chore(ui): use nginx-unprivileged base image for the UI (#1983)

* chore(ui): use nginx-unprivileged base image for the UI * chore(ui): enable podSecurityContext and containerSecurityContext for the UI * docs(helm): update Helm docs * chore(ui): use nginx-unprivileged base image for the UI * chore(gcp): run gen-bicep
openclarity · Aug 9, 2024 · 42a2fd7 · 42a2fd7
1 parent 1d2f6c0
commit 42a2fd7
Show file tree

Hide file tree

Showing 11 changed files with 19 additions and 15 deletions.
diff --git a/installation/aws/VmClarity.cfn b/installation/aws/VmClarity.cfn
@@ -612,7 +612,7 @@ Resources:
 
                 http {
                     upstream ui {
-                        server ui:80;
+                        server ui:8080;
                     }
 
                     upstream uibackend {

diff --git a/installation/azure/vmclarity-install.sh b/installation/azure/vmclarity-install.sh
@@ -421,7 +421,7 @@ events {
 
 http {
     upstream ui {
-        server ui:80;
+        server ui:8080;
     }
 
     upstream uibackend {

diff --git a/installation/azure/vmclarity.json b/installation/azure/vmclarity.json
diff --git a/installation/docker/gateway.conf b/installation/docker/gateway.conf
@@ -1,5 +1,5 @@
 upstream ui {
-    server ui:80;
+    server ui:8080;
 }
 
 upstream uibackend {

diff --git a/installation/gcp/dm/components/vmclarity-install.sh b/installation/gcp/dm/components/vmclarity-install.sh
@@ -429,7 +429,7 @@ events {{
 
 http {{
     upstream ui {{
-        server ui:80;
+        server ui:8080;
     }}
 
     upstream uibackend {{

diff --git a/installation/kubernetes/helm/vmclarity/README.md b/installation/kubernetes/helm/vmclarity/README.md
@@ -293,7 +293,7 @@ secrets.
 | trivyServer.serviceAccount.name | string | `""` | The name of the ServiceAccount to use. If not set and create is true, it will use the component's calculated name. |
 | ui.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | Force the child process to run as non-privileged |
 | ui.containerSecurityContext.capabilities.drop | list | `["ALL"]` | List of capabilities to be dropped |
-| ui.containerSecurityContext.enabled | bool | `false` | Container security context enabled |
+| ui.containerSecurityContext.enabled | bool | `true` | Container security context enabled |
 | ui.containerSecurityContext.privileged | bool | `false` | Whether the container should run in privileged mode |
 | ui.containerSecurityContext.readOnlyRootFilesystem | bool | `true` | Mounts the container file system as ReadOnly |
 | ui.containerSecurityContext.runAsGroup | int | `101` | Group ID which the containers should run as |
@@ -304,7 +304,7 @@ secrets.
 | ui.image.registry | string | `"ghcr.io"` | UI image registry |
 | ui.image.repository | string | `"openclarity/vmclarity-ui"` | UI image repository |
 | ui.image.tag | string | `"latest"` | UI image tag |
-| ui.podSecurityContext.enabled | bool | `false` | Pod security context enabled |
+| ui.podSecurityContext.enabled | bool | `true` | Pod security context enabled |
 | ui.podSecurityContext.fsGroup | int | `101` | Pod security context fsGroup |
 | ui.replicas | int | `1` | Number of replicas for the UI service |
 | ui.resources.limits | object | `{}` | The resources limits for the UI containers |

diff --git a/installation/kubernetes/helm/vmclarity/templates/gateway/configmap.yaml b/installation/kubernetes/helm/vmclarity/templates/gateway/configmap.yaml
@@ -12,7 +12,7 @@ data:
     
     http {
         upstream ui {
-            server {{ printf "%s" (include "vmclarity.ui.name" .) }}:80;
+            server {{ printf "%s" (include "vmclarity.ui.name" .) }}:8080;
         }
     
         upstream uibackend {

diff --git a/installation/kubernetes/helm/vmclarity/templates/ui/deployment.yaml b/installation/kubernetes/helm/vmclarity/templates/ui/deployment.yaml
@@ -38,9 +38,13 @@ spec:
               name: tmpfs-1
             - mountPath: /var/cache/nginx
               name: tmpfs-2
+            - mountPath: /tmp
+              name: tmpfs-3
       volumes:
         - name: tmpfs-1
           emptyDir: {}
         - name: tmpfs-2
           emptyDir: {}
+        - name: tmpfs-3
+          emptyDir: {}
       serviceAccountName: {{ include "vmclarity.ui.serviceAccountName" . }}
diff --git a/installation/kubernetes/helm/vmclarity/values.yaml b/installation/kubernetes/helm/vmclarity/values.yaml
@@ -259,13 +259,13 @@ ui:
 
   podSecurityContext:
     # -- Pod security context enabled
-    enabled: false
+    enabled: true
     # -- Pod security context fsGroup
     fsGroup: 101
 
   containerSecurityContext:
     # -- Container security context enabled
-    enabled: false
+    enabled: true
     # -- User ID which the containers should run as
     runAsUser: 101
     # -- Group ID which the containers should run as

diff --git a/ui/Dockerfile b/ui/Dockerfile
@@ -20,7 +20,7 @@ RUN --mount=type=cache,target=/src/ui/node_modules \
 RUN --mount=type=cache,target=/src/ui/node_modules \
     npm run build --prefix /src/ui
 
-FROM nginx:1.27.0@sha256:6af79ae5de407283dcea8b00d5c37ace95441fd58a8b1d2aa1ed93f5511bb18c
+FROM nginxinc/nginx-unprivileged:1.27.0
 
 COPY --from=site-build ["/src/ui/build", "/usr/share/nginx/html"]
 

diff --git a/ui/nginx.conf b/ui/nginx.conf
@@ -1,6 +1,6 @@
 server {
-    listen       80;
-    listen  [::]:80;
+    listen       8080;
+    listen  [::]:8080;
     server_name  localhost;
 
     #access_log  /var/log/nginx/host.access.log  main;