specklesystems · gjedlicska · Aug 15, 2022 · Aug 11, 2022 · Aug 12, 2022 · Aug 12, 2022
diff --git a/packages/frontend/nginx/templates/nginx.conf.template b/packages/frontend/nginx/templates/nginx.conf.template
@@ -56,11 +56,19 @@ set_real_ip_from 2a06:98c0::/29;
 real_ip_header CF-Connecting-IP;
 #real_ip_header X-Forwarded-For;
 
-
 server {
   listen 80;
   client_max_body_size 100m;
 
+  # move default write paths to a custom directory
+  # kubernetes can mount this directory and prevent writes to the root directory
+  # https://github.com/openresty/docker-openresty/issues/119
+  client_body_temp_path /var/run/openresty/nginx-client-body;
+  proxy_temp_path /var/run/openresty/nginx-proxy;
+  fastcgi_temp_path /var/run/openresty/nginx-fastcgi;
+  uwsgi_temp_path /var/run/openresty/nginx-uwsgi;
+  scgi_temp_path /var/run/openresty/nginx-scgi;
+
   location / {
     root   /usr/share/nginx/html;
     index app.html;

diff --git a/utils/helm/Makefile b/utils/helm/Makefile
@@ -7,6 +7,7 @@ build:
 	cd ../.. && docker build -t speckle/speckle-webhook-service:local -f packages/webhook-service/Dockerfile .
 	cd ../.. && docker build -t speckle/speckle-fileimport-service:local -f packages/fileimport-service/Dockerfile .
 	cd ../.. && docker build -t speckle/speckle-monitor-deployment:local -f utils/monitor-deployment/Dockerfile .
+	cd ../.. && docker build -t speckle/speckle-test-deployment:local -f utils/test-deployment/Dockerfile .
 
 	echo "Making locally built images available inside minikube cluster. This takes a bit to copy, unfortunately..."
 
@@ -16,6 +17,7 @@ build:
 	minikube image load speckle/speckle-webhook-service:local
 	minikube image load speckle/speckle-fileimport-service:local
 	minikube image load speckle/speckle-monitor-deployment:local
+	minikube image load speckle/speckle-test-deployment:local
 
 
 install:

diff --git a/utils/helm/speckle-server/templates/fileimport_service/deployment.yml b/utils/helm/speckle-server/templates/fileimport_service/deployment.yml
@@ -44,8 +44,20 @@ spec:
             cpu: {{ .Values.fileimport_service.limits.cpu }}
             memory: {{ .Values.fileimport_service.limits.memory }}
 
-        {{- if .Values.db.useCertificate }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
+          privileged: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 20000
+
         volumeMounts:
+          - mountPath: /tmp
+            name: tmp
+        {{- if .Values.db.useCertificate }}
           - name: postgres-certificate
             mountPath: /postgres-certificate
         {{- end }}
@@ -84,10 +96,21 @@ spec:
           - name: FILE_IMPORT_TIME_LIMIT_MIN
             value: {{ .Values.fileimport_service.time_limit_min | quote }}
 
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 20000
+        fsGroup: 25000
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 30000
+        seccompProfile:
+          type: RuntimeDefault
+
       priorityClassName: low-priority
 
-      {{- if .Values.db.useCertificate }}
       volumes:
+        - name: tmp
+          emptyDir: {}
+      {{- if .Values.db.useCertificate }}
         - name: postgres-certificate
           configMap:
             name: postgres-certificate

diff --git a/utils/helm/speckle-server/templates/frontend/deployment.yml b/utils/helm/speckle-server/templates/frontend/deployment.yml
@@ -34,6 +34,18 @@ spec:
             cpu: {{ .Values.frontend.limits.cpu }}
             memory: {{ .Values.frontend.limits.memory }}
 
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
+            add:
+              - NET_BIND_SERVICE
+          privileged: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 20000
+
         # Allow for k8s to remove the pod from the service endpoints to stop receive traffic
         lifecycle:
           preStop:
@@ -51,4 +63,37 @@ spec:
           - name: FILE_SIZE_LIMIT_MB
             value: {{ .Values.file_size_limit_mb | quote }}
 
+        volumeMounts:
+          - mountPath: /var/cache/nginx
+            name: nginx-cache
+          - mountPath: /tmp/nginx
+            name: nginx-tmp
+          - mountPath: /etc/nginx/conf.d
+            name: nginx-confd
+          - mountPath: /usr/local/openresty/nginx/logs
+            name: openresty-logs
+          - mountPath: /var/run/openresty
+            name: openresty-tmp
+
       priorityClassName: high-priority
+
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 20000
+        fsGroup: 25000
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 30000
+        seccompProfile:
+          type: RuntimeDefault
+
+      volumes:
+        - name: nginx-cache
+          emptyDir: {}
+        - name: nginx-confd
+          emptyDir: {}
+        - name: nginx-tmp
+          emptyDir: {}
+        - name: openresty-logs
+          emptyDir: {}
+        - name: openresty-tmp
+          emptyDir: {}
diff --git a/utils/helm/speckle-server/templates/monitoring/deployment.yml b/utils/helm/speckle-server/templates/monitoring/deployment.yml
@@ -34,6 +34,15 @@ spec:
             cpu: {{ .Values.monitoring.limits.cpu }}
             memory: {{ .Values.monitoring.limits.memory }}
 
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
+          privileged: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 20000
 
         {{- if .Values.db.useCertificate }}
         volumeMounts:
@@ -55,6 +64,15 @@ spec:
 
       priorityClassName: low-priority
 
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 20000
+        fsGroup: 25000
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 30000
+        seccompProfile:
+          type: RuntimeDefault
+
       {{- if .Values.db.useCertificate }}
       volumes:
         - name: postgres-certificate

diff --git a/utils/helm/speckle-server/templates/preview_service/deployment.yml b/utils/helm/speckle-server/templates/preview_service/deployment.yml
@@ -43,8 +43,20 @@ spec:
             cpu: {{ .Values.preview_service.limits.cpu }}
             memory: {{ .Values.preview_service.limits.memory }}
 
-        {{- if .Values.db.useCertificate }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
+          privileged: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 20000
+
         volumeMounts:
+          - mountPath: /tmp
+            name: tmp
+        {{- if .Values.db.useCertificate }}
           - name: postgres-certificate
             mountPath: /postgres-certificate
         {{- end }}
@@ -66,11 +78,22 @@ spec:
 
       priorityClassName: low-priority
 
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 20000
+        fsGroup: 25000
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 30000
+        seccompProfile:
+          type: RuntimeDefault
+
       # Should be > preview generation time ( 1 hour for good measure )
       terminationGracePeriodSeconds: 3600
 
-      {{- if .Values.db.useCertificate }}
       volumes:
+        - name: tmp
+          emptyDir: {}
+      {{- if .Values.db.useCertificate }}
         - name: postgres-certificate
           configMap:
             name: postgres-certificate

diff --git a/utils/helm/speckle-server/templates/server/deployment.yml b/utils/helm/speckle-server/templates/server/deployment.yml
@@ -34,10 +34,22 @@ spec:
             cpu: {{ .Values.server.limits.cpu }}
             memory: {{ .Values.server.limits.memory }}
 
-        {{- if .Values.db.useCertificate }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
+          privileged: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 20000
+
         volumeMounts:
-        - name: postgres-certificate
-          mountPath: /postgres-certificate
+          - mountPath: /tmp
+            name: tmp
+        {{- if .Values.db.useCertificate }}
+          - name: postgres-certificate
+            mountPath: /postgres-certificate
         {{- end }}
 
         # Allow for k8s to remove the pod from the service endpoints to stop receive traffic
@@ -242,9 +254,21 @@ spec:
                 key: apollo_key
           {{- end }}
       priorityClassName: high-priority
+
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 20000
+        fsGroup: 25000
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 30000
+        seccompProfile:
+          type: RuntimeDefault
+
       terminationGracePeriodSeconds: 310
-      {{- if .Values.db.useCertificate }}
       volumes:
+        - name: tmp
+          emptyDir: {}
+      {{- if .Values.db.useCertificate }}
         - name: postgres-certificate
           configMap:
             name: postgres-certificate

diff --git a/utils/helm/speckle-server/templates/test/deployment.yml b/utils/helm/speckle-server/templates/test/deployment.yml
@@ -24,5 +24,23 @@ spec:
         limits:
           cpu: {{ .Values.test.limits.cpu }}
           memory: {{ .Values.test.limits.memory }}
+      securityContext:
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop:
+            - ALL
+        privileged: false
+        readOnlyRootFilesystem: true
+        runAsNonRoot: true
+        runAsUser: 20000
+
   restartPolicy: Never
+
+  securityContext:
+    runAsNonRoot: true
+    runAsUser: 20000
+    runAsGroup: 30000
+    seccompProfile:
+      type: RuntimeDefault
+
 {{- end }}
diff --git a/utils/helm/speckle-server/templates/webhook_service/deployment.yml b/utils/helm/speckle-server/templates/webhook_service/deployment.yml
@@ -43,8 +43,20 @@ spec:
             cpu: {{ .Values.webhook_service.limits.cpu }}
             memory: {{ .Values.webhook_service.limits.memory }}
 
-        {{- if .Values.db.useCertificate }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
+          privileged: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 20000
+
         volumeMounts:
+          - mountPath: /tmp
+            name: tmp
+        {{- if .Values.db.useCertificate }}
           - name: postgres-certificate
             mountPath: /postgres-certificate
         {{- end }}
@@ -66,11 +78,22 @@ spec:
 
       priorityClassName: low-priority
 
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 20000
+        fsGroup: 25000
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 30000
+        seccompProfile:
+          type: RuntimeDefault
+
       # Should be > webhook max call time ( ~= 10 seconds )
       terminationGracePeriodSeconds: 30
 
-      {{- if .Values.db.useCertificate }}
       volumes:
+        - name: tmp
+          emptyDir: {}
+      {{- if .Values.db.useCertificate }}
         - name: postgres-certificate
           configMap:
             name: postgres-certificate