feat(helm chart): add SecurityContext to pods and containers

[iainsproat]

Speckle pods should run with minimal privileges and capabilities to function.

To verify, run the following and follow the advisory guidance:

helm template my-speckle-server ./utils/helm/speckle-server \
 --values ../iain_speckle_dev-values.yaml \
 --namespace speckle | \
 docker run -i kubesec/kubesec:v2 scan /dev/stdin

Notes

• kubesec schema has a known issue that incorrectly throws an error for seccompProfile. seccompProfile should be commented out while running kubesec 🙄
• empty directory (emptyDir) mounted at /tmp for all containers that write temporary files. This allows root directory to be read only.
• tailored seccomp and appArmor profiles are not included, and will be provided as part of AppArmor and SecComp profiles for kubernetes #918
• openResty & nginx by default requires root user and chown capabilities: Add nginx (or openresty user) to run nginx openresty/docker-openresty#24
  • to resolve, nginx.conf amended per Move default writable paths to a dedicated directory openresty/docker-openresty#119 and https://discuss.kubernetes.io/t/why-i-am-getting-read-only-file-system-error-from-nginx-in-my-container/5782
  • nginx requires NET_BIND_SERVICE capability to run as nonRoot. ingress won't work without NET_BIND_SERVICE cap and allow-privilege-escalation for v0.20.0 or higer kubernetes/ingress-nginx#3668
• service accounts will be added as part of Helm: the service accounts should have minimum privileges for the service #859

References

https://kubernetes.io/docs/concepts/security/pod-security-standards/
https://cheatsheetseries.owasp.org/cheatsheets/Kubernetes_Security_Cheat_Sheet.html

Fixes #857
Fixes #919

[codecov]

Codecov Report

Merging #917 (1498dce) into main (5535197) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main     #917   +/-   ##
=======================================
  Coverage   90.41%   90.41%           
=======================================
  Files          90       90           
  Lines        3433     3433           
  Branches       10       10           
=======================================
  Hits         3104     3104           
  Misses        328      328           
  Partials        1        1           

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[iainsproat]

Proof of work

Pods are running and healthy on minikube:

Security context is applied (speckle-server as an example):