Configure security contexts (#55)

* allow pod security contexts to be configured in values.yaml
* bump chart version
* fix value type on postgres extraEnvs

Signed-off-by: Brady Todhunter <[email protected]>

stable/anchore-engine/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
 name: anchore-engine
-version: 1.8.0
+version: 1.8.1
 appVersion: 0.8.0
 description: Anchore container analysis and policy evaluation engine service
 keywords:

stable/anchore-engine/charts/postgresql/values.yaml

@@ -157,4 +157,4 @@ podAnnotations: {}
 # strategy: {}
 
 # Define custom environment variables to pass to the image here
-extraEnv: {}
+extraEnv: []

stable/anchore-engine/templates/analyzer_deployment.yaml

@@ -40,9 +40,10 @@ spec:
         {{ toYaml . | nindent 8 }}
       {{- end }}
     spec:
+      {{- with .Values.anchoreGlobal.securityContext }}
       securityContext:
-        runAsUser: 1000
-        runAsGroup: 1000
+        {{ toYaml . | nindent 8 }}
+      {{- end }}
     {{- if .Values.anchoreEnterpriseGlobal.enabled }}
       imagePullSecrets:
       - name: {{ .Values.anchoreEnterpriseGlobal.imagePullSecretName }}

stable/anchore-engine/templates/api_deployment.yaml

@@ -40,9 +40,10 @@ spec:
         {{ toYaml . | nindent 8 }}
       {{- end }}
     spec:
+      {{- with .Values.anchoreGlobal.securityContext }}
       securityContext:
-        runAsUser: 1000
-        runAsGroup: 1000
+        {{ toYaml . | nindent 8 }}
+      {{- end }}
     {{- if .Values.anchoreEnterpriseGlobal.enabled }}
       imagePullSecrets:
       - name: {{ .Values.anchoreEnterpriseGlobal.imagePullSecretName }}

stable/anchore-engine/templates/catalog_deployment.yaml

@@ -40,9 +40,10 @@ spec:
         {{ toYaml . | nindent 8 }}
       {{- end }}
     spec:
+      {{- with .Values.anchoreGlobal.securityContext }}
       securityContext:
-        runAsUser: 1000
-        runAsGroup: 1000
+        {{ toYaml . | nindent 8 }}
+      {{- end }}
     {{- if .Values.anchoreEnterpriseGlobal.enabled }}
       imagePullSecrets:
       - name: {{ .Values.anchoreEnterpriseGlobal.imagePullSecretName }}

stable/anchore-engine/templates/engine_upgrade_job.yaml

@@ -19,9 +19,10 @@ spec:
         app.kubernetes.io/instance: {{ .Release.Name | quote }}
         helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
     spec:
+      {{- with .Values.anchoreGlobal.securityContext }}
       securityContext:
-        runAsUser: 1000
-        runAsGroup: 1000
+        {{ toYaml . | nindent 8 }}
+      {{- end }}
      {{- if .Values.anchoreEnterpriseGlobal.enabled }}
       imagePullSecrets:
       - name: {{ .Values.anchoreEnterpriseGlobal.imagePullSecretName }}

stable/anchore-engine/templates/enterprise_feeds_deployment.yaml

@@ -41,9 +41,10 @@ spec:
         {{ toYaml . | nindent 8 }}
       {{- end }}
     spec:
+      {{- with .Values.anchoreGlobal.securityContext }}
       securityContext:
-        runAsUser: 1000
-        runAsGroup: 1000
+        {{ toYaml . | nindent 8 }}
+      {{- end }}
       imagePullSecrets:
       - name: {{ .Values.anchoreEnterpriseGlobal.imagePullSecretName }}
       containers:

stable/anchore-engine/templates/enterprise_ui_deployment.yaml

@@ -45,9 +45,10 @@ spec:
         {{ toYaml . | nindent 8 }}
       {{- end }}
     spec:
+      {{- with .Values.anchoreGlobal.securityContext }}
       securityContext:
-        runAsUser: 1000
-        runAsGroup: 1000
+        {{ toYaml . | nindent 8 }}
+      {{- end }}
       imagePullSecrets:
       - name: {{ .Values.anchoreEnterpriseGlobal.imagePullSecretName }}
       containers:

stable/anchore-engine/templates/enterprise_upgrade_job.yaml

@@ -20,9 +20,10 @@ spec:
         app.kubernetes.io/instance: {{ .Release.Name | quote }}
         helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
     spec:
+      {{- with .Values.anchoreGlobal.securityContext }}
       securityContext:
-        runAsUser: 1000
-        runAsGroup: 1000
+        {{ toYaml . | nindent 8 }}
+      {{- end }}
       imagePullSecrets:
       - name: {{ .Values.anchoreEnterpriseGlobal.imagePullSecretName }}
       restartPolicy: Never

stable/anchore-engine/templates/policy_engine_deployment.yaml

@@ -40,9 +40,10 @@ spec:
         {{ toYaml . | nindent 8 }}
       {{- end }}
     spec:
+      {{- with .Values.anchoreGlobal.securityContext }}
       securityContext:
-        runAsUser: 1000
-        runAsGroup: 1000
+        {{ toYaml . | nindent 8 }}
+      {{- end }}
     {{- if .Values.anchoreEnterpriseGlobal.enabled }}
       imagePullSecrets:
       - name: {{ .Values.anchoreEnterpriseGlobal.imagePullSecretName }}

stable/anchore-engine/templates/simplequeue_deployment.yaml

@@ -40,9 +40,10 @@ spec:
         {{ toYaml . | nindent 8 }}
       {{- end }}
     spec:
+      {{- with .Values.anchoreGlobal.securityContext }}
       securityContext:
-        runAsUser: 1000
-        runAsGroup: 1000
+        {{ toYaml . | nindent 8 }}
+      {{- end }}
     {{- if .Values.anchoreEnterpriseGlobal.enabled }}
       imagePullSecrets:
       - name: {{ .Values.anchoreEnterpriseGlobal.imagePullSecretName }}

stable/anchore-engine/values.yaml

@@ -123,6 +123,12 @@ anchoreGlobal:
   # Certs and keys should be added using the file name the certificate is stored at. This secret will be mounted to /home/anchore/certs.
   certStoreSecretName: Null
 
+  # Specify your pod securityContext here, by default the anchore images utilize the user/group 'anchore' using uid/gid 1000
+  # To disable this securityContext comment out `runAsUser` & `runAsGroup`
+  securityContext:
+    runAsUser: 1000
+    runAsGroup: 1000
+
   ###
   # Start of General Anchore Engine Configurations (populates /config/config.yaml)
   ###