Pass SecurityContext in all the AppRepo Controller's jobs #6605

Closed
617 changes: 310 additions & 307 deletions chart/kubeapps/README.md

15 changes: 10 additions & 5 deletions chart/kubeapps/templates/apprepository/apprepositories.yaml
Expand Up @@ -26,12 +26,14 @@ spec:
- {{ . }}
{{- end }}
{{- end }}
{{- if or $.Values.apprepository.containerSecurityContext.enabled $.Values.apprepository.initialReposProxy.enabled .nodeSelector }}
{{- if or $.Values.apprepository.podSecurityContext.enabled $.Values.apprepository.containerSecurityContext.enabled $.Values.apprepository.initialReposProxy.enabled .nodeSelector .tolerations}}
syncJobPodTemplate:
spec:
{{- if $.Values.apprepository.initialReposProxy.enabled }}
{{- if or $.Values.apprepository.initialReposProxy.enabled $.Values.apprepository.containerSecurityContext.enabled }}
containers:
- env:
-
{{- if $.Values.apprepository.initialReposProxy.enabled }}
env:
- name: https_proxy
value: {{ $.Values.apprepository.initialReposProxy.httpsProxy }}
- name: http_proxy
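Review bot: the widened guard now ends in `.tolerations}}` with no space before `}}`, unlike every other action in this template; cosmetic, but worth aligning. More substantively, when `initialReposProxy.enabled` is false and `containerSecurityContext.enabled` is true, the container entry renders as a bare `-` whose following `{{- if ... }}` trims the whitespace, so the first key under it becomes `securityContext:` from the next hunk. That is valid YAML, but the entry still carries no `name`, so it depends on the controller merging this template onto the generated job container; a `helm template` run with exactly that combination of values would confirm the rendered indentation.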
Expand All @@ -40,8 +42,11 @@ spec:
value: {{ $.Values.apprepository.initialReposProxy.noProxy }}
{{- end }}
{{- if $.Values.apprepository.containerSecurityContext.enabled }}
securityContext:
runAsUser: {{ $.Values.apprepository.containerSecurityContext.runAsUser }}
securityContext: {{- omit $.Values.apprepository.containerSecurityContext "enabled" | toYaml | nindent 12 }}
{{- end }}
{{- end }}
{{- if $.Values.apprepository.podSecurityContext.enabled }}
securityContext: {{- omit $.Values.apprepository.podSecurityContext "enabled" | toYaml | nindent 8 }}
{{- end }}
{{- if .nodeSelector }}
nodeSelector: {{- toYaml .nodeSelector | nindent 8 }}
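Review bot: `omit $.Values.apprepository.containerSecurityContext "enabled" | toYaml` forwards every key from values to the sync job container, which with the new defaults includes `readOnlyRootFilesystem: true` and `allowPrivilegeEscalation: false`; please confirm the sync job does not write to its root filesystem, or give it a writable `emptyDir` for temporary data. Also, `nindent 12` for the container context and `nindent 8` for the pod context have to line up with the `- env:` item and with `spec:` respectively; rendering the chart with both contexts enabled and running the output through a YAML linter would catch an off-by-one indent before the controller sees it.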
6 changes: 6 additions & 0 deletions chart/kubeapps/templates/apprepository/deployment.yaml
Expand Up @@ -121,6 +121,12 @@ spec:
- --custom-labels={{ (print $key "=" $value) | quote }}
{{- end }}
{{- end }}
{{- if.Values.apprepository.containerSecurityContext.enabled }}
- --default-container-security-context={{ toJson .Values.apprepository.containerSecurityContext | squote }}
{{- end }}
{{- if.Values.apprepository.podSecurityContext.enabled }}
- --default-pod-security-context={{ toJson .Values.apprepository.podSecurityContext | squote }}
{{- end }}
{{- range .Values.apprepository.extraFlags }}
- {{ . }}
{{- end }}
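Review bot: `toJson ... | squote` wraps the JSON in literal single quotes inside a YAML list item that starts with `--`, so the quotes become part of the argument string rather than YAML quoting; unless the controller strips them, the flag value will not parse as JSON. Quoting the whole item is safer, e.g. `- {{ printf "--default-container-security-context=%s" (toJson (omit .Values.apprepository.containerSecurityContext "enabled")) | quote }}`. That form also drops the chart-only `enabled: true` key, which apprepositories.yaml already strips with `omit ... "enabled"` but which this hunk serialises into the JSON the controller has to unmarshal. Finally, `{{- if.Values.apprepository...` is missing the space after `if` on both new guards; Go templates happen to accept `.` as a terminator, but the rest of the chart writes `{{- if .Values...`.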
2 changes: 0 additions & 2 deletions chart/kubeapps/templates/kubeappsapis/deployment.yaml
Expand Up @@ -189,15 +189,13 @@ spec:
livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.kubeappsapis.livenessProbe "enabled") "context" $) | nindent 12 }}
exec:
command: ["grpc_health_probe", "-addr=:{{ .Values.kubeappsapis.containerPorts.http }}"]
initialDelaySeconds: 10
{{- end }}
{{- if .Values.kubeappsapis.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.kubeappsapis.customReadinessProbe "context" $) | nindent 12 }}
{{- else if .Values.kubeappsapis.readinessProbe.enabled }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.kubeappsapis.readinessProbe "enabled") "context" $) | nindent 12 }}
exec:
command: ["grpc_health_probe", "-addr=:{{ .Values.kubeappsapis.containerPorts.http }}"]
initialDelaySeconds: 5
{{- end }}
{{- if .Values.kubeappsapis.customStartupProbe }}
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.kubeappsapis.customStartupProbe "context" $) | nindent 12 }}
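Review bot: good fix for what was a duplicated key: `common.tplvalues.render` already emits `initialDelaySeconds` from `(omit .Values.kubeappsapis.livenessProbe "enabled")`, so the literal `10`/`5` that followed it produced the same key twice in one mapping, and the effective value depended on which one the YAML parser kept. With the literals gone, the probe timing comes solely from values.yaml, so the defaults there must carry the intended delays; this PR sets them to 10 and 5, matching the removed lines.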
48 changes: 42 additions & 6 deletions chart/kubeapps/values.yaml
Expand Up @@ -292,16 +292,22 @@ frontend:
podSecurityContext:
enabled: true
fsGroup: 1001
## Configure Container Security Context (only main container)
## Configure Container Security Context for NGINX
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param frontend.containerSecurityContext.enabled Enabled NGINX containers' Security Context
## @param frontend.containerSecurityContext.runAsUser Set NGINX container's Security Context runAsUser
## @param frontend.containerSecurityContext.runAsGroup Set NGINX container's Security Context runAsUser
## @param frontend.containerSecurityContext.runAsNonRoot Set NGINX container's Security Context runAsNonRoot
## @param frontend.containerSecurityContext.allowPrivilegeEscalation Set NGINX container's Security Context runAsNonRoot
## @param frontend.containerSecurityContext.readOnlyRootFilesystem Set NGINX container's Security Context runAsNonRoot
##
containerSecurityContext:
enabled: true
runAsUser: 1001
runAsGroup: 10001
runAsNonRoot: true
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
## Configure extra options for frontend containers' liveness and readiness probes
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
## @param frontend.livenessProbe.enabled Enable livenessProbe
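Review bot: the new `@param` descriptions for `runAsGroup`, `allowPrivilegeEscalation` and `readOnlyRootFilesystem` were copied from the lines above and still say `runAsUser` and `runAsNonRoot`; the README table is generated from these annotations, so the wrong text will land in the docs. The kubeappsapis block further down this file has the correct wording to copy. Separately, `runAsGroup: 10001` sitting next to `runAsUser: 1001` and `fsGroup: 1001` looks like an extra digit; please confirm it is intentional.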
Expand Down Expand Up @@ -643,16 +649,22 @@ dashboard:
podSecurityContext:
enabled: true
fsGroup: 1001
## Configure Container Security Context (only main container)
## Configure Container Security Context Dashboard
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param dashboard.containerSecurityContext.enabled Enabled Dashboard containers' Security Context
## @param dashboard.containerSecurityContext.runAsUser Set Dashboard container's Security Context runAsUser
## @param dashboard.containerSecurityContext.runAsGroup Set Dashboard container's Security Context runAsUser
## @param dashboard.containerSecurityContext.runAsNonRoot Set Dashboard container's Security Context runAsNonRoot
## @param dashboard.containerSecurityContext.allowPrivilegeEscalation Set Dashboard container's Security Context runAsNonRoot
## @param dashboard.containerSecurityContext.readOnlyRootFilesystem Set Dashboard container's Security Context runAsNonRoot
##
containerSecurityContext:
enabled: true
runAsUser: 1001
runAsGroup: 10001
runAsNonRoot: true
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
## Configure extra options for Dashboard containers' liveness and readiness probes
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
## @param dashboard.livenessProbe.enabled Enable livenessProbe
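Review bot: same copy-paste in the `@param` descriptions as in the frontend block (`runAsGroup` documented as runAsUser, `allowPrivilegeEscalation` and `readOnlyRootFilesystem` documented as runAsNonRoot), and the same `runAsGroup: 10001` versus `1001` question.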
Expand Down Expand Up @@ -990,16 +1002,22 @@ apprepository:
podSecurityContext:
enabled: true
fsGroup: 1001
## Configure Container Security Context (only main container)
## Configure Container Security Context for App Repository jobs
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param apprepository.containerSecurityContext.enabled Enabled AppRepository Controller containers' Security Context
## @param apprepository.containerSecurityContext.runAsUser Set AppRepository Controller container's Security Context runAsUser
## @param apprepository.containerSecurityContext.runAsGroup Set AppRepository Controller container's Security Context runAsUser
## @param apprepository.containerSecurityContext.runAsNonRoot Set AppRepository Controller container's Security Context runAsNonRoot
## @param apprepository.containerSecurityContext.allowPrivilegeEscalation Set AppRepository Controller container's Security Context runAsNonRoot
## @param apprepository.containerSecurityContext.readOnlyRootFilesystem Set AppRepository Controller container's Security Context runAsNonRoot
##
containerSecurityContext:
enabled: true
runAsUser: 1001
runAsGroup: 10001
runAsNonRoot: true
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
## @param apprepository.lifecycleHooks Custom lifecycle hooks for AppRepository Controller containers
##
lifecycleHooks: {}
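Review bot: the `@param` descriptions here have the same copied `runAsUser`/`runAsNonRoot` text as the frontend and dashboard blocks, and the same `runAsGroup: 10001` oddity. This block also deserves a line in the PR description: it is what deployment.yaml serialises into `--default-container-security-context`, so `readOnlyRootFilesystem: true` and `allowPrivilegeEscalation: false` become the default for every sync and cleanup job on existing installs that upgrade without overriding these values.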
Expand Down Expand Up @@ -1242,12 +1260,18 @@ authProxy:
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param authProxy.containerSecurityContext.enabled Enabled Auth Proxy containers' Security Context
## @param authProxy.containerSecurityContext.runAsUser Set Auth Proxy container's Security Context runAsUser
## @param authProxy.containerSecurityContext.runAsGroup Set Auth Proxy container's Security Context runAsUser
## @param authProxy.containerSecurityContext.runAsNonRoot Set Auth Proxy container's Security Context runAsNonRoot
## @param authProxy.containerSecurityContext.allowPrivilegeEscalation Set Auth Proxy container's Security Context runAsNonRoot
## @param authProxy.containerSecurityContext.readOnlyRootFilesystem Set Auth Proxy container's Security Context runAsNonRoot
##
containerSecurityContext:
enabled: true
runAsUser: 1001
runAsGroup: 10001
runAsNonRoot: true
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
## OAuth2 Proxy containers' resource requests and limits
## ref: https://kubernetes.io/docs/user-guide/compute-resources/
## @param authProxy.resources.limits.cpu The CPU limits for the OAuth2 Proxy container
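Review bot: `runAsGroup`, `allowPrivilegeEscalation` and `readOnlyRootFilesystem` are again described as runAsUser and runAsNonRoot in the `@param` lines; please fix before the README is regenerated. Same `runAsGroup: 10001` question as in the other blocks.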
Expand Down Expand Up @@ -1354,12 +1378,18 @@ pinnipedProxy:
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param pinnipedProxy.containerSecurityContext.enabled Enabled Pinniped Proxy containers' Security Context
## @param pinnipedProxy.containerSecurityContext.runAsUser Set Pinniped Proxy container's Security Context runAsUser
## @param pinnipedProxy.containerSecurityContext.runAsGroup Set Pinniped Proxy container's Security Context runAsUser
## @param pinnipedProxy.containerSecurityContext.runAsNonRoot Set Pinniped Proxy container's Security Context runAsNonRoot
## @param pinnipedProxy.containerSecurityContext.allowPrivilegeEscalation Set Pinniped Proxy container's Security Context runAsNonRoot
## @param pinnipedProxy.containerSecurityContext.readOnlyRootFilesystem Set Pinniped Proxy container's Security Context runAsNonRoot
##
containerSecurityContext:
enabled: true
runAsUser: 1001
runAsGroup: 10001
runAsNonRoot: true
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
## Pinniped Proxy containers' resource requests and limits
## ref: https://kubernetes.io/docs/user-guide/compute-resources/
## @param pinnipedProxy.resources.limits.cpu The CPU limits for the Pinniped Proxy container
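Review bot: same `@param` description copy-paste as the frontend, dashboard, apprepository and authProxy blocks (`runAsGroup` as runAsUser; `allowPrivilegeEscalation` and `readOnlyRootFilesystem` as runAsNonRoot), and the same `runAsGroup: 10001` value to confirm.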
Expand Down Expand Up @@ -1657,16 +1687,22 @@ kubeappsapis:
podSecurityContext:
enabled: true
fsGroup: 1001
## Configure Container Security Context (only main container)
## Configure Container Security Context for Kubeapps APIs
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param kubeappsapis.containerSecurityContext.enabled Enabled KubeappsAPIs containers' Security Context
## @param kubeappsapis.containerSecurityContext.runAsUser Set KubeappsAPIs container's Security Context runAsUser
## @param kubeappsapis.containerSecurityContext.runAsGroup Set KubeappsAPIs container's Security Context runAsGroup
## @param kubeappsapis.containerSecurityContext.runAsNonRoot Set KubeappsAPIs container's Security Context runAsNonRoot
## @param kubeappsapis.containerSecurityContext.allowPrivilegeEscalation Set KubeappsAPIs container's Security Context allowPrivilegeEscalation
## @param kubeappsapis.containerSecurityContext.readOnlyRootFilesystem Set KubeappsAPIs container's Security Context readOnlyRootFilesystem
##
containerSecurityContext:
enabled: true
runAsUser: 1001
runAsGroup: 10001
runAsNonRoot: true
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
## Configure extra options for KubeappsAPIs containers' liveness and readiness probes
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
## @param kubeappsapis.livenessProbe.enabled Enable livenessProbe
Expand All @@ -1680,7 +1716,7 @@ kubeappsapis:
##
livenessProbe:
enabled: true
initialDelaySeconds: 60
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 6
Expand All @@ -1694,7 +1730,7 @@ kubeappsapis:
##
readinessProbe:
enabled: true
initialDelaySeconds: 0
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 6
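Review bot: both new probe defaults (liveness `initialDelaySeconds` 60 to 10, readiness 0 to 5) reproduce the literals removed from kubeappsapis/deployment.yaml, so default installs keep the same effective timing now that the template no longer overrides values.yaml. Anyone who had tuned `kubeappsapis.livenessProbe.initialDelaySeconds` in their own values will now actually see that setting take effect, which is the intended behaviour but is worth a sentence in the PR description.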
7 changes: 3 additions & 4 deletions cmd/apprepository-controller/cmd/root.go
Expand Up @@ -85,13 +85,12 @@ func setFlags(c *cobra.Command) {
c.Flags().StringVar(&serveOpts.DBSecretKey, "database-secret-key", "postgresql-root-password", "Kubernetes secret key used for database credentials")
c.Flags().StringVar(&serveOpts.UserAgentComment, "user-agent-comment", "", "UserAgent comment used during outbound requests")
c.Flags().StringVar(&serveOpts.Crontab, "crontab", "*/10 * * * *", "CronTab to specify schedule")
// TTLSecondsAfterFinished specifies the number of seconds a sync job should live after finishing.
// The support for this is currently beta in K8s (v1.21), older versions require a feature gate being set to enable it.
// See https://kubernetes.io/docs/concepts/workloads/controllers/job/#clean-up-finished-jobs-automatically
c.Flags().StringVar(&serveOpts.TTLSecondsAfterFinished, "ttl-lifetime-afterfinished-job", "3600", "Lifetime limit after which the resource Jobs are deleted expressed in seconds by default is 3600 (1h) ")
c.Flags().StringVar(&serveOpts.TTLSecondsAfterFinished, "ttl-lifetime-afterfinished-job", "3600", "Lifetime limit after which the resource Jobs are deleted expressed in seconds by default is 3600 (1h)")
c.Flags().StringSliceVar(&serveOpts.CustomAnnotations, "custom-annotations", []string{""}, "optional annotations to be passed to the generated CronJobs, Jobs and Pods objects. For example: my/annotation=foo")
c.Flags().StringSliceVar(&serveOpts.CustomLabels, "custom-labels", []string{""}, "optional labels to be passed to the generated CronJobs, Jobs and Pods objects. For example: my/label=foo")
c.Flags().BoolVar(&serveOpts.V1Beta1CronJobs, "v1-beta1-cron-jobs", false, "Defaults to false and so using the v1 cronjobs.")
c.Flags().StringVar(&serveOpts.DefaultPodSecContext, "default-pod-security-context", "", "Default Pod Security Context to use for the cleanup jobs and sync jobs (unless overridden by the CRD)")
c.Flags().StringVar(&serveOpts.DefaultContainerSecContext, "default-container-security-context", "", "Default Container Security Context to use for the cleanup jobs and sync jobs (unless overridden by the CRD)")
}

// initConfig reads in config file and ENV variables if set.
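Review bot: the help strings for `--default-pod-security-context` and `--default-container-security-context` do not say what format the value takes; the chart passes a JSON-encoded `SecurityContext`, so the description should state that (and ideally what the controller does when the JSON fails to parse). The three comment lines explaining `TTLSecondsAfterFinished` and its beta status were deleted rather than updated; the feature is GA since Kubernetes 1.23, so a one-line comment with the link would still help readers of that flag. The trailing-space fix in the TTL description itself is fine.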