diff --git a/charts/octopus-deploy/README.md b/charts/octopus-deploy/README.md
index be9c1b04..5d343135 100644
--- a/charts/octopus-deploy/README.md
+++ b/charts/octopus-deploy/README.md
@@ -147,13 +147,7 @@ A minimal set of writable paths for a read-only root filesystem is:
 ```yaml
 octopus:
 containerSecurityContext:
- runAsNonRoot: true
- runAsGroup: 999
- runAsUser: 999
 readOnlyRootFilesystem: true
- podSecurityContext:
- fsGroup: 999
- fsGroupChangePolicy: OnRootMismatch
 serverConfigurationDirectory: /home/octopus/.local
@@ -187,6 +181,35 @@ A complete working example including environment variable overrides for .NET too
 Note: `enableDockerInDocker` must be set to `false` when using a read-only root filesystem, as Docker-in-Docker requires a privileged, writable container.
+### Openshift
+If you are using build in mssql chart on Openshift with values:
+```
+mssql:
+ enabled: true
+```
+
+Our mssql has such default security contexts for mssql.
+
+```
+podSecurityContext:
+ fsGroup: 10001
+ seccompProfile:
+ type: RuntimeDefault
+containerSecurityContext:
+ runAsUser: 10001
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - NET_BIND_SERVICE
+```
+
+As we're usign hardcoded UID and fsGroup in our `securityContext` you need to assign `nonroot-v2` SCC to allow the SQL Server SA to run:
+
+```oc adm policy add-scc-to-user nonroot-v2 -z octopus-deploy-mssql -n octopus-deploy```
+
+
 ### Ingress
 You'll likely want to allow external traffic to your Octopus instance, and this generally means configuring [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/).
diff --git a/charts/octopus-deploy/charts/mssql/templates/_helpers.tpl b/charts/octopus-deploy/charts/mssql/templates/_helpers.tpl
index 6f3d3493..b438d772 100644
--- a/charts/octopus-deploy/charts/mssql/templates/_helpers.tpl
+++ b/charts/octopus-deploy/charts/mssql/templates/_helpers.tpl
@@ -50,3 +50,11 @@ this template will return sa_password - either from values or autogenerated
 {{- include "random_secret" (list . "sapassword") -}}
 {{- end -}}
 {{- end -}}
+
+{{- define "mssql.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+{{- default (printf "%s-mssql" (include "octopus.fullname" .)) .Values.serviceAccount.name -}}
+{{- else -}}
+default "default-mssql" .Values.serviceAccount.name
+{{- end -}}
+{{- end -}}
diff --git a/charts/octopus-deploy/charts/mssql/templates/serviceaccount.yaml b/charts/octopus-deploy/charts/mssql/templates/serviceaccount.yaml
new file mode 100644
index 00000000..93c4ae88
--- /dev/null
+++ b/charts/octopus-deploy/charts/mssql/templates/serviceaccount.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ {{- include "labels" . | nindent 4 }}
+ {{- if .Values.serviceAccount.labels }}
+ {{- toYaml .Values.serviceAccount.labels | nindent 4 }}
+ {{- end }}
+ name: {{ template "mssql.serviceAccountName" . }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/octopus-deploy/charts/mssql/templates/statefulset.yaml b/charts/octopus-deploy/charts/mssql/templates/statefulset.yaml
index ff3433cd..3bdbae30 100644
--- a/charts/octopus-deploy/charts/mssql/templates/statefulset.yaml
+++ b/charts/octopus-deploy/charts/mssql/templates/statefulset.yaml
@@ -19,6 +19,7 @@ spec:
 labels:
 {{- include "mssql.selectorLabels" . | nindent 8 }}
 spec:
+ serviceAccountName: {{ template "mssql.serviceAccountName" . }}
 securityContext:
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
 {{- with .Values.nodeSelector }}
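Review bot: The `else` branch of `mssql.serviceAccountName` is plain text rather than a template action, so with `serviceAccount.create: false` the `serviceAccountName:` added in the statefulset.yaml hunk is rendered as the literal string `default "default-mssql" .Values.serviceAccount.name`, which is not a valid account name. Wrap it as `{{- default "default" .Values.serviceAccount.name -}}`; `default` is the account every namespace already has, whereas nothing in this change creates a `default-mssql` account when `create` is false. `.Values.serviceAccount.name` is also not declared in the subchart's values.yaml hunk below, so it is nil unless a user adds the key — `default` copes with that, but declaring `name: ""` in values.yaml would make the override discoverable.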
@@ -41,6 +42,10 @@ spec:
 - cp /var/opt/config/mssql.conf /var/opt/mssql/mssql.conf && /opt/mssql/bin/sqlservr
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
+ {{- with .Values.containerSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 ports:
 - containerPort: {{ .Values.containers.ports.containerPort}}
 env:
diff --git a/charts/octopus-deploy/charts/mssql/values.yaml b/charts/octopus-deploy/charts/mssql/values.yaml
index 850c6557..d80aa30a 100644
--- a/charts/octopus-deploy/charts/mssql/values.yaml
+++ b/charts/octopus-deploy/charts/mssql/values.yaml
@@ -13,7 +13,24 @@ containers:
 podAnnotations: {}
 podSecurityContext:
+ runAsNonRoot: true
 fsGroup: 10001
+ seccompProfile:
+ type: RuntimeDefault
+containerSecurityContext:
+ runAsUser: 10001
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - NET_BIND_SERVICE
 service:
- port: 1433
\ No newline at end of file
+ port: 1433
+
+serviceAccount:
+ create: true
+ automountServiceAccountToken: false
+ annotations: {}
+ labels: {}
\ No newline at end of file
diff --git a/charts/octopus-deploy/values-rorfsexample.yaml b/charts/octopus-deploy/values-rorfsexample.yaml
index 75db98f2..28b02332 100644
--- a/charts/octopus-deploy/values-rorfsexample.yaml
+++ b/charts/octopus-deploy/values-rorfsexample.yaml
@@ -54,16 +54,6 @@ octopus:
 mountPath: /Octopus/.diagnostics
 sizeLimit: "100Mi"
- podSecurityContext:
- fsGroup: 999
- fsGroupChangePolicy: OnRootMismatch
-
- containerSecurityContext:
- runAsNonRoot: true
- runAsGroup: 999
- runAsUser: 999
- readOnlyRootFilesystem: true
-
 serverConfigurationDirectory: /home/octopus/.local
 mssql:
diff --git a/charts/octopus-deploy/values.yaml b/charts/octopus-deploy/values.yaml
index 6526bb93..02019a9a 100644
--- a/charts/octopus-deploy/values.yaml
+++ b/charts/octopus-deploy/values.yaml
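Review bot: In the mssql values.yaml hunk, `containerSecurityContext.capabilities.add` grants `NET_BIND_SERVICE`, which only matters for binding a port below 1024; the service port in the same hunk is 1433 and the container port comes from `containers.ports.containerPort` (its default is outside this hunk), so unless that is deliberately set to a privileged port the grant widens the capability set for no benefit and the `add:` list should be removed, leaving `drop: - ALL` in place. The new `serviceAccount` stanza omits the `name` key that `mssql.serviceAccountName` reads via `.Values.serviceAccount.name`; add `name: ""  # existing account to use; derived from the release name when empty` so the override is discoverable. A comment above `containerSecurityContext` noting that `runAsUser: 10001` is paired with the `fsGroup: 10001` applied to the pod's volumes would explain why the README asks for the `nonroot-v2` SCC on OpenShift. The file still ends without a trailing newline (`\ No newline at end of file`).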
@@ -178,11 +178,18 @@ octopus:
 - watch
 - list
 # Pod security context settings
- podSecurityContext: {}
+ podSecurityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 # Container security context settings
 # IMPORTANT: When enableDockerInDocker is true (default), the container must run as privileged.
 # If setting security contexts that conflict with privileged mode, set enableDockerInDocker to false.
- containerSecurityContext: {}
+ containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
 # Custom directory for Octopus server configuration when using non-root security contexts
 serverConfigurationDirectory: