chore: add container security context (#41)

* chore: add container security context * trigger build * fix vulnerabilities * upgrade schema-registry version
hypertrace · Jun 27, 2024 · 3010096 · 3010096
1 parent ccc4e8c
commit 3010096
Show file tree

Hide file tree

Showing 4 changed files with 54 additions and 23 deletions.
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -1,19 +1,13 @@
 FROM ubuntu:22.04 AS install
 
 # Use latest stable release here
-ENV CONFLUENT_VERSION=7.5.2
+ENV CONFLUENT_VERSION=7.5.4
 
 USER root
 WORKDIR /install
 COPY install.sh /tmp/
 RUN apt-get update && apt-get install curl -y
 RUN /tmp/install.sh && rm /tmp/install.sh
-RUN rm /install/share/java/schema-registry/zookeeper-3.6.3.jar /install/share/java/schema-registry/zookeeper-jute-3.6.3.jar && \
-    rm /install/share/java/kafka/zookeeper-3.6.4.jar /install/share/java/kafka/zookeeper-jute-3.6.4.jar && \
-    curl -sSL -o /install/share/java/schema-registry/zookeeper-3.8.3.jar https://repo1.maven.org/maven2/org/apache/zookeeper/zookeeper/3.8.3/zookeeper-3.8.3.jar && \
-    curl -sSL -o /install/share/java/schema-registry/zookeeper-jute-3.8.3.jar https://repo1.maven.org/maven2/org/apache/zookeeper/zookeeper-jute/3.8.3/zookeeper-jute-3.8.3.jar && \
-    cp /install/share/java/schema-registry/zookeeper-3.8.3.jar /install/share/java/kafka/zookeeper-3.8.3.jar && \
-    cp /install/share/java/schema-registry/zookeeper-jute-3.8.3.jar /install/share/java/kafka/zookeeper-jute-3.8.3.jar
 
 # Share the same base image to reduce layers
 FROM hypertrace/java:11

diff --git a/helm/templates/cronjob.yaml b/helm/templates/cronjob.yaml
@@ -26,13 +26,13 @@ spec:
         metadata:
           labels:
             app: {{ include "schema-registry.name" . }}-backup
-          {{- with .Values.backup.podLabels }}
+            {{- with .Values.backup.podLabels }}
             {{- toYaml . | nindent 12 }}
-          {{- end }}
-        {{- if .Values.backup.podAnnotations }}
+            {{- end }}
+          {{- if .Values.backup.podAnnotations }}
           annotations:
             {{- toYaml .Values.backup.podAnnotations | nindent 12 }}
-        {{- end }}
+          {{- end }}
         spec:
           restartPolicy: OnFailure
           containers:
@@ -43,6 +43,8 @@ spec:
                 - "/bin/bash"
                 - "-cx"
                 - |
+                  cd /backup
+                  export HOME=/backup
                   timestamp=$(date +%Y-%m-%d-%H-%M-%S)
                   month=${timestamp:0:7}
                   unset JMX_PORT KAFKA_OPTS KAFKA_HEAP_OPTS KAFKA_LOG4J_OPTS
@@ -60,6 +62,10 @@ spec:
               env:
                 - name: CLUSTER_NAME
                   value: {{ .Values.backup.cluster }}
+                - name: KAFKA_BOOTSTRAP_SERVERS
+                  value: {{ template "schema-registry.kafka.bootstrapServers" . }}
+                - name: KAFKA_TOPIC
+                  value: {{ .Values.backup.topic }}
                 {{- if .Values.backup.gcloud }}
                 - name: BUCKET
                   value: {{ .Values.backup.gcloud.bucket }}
@@ -70,19 +76,30 @@ spec:
                 - name: S3_BUCKET
                   value: {{ .Values.backup.aws.bucket }}
                 {{- end }}
-                - name: KAFKA_BOOTSTRAP_SERVERS
-                  value: {{ template "schema-registry.kafka.bootstrapServers" . }}
-                - name: KAFKA_TOPIC
-                  value: {{ .Values.backup.topic }}
-              {{- if .Values.backup.gcloud }}
+              {{- with .Values.backup.resources }}
+              resources:
+                {{- toYaml . | nindent 16 }}
+              {{- end }}
+              {{- with .Values.backup.containerSecurityContext }}
+              securityContext:
+                {{- toYaml . | nindent 16 }}
+              {{- end }}
               volumeMounts:
+                - name: backup-location
+                  mountPath: "/backup"
+                {{- if .Values.backup.gcloud }}
                 - name: gcs-iam-secret
                   mountPath: "/accounts"
+                {{- end }}
           volumes:
+            - name: backup-location
+              emptyDir: {}
+            {{- if .Values.backup.gcloud }}
             - name: gcs-iam-secret
               secret:
                 secretName: {{ .Values.backup.gcloud.secretName }}
-              {{- end }}
+            {{- end }}
+          enableServiceLinks: false
           {{- if .Values.backup.imagePullSecrets }}
           imagePullSecrets:
             {{- toYaml .Values.imagePullSecrets | nindent 12 }}
@@ -95,7 +112,7 @@ spec:
           nodeSelector:
             {{- toYaml . | nindent 12 }}
           {{- end }}
-          {{- with .Values.backup.securityContext }}
+          {{- with .Values.backup.podSecurityContext }}
           securityContext:
             {{- toYaml . | nindent 12 }}
           {{- end }}

diff --git a/helm/templates/deployment.yaml b/helm/templates/deployment.yaml
@@ -41,6 +41,10 @@ spec:
               containerPort: {{ .Values.prometheus.jmx.port }}
           resources:
             {{- toYaml .Values.prometheus.jmx.resources | nindent 12 }}
+          {{- with .Values.containerSecurityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           volumeMounts:
             - name: jmx-config
               mountPath: /etc/jmx-schema-registry
@@ -94,7 +98,7 @@ spec:
             - name: JMX_PORT
               value: {{ .Values.jmx.port | quote }}
             {{- end }}
-          {{- with .Values.securityContext }}
+          {{- with .Values.containerSecurityContext }}
           securityContext:
             {{- toYaml . | nindent 12 }}
           {{- end }}
@@ -105,6 +109,7 @@ spec:
           configMap:
             name: {{ template "schema-registry.fullname" . }}-jmx-configmap
       {{- end }}
+      enableServiceLinks: false
       {{- if .Values.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml .Values.imagePullSecrets | nindent 8 }}

diff --git a/helm/values.yaml b/helm/values.yaml
@@ -79,7 +79,7 @@ podSecurityContext:
   seccompProfile:
     type: RuntimeDefault
 
-securityContext:
+containerSecurityContext:
   allowPrivilegeEscalation: false
   capabilities:
     drop:
@@ -124,12 +124,15 @@ prometheus:
     enabled: false
     image:
       repository: hypertrace/prometheus-jmx-exporter
-      tag: 0.1.3
+      tag: 0.1.7
       pullPolicy: IfNotPresent
     port: 5560
     resources:
+      limits:
+        cpu: "0.5"
+        memory: "512Mi"
       requests:
-        cpu: "0.25"
+        cpu: "0.1"
         memory: "256Mi"
 
 backup:
@@ -144,6 +147,7 @@ backup:
     pullPolicy: "IfNotPresent"
   imagePullSecrets: []
   cluster: "test"
+  resources: {}
   gcloud: {}
   # GCS Bucket Configuration
   # gcloud:
@@ -155,7 +159,18 @@ backup:
   #   bucket: bucketName/backups
   affinity: {}
   nodeSelector: {}
-  securityContext: {}
+  podSecurityContext: {}
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - ALL
+    runAsUser: 1000
+    runAsGroup: 1000
+    runAsNonRoot: true
+    readOnlyRootFilesystem: true
+    seccompProfile:
+      type: RuntimeDefault
   tolerations: []
   podAnnotations: {}
   podLabels: {}