From e1b89d639649712acd0b7e30d5b3d41c9deee0d2 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Thu, 24 Oct 2019 12:40:19 -0400 Subject: [PATCH] Make readOnlyRootFilesystem configurable (#93) --- templates/server-statefulset.yaml | 2 ++ test/unit/server-dev-statefulset.bats | 33 ++++++++++++++++++++++----- test/unit/server-ha-statefulset.bats | 33 ++++++++++++++++++++++----- test/unit/server-statefulset.bats | 19 +++++++++++++++ values.yaml | 4 ++++ 5 files changed, 79 insertions(+), 12 deletions(-) diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index 4a8c8e6..750a84a 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -41,7 +41,9 @@ spec: terminationGracePeriodSeconds: 10 serviceAccountName: {{ template "vault.fullname" . }} securityContext: + {{- if .Values.server.securityContext.readOnlyRootFilesystem }} readOnlyRootFilesystem: true + {{- end }} runAsNonRoot: true runAsGroup: {{ .Values.server.gid | default 1000 }} runAsUser: {{ .Values.server.uid | default 100 }} diff --git a/test/unit/server-dev-statefulset.bats b/test/unit/server-dev-statefulset.bats index 6af6d89..e99d2fc 100755 --- a/test/unit/server-dev-statefulset.bats +++ b/test/unit/server-dev-statefulset.bats @@ -314,7 +314,7 @@ load _helpers #-------------------------------------------------------------------- # Security Contexts -@test "server/standalone-StatefulSet: uid default" { +@test "server/dev-StatefulSet: uid default" { cd `chart_dir` local actual=$(helm template \ -x templates/server-statefulset.yaml \ @@ -324,7 +324,7 @@ load _helpers [ "${actual}" = "100" ] } -@test "server/standalone-StatefulSet: uid configurable" { +@test "server/dev-StatefulSet: uid configurable" { cd `chart_dir` local actual=$(helm template \ -x templates/server-statefulset.yaml \ 
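Review bot: The guarded `readOnlyRootFilesystem: true` line is still rendered under the pod-level `securityContext:`, and the new tests read it from `.spec.template.spec.securityContext`. In the Kubernetes API this field belongs to a container's `securityContext`, not to PodSecurityContext, so depending on validation the manifest is either rejected or the field is dropped and the root filesystem stays writable. Consider moving the guarded line into the server container's own block, e.g. `securityContext:` / `readOnlyRootFilesystem: {{ .Values.server.securityContext.readOnlyRootFilesystem }}` under the container entry, and updating the yq paths in the three .bats files to match. The container spec lies outside this hunk, so confirm where the container is defined. Separately, `{{- if .Values.server.securityContext.readOnlyRootFilesystem }}` aborts rendering if a user sets `server.securityContext` to null; a comment in values.yaml saying the map must stay present would help.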
@@ -335,7 +335,7 @@ load _helpers [ "${actual}" = "2000" ] } -@test "server/standalone-StatefulSet: gid default" { +@test "server/dev-StatefulSet: gid default" { cd `chart_dir` local actual=$(helm template \ -x templates/server-statefulset.yaml \ @@ -345,7 +345,7 @@ load _helpers [ "${actual}" = "1000" ] } -@test "server/standalone-StatefulSet: gid configurable" { +@test "server/dev-StatefulSet: gid configurable" { cd `chart_dir` local actual=$(helm template \ -x templates/server-statefulset.yaml \ @@ -356,7 +356,7 @@ load _helpers [ "${actual}" = "2000" ] } -@test "server/standalone-StatefulSet: fsgroup default" { +@test "server/dev-StatefulSet: fsgroup default" { cd `chart_dir` local actual=$(helm template \ -x templates/server-statefulset.yaml \ @@ -366,7 +366,7 @@ load _helpers [ "${actual}" = "1000" ] } -@test "server/standalone-StatefulSet: fsgroup configurable" { +@test "server/dev-StatefulSet: fsgroup configurable" { cd `chart_dir` local actual=$(helm template \ -x templates/server-statefulset.yaml \ @@ -376,3 +376,24 @@ load _helpers yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr) [ "${actual}" = "2000" ] } + +@test "server/dev-StatefulSet: readOnlyRootFilesystem default" { + cd `chart_dir` + local actual=$(helm template \ + -x templates/server-statefulset.yaml \ + --set 'server.dev.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.securityContext.readOnlyRootFilesystem' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/dev-StatefulSet: readOnlyRootFilesystem configurable" { + cd `chart_dir` + local actual=$(helm template \ + -x templates/server-statefulset.yaml \ + --set 'server.dev.enabled=true' \ + --set 'server.securityContext.readOnlyRootFilesystem=false' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.securityContext.readOnlyRootFilesystem' | tee /dev/stderr) + [ "${actual}" = "null" ] +} 
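Review bot: The "readOnlyRootFilesystem configurable" test asserts only `[ "${actual}" = "null" ]`, which yq also prints when the whole `securityContext` mapping is missing. A template regression that drops the block would therefore still pass. The same pattern is repeated in the ha and standalone hunks further down. Consider adding a second assertion in the same run that a sibling field survives, for example reading `.spec.template.spec.securityContext.runAsNonRoot` and checking `[ "${actual}" = "true" ]`, so the test proves that only the one key was omitted.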
diff --git a/test/unit/server-ha-statefulset.bats b/test/unit/server-ha-statefulset.bats index 06c747f..de2d433 100755 --- a/test/unit/server-ha-statefulset.bats +++ b/test/unit/server-ha-statefulset.bats @@ -509,7 +509,7 @@ load _helpers #-------------------------------------------------------------------- # Security Contexts -@test "server/standalone-StatefulSet: uid default" { +@test "server/ha-StatefulSet: uid default" { cd `chart_dir` local actual=$(helm template \ -x templates/server-statefulset.yaml \ @@ -519,7 +519,7 @@ load _helpers [ "${actual}" = "100" ] } -@test "server/standalone-StatefulSet: uid configurable" { +@test "server/ha-StatefulSet: uid configurable" { cd `chart_dir` local actual=$(helm template \ -x templates/server-statefulset.yaml \ @@ -530,7 +530,7 @@ load _helpers [ "${actual}" = "2000" ] } -@test "server/standalone-StatefulSet: gid default" { +@test "server/ha-StatefulSet: gid default" { cd `chart_dir` local actual=$(helm template \ -x templates/server-statefulset.yaml \ @@ -540,7 +540,7 @@ load _helpers [ "${actual}" = "1000" ] } -@test "server/standalone-StatefulSet: gid configurable" { +@test "server/ha-StatefulSet: gid configurable" { cd `chart_dir` local actual=$(helm template \ -x templates/server-statefulset.yaml \ @@ -551,7 +551,7 @@ load _helpers [ "${actual}" = "2000" ] } -@test "server/standalone-StatefulSet: fsgroup default" { +@test "server/ha-StatefulSet: fsgroup default" { cd `chart_dir` local actual=$(helm template \ -x templates/server-statefulset.yaml \ @@ -561,7 +561,7 @@ load _helpers [ "${actual}" = "1000" ] } -@test "server/standalone-StatefulSet: fsgroup configurable" { +@test "server/ha-StatefulSet: fsgroup configurable" { cd `chart_dir` local actual=$(helm template \ -x templates/server-statefulset.yaml \ 
@@ -571,3 +571,24 @@ load _helpers yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr) [ "${actual}" = "2000" ] } + +@test "server/ha-StatefulSet: readOnlyRootFilesystem default" { + cd `chart_dir` + local actual=$(helm template \ + -x templates/server-statefulset.yaml \ + --set 'server.ha.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.securityContext.readOnlyRootFilesystem' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/ha-StatefulSet: readOnlyRootFilesystem configurable" { + cd `chart_dir` + local actual=$(helm template \ + -x templates/server-statefulset.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.securityContext.readOnlyRootFilesystem=false' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.securityContext.readOnlyRootFilesystem' | tee /dev/stderr) + [ "${actual}" = "null" ] +} diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats index fd0876c..4d29ffe 100755 --- a/test/unit/server-statefulset.bats +++ b/test/unit/server-statefulset.bats @@ -592,3 +592,22 @@ load _helpers yq -r '.spec.template.spec.securityContext.fsGroup' | tee /dev/stderr) [ "${actual}" = "2000" ] } + +@test "server/standalone-StatefulSet: readOnlyRootFilesystem default" { + cd `chart_dir` + local actual=$(helm template \ + -x templates/server-statefulset.yaml \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.securityContext.readOnlyRootFilesystem' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/standalone-StatefulSet: readOnlyRootFilesystem configurable" { + cd `chart_dir` + local actual=$(helm template \ + -x templates/server-statefulset.yaml \ + --set 'server.securityContext.readOnlyRootFilesystem=false' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.securityContext.readOnlyRootFilesystem' | tee /dev/stderr) + [ "${actual}" = "null" ] +} diff --git a/values.yaml b/values.yaml index 70a09ef..c5cc1a3 100644 --- a/values.yaml +++ b/values.yaml 
@@ -14,6 +14,10 @@ server: # Resource requests, limits, etc. for the server cluster placement. This # should map directly to the value of the resources field for a PodSpec. # By default no direct resource request is made. + + securityContext: + readOnlyRootFilesystem: true + resources: # resources: # requests:
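Review bot: The new `securityContext:` block is inserted between the existing three-line comment ("Resource requests, limits, etc. …") and the `resources:` key that comment describes. The comment now reads as if it documents `securityContext`, and the new option has none of its own. Move the block above that comment and give it a comment such as `# Mount the root filesystem read-only (recommended). Set to false only if the server must write outside its mounted volumes; doing so weakens container hardening.` Since the default stays `true`, it is also worth noting there that `false` omits the field from the manifest rather than rendering `false`.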