[stable/hazelcast-jet] Merge pull request #103 from eminn/security-co…

…ntext (#21219)

* Merge pull request #103 from eminn/security-context

Signed-off-by: devOpsHelm <devops+1@hazelcast.com>

* Fixed linter error

Signed-off-by: Emin Demirci <emin@hazelcast.com>

Co-authored-by: Emin Demirci <emin@hazelcast.com>

stable/hazelcast-jet/Chart.yaml

@@ -4,7 +4,7 @@ tillerVersion: ">=2.7.2"
 kubeVersion: ">=1.9.0-0"
 description: Hazelcast Jet is an application embeddable, distributed computing engine built on top of Hazelcast In-Memory Data Grid (IMDG). With Hazelcast IMDG providing storage functionality, Hazelcast Jet performs parallel execution to enable data-intensive applications to operate in near real-time.
 name: hazelcast-jet
-version: 1.4.0
+version: 1.4.1
 keywords:
 - hazelcast
 - jet

stable/hazelcast-jet/README.adoc

@@ -191,13 +191,16 @@ generated using the fullname template |`+nil+`
 Hazelcast Jet Management Center |`+true+`
 
 |`+securityContext.runAsUser+` |User ID used to run the Hazelcast Jet and
-Hazelcast Jet Management Center containers |`+1001+`
+Hazelcast Jet Management Center containers |`+65534+`
 
-| `securityContext.runAsGroup` |Primary Group ID used to run all processes in the
+|`securityContext.runAsGroup` |Primary Group ID used to run all processes in the
  Hazelcast Jet and Hazelcast Jet Management Center containers | `+65534+`
 
 |`+securityContext.fsGroup+` |Group ID associated with the Hazelcast Jet and
-Hazelcast Jet Management Center container |`+1001+`
+Hazelcast Jet Management Center container |`+65534+`
+
+|`+securityContext.readOnlyRootFilesystem+` |Enables readOnlyRootFilesystem in 
+the Hazelcast Jet and Hazelcast Jet Management Center security containers |`+true+`
 
 |`+metrics.enabled+` |Turn on and off JMX Prometheus metrics available at
 `+/metrics+` |`+false+`

stable/hazelcast-jet/templates/management-center-deployment.yaml

@@ -36,20 +36,24 @@ spec:
       nodeSelector:
 {{ toYaml .Values.managementcenter.nodeSelector | indent 8 }}
       {{- end }}
-      {{- if .Values.managementcenter.affinity }}
+      hostNetwork: false
+      hostPID: false
+      hostIPC: false
+      {{- if .Values.securityContext.enabled }}
+      securityContext:
+        runAsNonRoot: {{ if eq (int .Values.securityContext.runAsUser) 0 }}false{{ else }}true{{ end }}
+        runAsUser: {{ .Values.securityContext.runAsUser }}
+        runAsGroup: {{ .Values.securityContext.runAsGroup }}
+        fsGroup: {{ .Values.securityContext.fsGroup }}
+      {{- end }}
+        {{- if .Values.managementcenter.affinity }}
       affinity:
 {{ toYaml .Values.managementcenter.affinity | indent 8 }}
       {{- end }}
       {{- if .Values.managementcenter.tolerations }}
       tolerations:
 {{ toYaml .Values.managementcenter.tolerations | indent 8 }}
       {{- end }}
-      {{- if .Values.securityContext.enabled }}
-      securityContext:
-        runAsUser: {{ .Values.securityContext.runAsUser }}
-        runAsGroup: {{ .Values.securityContext.runAsGroup }}
-        fsGroup: {{ .Values.securityContext.fsGroup }}
-      {{- end }}
       containers:
       - name: {{ template "hazelcast-jet-management-center.fullname" . }}
         image: "{{ .Values.managementcenter.image.repository }}:{{ .Values.managementcenter.image.tag }}"
@@ -98,6 +102,19 @@ spec:
         {{- end }}
         - name: JAVA_OPTS
           value: " -Djet.clientConfig=/data/hazelcast-jet-management-center/hazelcast-client.yaml -DserviceName={{ template "hazelcast-jet.fullname" . }} -Dnamespace={{ .Release.Namespace }} {{ .Values.managementcenter.javaOpts }}"
+      {{- if .Values.securityContext.enabled }}
+        securityContext:
+          runAsNonRoot: {{ if eq (int .Values.securityContext.runAsUser) 0 }}false{{ else }}true{{ end }}
+          runAsUser: {{ .Values.securityContext.runAsUser }}
+          runAsGroup: {{ .Values.securityContext.runAsGroup }}
+          fsGroup: {{ .Values.securityContext.fsGroup }}
+          privileged: false
+          readOnlyRootFilesystem: false
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+        {{- end }}
       serviceAccountName: {{ template "hazelcast-jet.serviceAccountName" . }}
       volumes:
       - name: hazelcast-jet-management-center-storage

stable/hazelcast-jet/templates/statefulset.yaml

@@ -39,6 +39,16 @@ spec:
       {{- if .Values.gracefulShutdown.enabled }}
       terminationGracePeriodSeconds: {{ .Values.gracefulShutdown.maxWaitSeconds }}
       {{- end }}
+      hostNetwork: false
+      hostPID: false
+      hostIPC: false
+      {{- if .Values.securityContext.enabled }}
+      securityContext:
+        runAsNonRoot: {{ if eq (int .Values.securityContext.runAsUser) 0 }}false{{ else }}true{{ end }}
+        runAsUser: {{ .Values.securityContext.runAsUser }}
+        runAsGroup: {{ .Values.securityContext.runAsGroup }}
+        fsGroup: {{ .Values.securityContext.fsGroup }}
+      {{- end }}
       {{- if .Values.affinity }}
       affinity:
 {{ toYaml .Values.affinity | indent 8 }}
@@ -99,13 +109,19 @@ spec:
         - name: LOGGING_LEVEL
           value: {{ .Values.jet.loggingLevel }}
         {{- end }}
+        {{- if .Values.securityContext.enabled }}
+        securityContext:
+          runAsNonRoot: {{ if eq (int .Values.securityContext.runAsUser) 0 }}false{{ else }}true{{ end }}
+          runAsUser: {{ .Values.securityContext.runAsUser }}
+          runAsGroup: {{ .Values.securityContext.runAsGroup }}
+          privileged: false
+          readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFilesystem }}
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+        {{- end }}
       serviceAccountName: {{ template "hazelcast-jet.serviceAccountName" . }}
-      {{- if .Values.securityContext.enabled }}
-      securityContext:
-        runAsUser: {{ .Values.securityContext.runAsUser }}
-        runAsGroup: {{ .Values.securityContext.runAsGroup }}
-        fsGroup: {{ .Values.securityContext.fsGroup }}
-      {{- end }}
       volumes:
       - name: hazelcast-jet-storage
         configMap:

stable/hazelcast-jet/values.yaml

@@ -201,11 +201,13 @@ securityContext:
   # enabled is a flag to enable Security Context
   enabled: true
   # runAsUser is the user ID used to run the container
-  runAsUser: 1001
+  runAsUser: 65534
   # runAsGroup is the primary group ID used to run all processes within any container of the pod
-  runAsGroup: 1001
+  runAsGroup: 65534
   # fsGroup is the group ID associated with the container
-  fsGroup: 1001
+  fsGroup: 65534
+  # readOnlyRootFilesystem is a flag to enable readOnlyRootFilesystem for the Hazelcast security context
+  readOnlyRootFilesystem: true
 
 # Allows to enable a Prometheus to scrape pods
 metrics: