   | array   | `[]`                                                                                                                    | Global list of secret names to use as image pull secrets for all pod specs in the chart. Secrets must exist in the same namespace         |
+| injector.imageRepository    | string  | `"1password/kubernetes-secrets-injector"`                                                                               | The 1Password Secrets Injector docker image repository                                                                                    |
+| injector.port               | string  | `443`                                                                                                                   | The port the Secrets Injector exposes                                                                                                     |
+| injector.targetPort         | integer | `8443`                                                                                                                  | The port the Secrets Injector API sends requests to the pod                                                                               |
+| injector.version            | string  | `{{.Chart.AppVersion}}`                                                                                                 | The 1Password Secrets Injector version to pull.                                                                                           |
+| injector.customEnvVars      | array   | `[]`                                                                                                                    | Custom Environment Variables for the 1Password Secrets Injector container that are not specified in this helm chart.                      |
+| injector.podSecurityContext | object  | `{"fsGroup":65532,"runAsUser":65532,"runAsGroup":65532,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Pod `securityContext` for the 1Password Secrets Injector pod.                                                                             |
+| injector.securityContext    | object  | `{"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"allowPrivilegeEscalation":false}`                      | Container `securityContext` for the 1Password Secrets Injector container.                                                                 |
 
 #### Custom Environment Variables
 

charts/secrets-injector/templates/deployment.yaml

@@ -6,7 +6,7 @@ metadata:
   labels:
     app: {{ .Values.injector.applicationName }}
   annotations:
-    helm.sh/hook: pre-install
+    helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-weight: "1"
 spec:
   selector:
@@ -18,6 +18,10 @@ spec:
         app: {{ .Values.injector.applicationName }}
     spec:
       serviceAccountName: {{ .Values.injector.applicationName }}
+      {{- with .Values.injector.podSecurityContext }}
+      securityContext:
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
       containers:
         - name: {{ .Values.injector.applicationName }}
           image: {{ .Values.injector.imageRepository }}:{{ tpl .Values.injector.version . }}
@@ -40,9 +44,19 @@ spec:
             preStop:
               exec:
                 command: [ "/bin/sh", "-c", "/prestop.sh" ]
+          {{- with .Values.injector.securityContext }}
+          securityContext:
+          {{- toYaml . | nindent 12 }}
+          {{- end }}
+          volumeMounts:
+            - name: tmp
+              mountPath: /tmp
       {{- with .Values.injector.imagePullSecrets }}
       imagePullSecrets:
       {{- range . }}
         - name: {{ . | quote }}
       {{- end }}
       {{- end }}
+      volumes:
+        - name: tmp
+          emptyDir: {}

charts/secrets-injector/values.yaml

@@ -11,3 +11,22 @@ injector:
   # - name: VARIABLE_NAME
   #   value: VARIABLE_VALUE
   customEnvVars: []
+
+  # Pod securityContext to be added to the 1Password secrets injector pods.
+  # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+  podSecurityContext:
+    fsGroup: 65532
+    runAsUser: 65532
+    runAsGroup: 65532
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+
+  # Container securityContext to be added to the 1Password secrets injector containers.
+  # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+  securityContext:
+    capabilities:
+      drop:
+        - ALL
+    readOnlyRootFilesystem: true
+    allowPrivilegeEscalation: false