From 9b114e95a0f2128e9aa04fbbdcebd89e0d7d76d2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zsolt=20Kacs=C3=A1ndi?=
Date: Fri, 9 Aug 2024 10:26:08 +0200
Subject: [PATCH 1/6] test
---
 installation/kubernetes/helm/vmclarity/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/installation/kubernetes/helm/vmclarity/values.yaml b/installation/kubernetes/helm/vmclarity/values.yaml
index e5491f134..f14ad3b90 100644
--- a/installation/kubernetes/helm/vmclarity/values.yaml
+++ b/installation/kubernetes/helm/vmclarity/values.yaml
@@ -259,7 +259,7 @@ ui:
 podSecurityContext:
 # -- Pod security context enabled
- enabled: false
+ enabled: true
 # -- Pod security context fsGroup
 fsGroup: 101
From 259dd54e9b4b25fdd238d75707050a0242498737 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zsolt=20Kacs=C3=A1ndi?=
Date: Fri, 9 Aug 2024 10:34:21 +0200
Subject: [PATCH 2/6] test
---
 installation/kubernetes/helm/vmclarity/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/installation/kubernetes/helm/vmclarity/README.md b/installation/kubernetes/helm/vmclarity/README.md
index 11700ebe6..fbd82ca3a 100644
--- a/installation/kubernetes/helm/vmclarity/README.md
+++ b/installation/kubernetes/helm/vmclarity/README.md
@@ -304,7 +304,7 @@ secrets.
 | ui.image.registry | string | `"ghcr.io"` | UI image registry |
 | ui.image.repository | string | `"openclarity/vmclarity-ui"` | UI image repository |
 | ui.image.tag | string | `"latest"` | UI image tag |
-| ui.podSecurityContext.enabled | bool | `false` | Pod security context enabled |
+| ui.podSecurityContext.enabled | bool | `true` | Pod security context enabled |
 | ui.podSecurityContext.fsGroup | int | `101` | Pod security context fsGroup |
 | ui.replicas | int | `1` | Number of replicas for the UI service |
 | ui.resources.limits | object | `{}` | The resources limits for the UI containers |
From db3d3c06174544753d83375e6dea684f6ec1e1ca Mon Sep 17 00:00:00 2001
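Review bot: The comment above `enabled` still just says `Pod security context enabled`, giving no hint why the default is now on or why `fsGroup: 101` is the right group for the UI pod's volumes; since this is the value every chart user now inherits, spell it out, e.g. `# -- Pod security context enabled (on by default; fsGroup 101 is expected to match the nginx group of the UI image)`. Platforms that constrain the allowed fsGroup range (OpenShift SCCs, for instance) may reject 101, so the default flip deserves a line in the chart release notes naming the `ui.podSecurityContext.enabled=false` escape hatch. The `ui:` mapping this belongs to starts outside the hunk.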
From: =?UTF-8?q?Zsolt=20Kacs=C3=A1ndi?=
Date: Fri, 9 Aug 2024 11:01:59 +0200
Subject: [PATCH 3/6] test
---
 installation/kubernetes/helm/vmclarity/README.md | 2 +-
 installation/kubernetes/helm/vmclarity/values.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/installation/kubernetes/helm/vmclarity/README.md b/installation/kubernetes/helm/vmclarity/README.md
index fbd82ca3a..4c53ab9ca 100644
--- a/installation/kubernetes/helm/vmclarity/README.md
+++ b/installation/kubernetes/helm/vmclarity/README.md
@@ -293,7 +293,7 @@ secrets.
 | trivyServer.serviceAccount.name | string | `""` | The name of the ServiceAccount to use. If not set and create is true, it will use the component's calculated name. |
 | ui.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | Force the child process to run as non-privileged |
 | ui.containerSecurityContext.capabilities.drop | list | `["ALL"]` | List of capabilities to be dropped |
-| ui.containerSecurityContext.enabled | bool | `false` | Container security context enabled |
+| ui.containerSecurityContext.enabled | bool | `true` | Container security context enabled |
 | ui.containerSecurityContext.privileged | bool | `false` | Whether the container should run in privileged mode |
 | ui.containerSecurityContext.readOnlyRootFilesystem | bool | `true` | Mounts the container file system as ReadOnly |
 | ui.containerSecurityContext.runAsGroup | int | `101` | Group ID which the containers should run as |
diff --git a/installation/kubernetes/helm/vmclarity/values.yaml b/installation/kubernetes/helm/vmclarity/values.yaml
index f14ad3b90..f69d6c4ce 100644
--- a/installation/kubernetes/helm/vmclarity/values.yaml
+++ b/installation/kubernetes/helm/vmclarity/values.yaml
@@ -265,7 +265,7 @@ ui:
 containerSecurityContext:
 # -- Container security context enabled
- enabled: false
+ enabled: true
 # -- User ID which the containers should run as
 runAsUser: 101
 # -- Group ID which the containers should run as
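Review bot: Turning `enabled` on here makes the UI container run with `runAsUser: 101`, `capabilities.drop: ["ALL"]` and `readOnlyRootFilesystem: true` (the README rows in this same patch list them), but at this point in the series the UI image is still stock `nginx:1.27.0`, which listens on port 80 — a non-root process with no CAP_NET_BIND_SERVICE cannot bind it, so a default install will crash-loop until the image listens on an unprivileged port (patch 6 switches to `nginxinc/nginx-unprivileged`, which by default listens on 8080). This default flip should land in the same commit as the image/port switch, and the comment should record the dependency: `# -- Container security context enabled (requires a UI image that listens on a non-privileged port, e.g. nginx-unprivileged on 8080)`. The `ui:` mapping this belongs to starts outside the hunk.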
From 75829d6248ad432ff47a79eae30821e9a9baf020 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zsolt=20Kacs=C3=A1ndi?=
Date: Fri, 9 Aug 2024 11:52:11 +0200
Subject: [PATCH 4/6] test
---
 .../kubernetes/helm/vmclarity/templates/ui/deployment.yaml | 4 ++++
 installation/kubernetes/helm/vmclarity/values.yaml | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/installation/kubernetes/helm/vmclarity/templates/ui/deployment.yaml b/installation/kubernetes/helm/vmclarity/templates/ui/deployment.yaml
index 584469e0f..4f91c0a8b 100644
--- a/installation/kubernetes/helm/vmclarity/templates/ui/deployment.yaml
+++ b/installation/kubernetes/helm/vmclarity/templates/ui/deployment.yaml
@@ -38,9 +38,13 @@ spec:
 name: tmpfs-1
 - mountPath: /var/cache/nginx
 name: tmpfs-2
+ - mountPath: /tmp
+ name: tmpfs-3
 volumes:
 - name: tmpfs-1
 emptyDir: {}
 - name: tmpfs-2
 emptyDir: {}
+ - name: tmpfs-3
+ emptyDir: {}
 serviceAccountName: {{ include "vmclarity.ui.serviceAccountName" . }}
diff --git a/installation/kubernetes/helm/vmclarity/values.yaml b/installation/kubernetes/helm/vmclarity/values.yaml
index f69d6c4ce..f14ad3b90 100644
--- a/installation/kubernetes/helm/vmclarity/values.yaml
+++ b/installation/kubernetes/helm/vmclarity/values.yaml
@@ -265,7 +265,7 @@ ui:
 containerSecurityContext:
 # -- Container security context enabled
- enabled: true
+ enabled: false
 # -- User ID which the containers should run as
 runAsUser: 101
 # -- Group ID which the containers should run as
From 1f29cc264b769444c02afd1ebf14e8b9033ed109 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zsolt=20Kacs=C3=A1ndi?=
Date: Fri, 9 Aug 2024 11:58:23 +0200
Subject: [PATCH 5/6] test
---
 installation/kubernetes/helm/vmclarity/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/installation/kubernetes/helm/vmclarity/README.md b/installation/kubernetes/helm/vmclarity/README.md
index 4c53ab9ca..fbd82ca3a 100644
--- a/installation/kubernetes/helm/vmclarity/README.md
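Review bot: The new `tmpfs-3` volume for `/tmp`, like the existing `tmpfs-1`/`tmpfs-2`, is a bare `emptyDir: {}`, so despite the `tmpfs-` names it is node-disk-backed and unbounded; whatever the UI container writes there (presumably nginx temp files, not visible here) can grow until the node's ephemeral storage is exhausted and the pod is evicted. Give each writable scratch volume a cap, i.e. replace `emptyDir: {}` with `emptyDir:` followed by `sizeLimit: 64Mi` (and `medium: Memory` if these are genuinely meant to be tmpfs). The mountPath of `tmpfs-1` and the rest of the container spec are outside the hunk.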
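Review bot: Flipping `enabled` back to `false` leaves the hardened settings listed right below it (`runAsUser: 101`, and per the README the dropped capabilities and read-only root filesystem) as opt-in, so a default install runs the UI container with no securityContext at all; if the revert is because the stock nginx image cannot bind port 80 as UID 101, the fix is the image switch made later in this series, not disabling the context. Once the UI image listens on a non-privileged port this default should return to `enabled: true`; until then the comment should say why it is off: `# -- Container security context enabled (off by default until the UI image listens on a non-privileged port)`. The `ui:` mapping this belongs to starts outside the hunk.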
+++ b/installation/kubernetes/helm/vmclarity/README.md
@@ -293,7 +293,7 @@ secrets.
 | trivyServer.serviceAccount.name | string | `""` | The name of the ServiceAccount to use. If not set and create is true, it will use the component's calculated name. |
 | ui.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | Force the child process to run as non-privileged |
 | ui.containerSecurityContext.capabilities.drop | list | `["ALL"]` | List of capabilities to be dropped |
-| ui.containerSecurityContext.enabled | bool | `true` | Container security context enabled |
+| ui.containerSecurityContext.enabled | bool | `false` | Container security context enabled |
 | ui.containerSecurityContext.privileged | bool | `false` | Whether the container should run in privileged mode |
 | ui.containerSecurityContext.readOnlyRootFilesystem | bool | `true` | Mounts the container file system as ReadOnly |
 | ui.containerSecurityContext.runAsGroup | int | `101` | Group ID which the containers should run as |
From 08b3af2b08b3a5b29ea3f5e2135c10aed121fa80 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zsolt=20Kacs=C3=A1ndi?=
Date: Fri, 9 Aug 2024 12:26:06 +0200
Subject: [PATCH 6/6] test
---
 ui/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ui/Dockerfile b/ui/Dockerfile
index 8ea8200ab..993a4070a 100644
--- a/ui/Dockerfile
+++ b/ui/Dockerfile
@@ -20,7 +20,7 @@ RUN --mount=type=cache,target=/src/ui/node_modules \
 RUN --mount=type=cache,target=/src/ui/node_modules \
 npm run build --prefix /src/ui
-FROM nginx:1.27.0@sha256:6af79ae5de407283dcea8b00d5c37ace95441fd58a8b1d2aa1ed93f5511bb18c
+FROM nginxinc/nginx-unprivileged:1.27.0
 COPY --from=site-build ["/src/ui/build", "/usr/share/nginx/html"]
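Review bot: The new `FROM` line drops the `@sha256:` digest the old line carried, so `nginxinc/nginx-unprivileged:1.27.0` is now a mutable tag and the build is no longer pinned to a reviewed image — keep the pin as `FROM nginxinc/nginx-unprivileged:1.27.0@sha256:<digest of the image you verified>` (resolve it with `docker buildx imagetools inspect` and let the dependency bot keep it current, as it evidently did for the old line). Switching to the unprivileged image also changes the default listen port to 8080 and the runtime user to UID 101, so the chart's UI container port, service targetPort and probes (not in this hunk) need to agree with it, and the change should be called out in the release notes for anyone running the image outside the chart. The `site-build` stage and the rest of the Dockerfile are outside the hunk.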