diff --git a/packages/frontend/nginx/templates/nginx.conf.template b/packages/frontend/nginx/templates/nginx.conf.template index 2f72faac75..16264a8ece 100644 --- a/packages/frontend/nginx/templates/nginx.conf.template +++ b/packages/frontend/nginx/templates/nginx.conf.template @@ -56,11 +56,19 @@ set_real_ip_from 2a06:98c0::/29; real_ip_header CF-Connecting-IP; #real_ip_header X-Forwarded-For; - server { listen 80; client_max_body_size 100m; + # move default write paths to a custom directory + # kubernetes can mount this directory and prevent writes to the root directory + # https://github.com/openresty/docker-openresty/issues/119 + client_body_temp_path /var/run/openresty/nginx-client-body; + proxy_temp_path /var/run/openresty/nginx-proxy; + fastcgi_temp_path /var/run/openresty/nginx-fastcgi; + uwsgi_temp_path /var/run/openresty/nginx-uwsgi; + scgi_temp_path /var/run/openresty/nginx-scgi; + location / { root /usr/share/nginx/html; index app.html; diff --git a/utils/helm/Makefile b/utils/helm/Makefile index 8b54257d37..0e6d9a5649 100644 --- a/utils/helm/Makefile +++ b/utils/helm/Makefile @@ -7,6 +7,7 @@ build: cd ../.. && docker build -t speckle/speckle-webhook-service:local -f packages/webhook-service/Dockerfile . cd ../.. && docker build -t speckle/speckle-fileimport-service:local -f packages/fileimport-service/Dockerfile . cd ../.. && docker build -t speckle/speckle-monitor-deployment:local -f utils/monitor-deployment/Dockerfile . + cd ../.. && docker build -t speckle/speckle-test-deployment:local -f utils/test-deployment/Dockerfile . echo "Making locally built images available inside minikube cluster. This takes a bit to copy, unfortunately..." @@ -16,6 +17,7 @@ build: minikube image load speckle/speckle-webhook-service:local minikube image load speckle/speckle-fileimport-service:local minikube image load speckle/speckle-monitor-deployment:local + minikube image load speckle/speckle-test-deployment:local install: 
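Review bot: The five `*_temp_path` directives are added inside this `server` block, so they only redirect writes for this one server; any other `server` block in the template (none is visible in this hunk) would still use the compiled-in temp directories and fail once the root filesystem is read-only. Placing them at `http` level, beside the `set_real_ip_from` / `real_ip_header` lines that apparently sit above the `server` block, covers every server in the file. The comment should also state the startup prerequisite: as far as I recall nginx creates only the final `nginx-*` path component, not the `/var/run/openresty` parent, so the frontend Deployment's emptyDir at that path is required, e.g. `# /var/run/openresty must already exist and be writable (mounted as an emptyDir by the frontend Deployment)`. The `server` block continues past the end of the hunk.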
diff --git a/utils/helm/speckle-server/templates/fileimport_service/deployment.yml b/utils/helm/speckle-server/templates/fileimport_service/deployment.yml index 3aada8c5f9..64c3b758b0 100644 --- a/utils/helm/speckle-server/templates/fileimport_service/deployment.yml +++ b/utils/helm/speckle-server/templates/fileimport_service/deployment.yml @@ -44,8 +44,20 @@ spec: cpu: {{ .Values.fileimport_service.limits.cpu }} memory: {{ .Values.fileimport_service.limits.memory }} - {{- if .Values.db.useCertificate }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 20000 + volumeMounts: + - mountPath: /tmp + name: tmp + {{- if .Values.db.useCertificate }} - name: postgres-certificate mountPath: /postgres-certificate {{- end }} @@ -84,10 +96,21 @@ spec: - name: FILE_IMPORT_TIME_LIMIT_MIN value: {{ .Values.fileimport_service.time_limit_min | quote }} + securityContext: + runAsNonRoot: true + runAsUser: 20000 + fsGroup: 25000 + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 30000 + seccompProfile: + type: RuntimeDefault + priorityClassName: low-priority - {{- if .Values.db.useCertificate }} volumes: + - name: tmp + emptyDir: {} + {{- if .Values.db.useCertificate }} - name: postgres-certificate configMap: name: postgres-certificate diff --git a/utils/helm/speckle-server/templates/frontend/deployment.yml b/utils/helm/speckle-server/templates/frontend/deployment.yml index 517c8bfb5b..5138d14f60 100644 --- a/utils/helm/speckle-server/templates/frontend/deployment.yml +++ b/utils/helm/speckle-server/templates/frontend/deployment.yml 
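Review bot: The new `tmp` emptyDir in the `volumes` hunk has no `sizeLimit`, so whatever the file import service writes under `/tmp` draws on node ephemeral storage with no bound other than the node's disk; a large or malformed import can fill the disk and get neighbouring pods evicted instead of just this one. Replace `emptyDir: {}` with `emptyDir:` / `sizeLimit: 1Gi` (constructed example; the value should be templated from values and sit above the largest file the service accepts), which makes the kubelet evict only this pod when the cap is reached. The same applies to the `tmp` emptyDirs added for preview_service, server and webhook_service in the later hunks. Minor: the container-level `runAsNonRoot` / `runAsUser` repeat the pod-level values in the second hunk; harmless, but a one-line comment saying the container block exists to carry `readOnlyRootFilesystem` and the capability drop would stop a reader wondering whether they can diverge.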
@@ -34,6 +34,18 @@ spec: cpu: {{ .Values.frontend.limits.cpu }} memory: {{ .Values.frontend.limits.memory }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 20000 + # Allow for k8s to remove the pod from the service endpoints to stop receive traffic lifecycle: preStop: @@ -51,4 +63,37 @@ spec: - name: FILE_SIZE_LIMIT_MB value: {{ .Values.file_size_limit_mb | quote }} + volumeMounts: + - mountPath: /var/cache/nginx + name: nginx-cache + - mountPath: /tmp/nginx + name: nginx-tmp + - mountPath: /etc/nginx/conf.d + name: nginx-confd + - mountPath: /usr/local/openresty/nginx/logs + name: openresty-logs + - mountPath: /var/run/openresty + name: openresty-tmp + priorityClassName: high-priority + + securityContext: + runAsNonRoot: true + runAsUser: 20000 + fsGroup: 25000 + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 30000 + seccompProfile: + type: RuntimeDefault + + volumes: + - name: nginx-cache + emptyDir: {} + - name: nginx-confd + emptyDir: {} + - name: nginx-tmp + emptyDir: {} + - name: openresty-logs + emptyDir: {} + - name: openresty-tmp + emptyDir: {} diff --git a/utils/helm/speckle-server/templates/monitoring/deployment.yml b/utils/helm/speckle-server/templates/monitoring/deployment.yml index fdcb37e986..3711838f86 100644 --- a/utils/helm/speckle-server/templates/monitoring/deployment.yml +++ b/utils/helm/speckle-server/templates/monitoring/deployment.yml @@ -34,6 +34,15 @@ spec: cpu: {{ .Values.monitoring.limits.cpu }} memory: {{ .Values.monitoring.limits.memory }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 20000 {{- if .Values.db.useCertificate }} volumeMounts: 
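Review bot: Adding `NET_BIND_SERVICE` under `capabilities.add` does not by itself let a `runAsUser: 20000` process bind port 80 (the nginx template in this change still has `listen 80;`): on many runtimes the added capability lands in the bounding/permitted sets but a non-root process only gains it in its effective set if the nginx binary carries file capabilities or the runtime grants ambient capabilities, so startup may still fail with a bind permission error. Safer alternatives are to have nginx listen on an unprivileged port and keep port 80 on the Service, or to set the `net.ipv4.ip_unprivileged_port_start` sysctl on the pod; either lets the `add:` entry go and leaves `drop: ALL` alone. Whichever is kept, put a comment on the `add:` line such as `# nginx binds :80 as uid 20000 — see nginx.conf.template; verify the capability is effective on the target runtime`. In the second hunk the emptyDir over `/etc/nginx/conf.d` hides any config baked into the image at that path, which is only correct if the entrypoint regenerates it from the templates at startup — worth confirming and noting in the same comment block.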
@@ -55,6 +64,15 @@ spec: priorityClassName: low-priority + securityContext: + runAsNonRoot: true + runAsUser: 20000 + fsGroup: 25000 + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 30000 + seccompProfile: + type: RuntimeDefault + {{- if .Values.db.useCertificate }} volumes: - name: postgres-certificate diff --git a/utils/helm/speckle-server/templates/preview_service/deployment.yml b/utils/helm/speckle-server/templates/preview_service/deployment.yml index cd8799b43b..2ce33c418b 100644 --- a/utils/helm/speckle-server/templates/preview_service/deployment.yml +++ b/utils/helm/speckle-server/templates/preview_service/deployment.yml @@ -43,8 +43,20 @@ spec: cpu: {{ .Values.preview_service.limits.cpu }} memory: {{ .Values.preview_service.limits.memory }} - {{- if .Values.db.useCertificate }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 20000 + volumeMounts: + - mountPath: /tmp + name: tmp + {{- if .Values.db.useCertificate }} - name: postgres-certificate mountPath: /postgres-certificate {{- end }} @@ -66,11 +78,22 @@ spec: priorityClassName: low-priority + securityContext: + runAsNonRoot: true + runAsUser: 20000 + fsGroup: 25000 + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 30000 + seccompProfile: + type: RuntimeDefault + # Should be > preview generation time ( 1 hour for good measure ) terminationGracePeriodSeconds: 3600 - {{- if .Values.db.useCertificate }} volumes: + - name: tmp + emptyDir: {} + {{- if .Values.db.useCertificate }} - name: postgres-certificate configMap: name: postgres-certificate diff --git a/utils/helm/speckle-server/templates/server/deployment.yml b/utils/helm/speckle-server/templates/server/deployment.yml index a6a3c86444..59b585251e 100644 --- a/utils/helm/speckle-server/templates/server/deployment.yml +++ b/utils/helm/speckle-server/templates/server/deployment.yml 
@@ -34,10 +34,22 @@ spec: cpu: {{ .Values.server.limits.cpu }} memory: {{ .Values.server.limits.memory }} - {{- if .Values.db.useCertificate }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 20000 + volumeMounts: - - name: postgres-certificate - mountPath: /postgres-certificate + - mountPath: /tmp + name: tmp + {{- if .Values.db.useCertificate }} + - name: postgres-certificate + mountPath: /postgres-certificate {{- end }} # Allow for k8s to remove the pod from the service endpoints to stop receive traffic @@ -242,9 +254,21 @@ spec: key: apollo_key {{- end }} priorityClassName: high-priority + + securityContext: + runAsNonRoot: true + runAsUser: 20000 + fsGroup: 25000 + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 30000 + seccompProfile: + type: RuntimeDefault + terminationGracePeriodSeconds: 310 - {{- if .Values.db.useCertificate }} volumes: + - name: tmp + emptyDir: {} + {{- if .Values.db.useCertificate }} - name: postgres-certificate configMap: name: postgres-certificate diff --git a/utils/helm/speckle-server/templates/test/deployment.yml b/utils/helm/speckle-server/templates/test/deployment.yml index 6915fe5bfa..ff72ec75ad 100644 --- a/utils/helm/speckle-server/templates/test/deployment.yml +++ b/utils/helm/speckle-server/templates/test/deployment.yml @@ -24,5 +24,23 @@ spec: limits: cpu: {{ .Values.test.limits.cpu }} memory: {{ .Values.test.limits.memory }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 20000 + restartPolicy: Never + + securityContext: + runAsNonRoot: true + runAsUser: 20000 + runAsGroup: 30000 + seccompProfile: + type: RuntimeDefault + {{- end }} 
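Review bot: The test container gets `readOnlyRootFilesystem: true` but, unlike every other deployment in this change, mounts no writable volume and its pod securityContext sets no `fsGroup`; if the test runner writes anything (a `/tmp` scratch directory is the usual case) it will now fail with a read-only filesystem error before the tests themselves run. Either mount an emptyDir at `/tmp` as the other deployments do, or add a comment stating that the image needs no scratch space. The enclosing template block closes with `{{- end }}`, so this pod spec is conditional on something outside the hunk.
```yaml
# … unchanged: container securityContext …
          volumeMounts:
            - mountPath: /tmp
              name: tmp
      restartPolicy: Never
# … unchanged: pod securityContext …
      volumes:
        - name: tmp
          emptyDir: {}
```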
diff --git a/utils/helm/speckle-server/templates/webhook_service/deployment.yml b/utils/helm/speckle-server/templates/webhook_service/deployment.yml index 898813a1c9..9c090d8795 100644 --- a/utils/helm/speckle-server/templates/webhook_service/deployment.yml +++ b/utils/helm/speckle-server/templates/webhook_service/deployment.yml @@ -43,8 +43,20 @@ spec: cpu: {{ .Values.webhook_service.limits.cpu }} memory: {{ .Values.webhook_service.limits.memory }} - {{- if .Values.db.useCertificate }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 20000 + volumeMounts: + - mountPath: /tmp + name: tmp + {{- if .Values.db.useCertificate }} - name: postgres-certificate mountPath: /postgres-certificate {{- end }} @@ -66,11 +78,22 @@ spec: priorityClassName: low-priority + securityContext: + runAsNonRoot: true + runAsUser: 20000 + fsGroup: 25000 + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 30000 + seccompProfile: + type: RuntimeDefault + # Should be > webhook max call time ( ~= 10 seconds ) terminationGracePeriodSeconds: 30 - {{- if .Values.db.useCertificate }} volumes: + - name: tmp + emptyDir: {} + {{- if .Values.db.useCertificate }} - name: postgres-certificate configMap: name: postgres-certificate