fix: improve kube pod security (#4367)

charts/ftl/templates/_helpers.tpl

@@ -120,4 +120,17 @@ readinessProbe:
   successThreshold: 1
   failureThreshold: 15
   {{- end }}
+{{- end -}}
+{{- define "ftl.securityContext" -}}
+securityContext:
+  runAsNonRoot: true
+  allowPrivilegeEscalation: false
+  readOnlyRootFilesystem: true
+  capabilities:
+      drop:
+          - "ALL"
+  seccompProfile:
+    type: RuntimeDefault
+  runAsUser: 1000
+  runAsGroup: 1000
 {{- end -}}

charts/ftl/templates/admin-deployment.yaml

@@ -69,5 +69,6 @@ spec:
               protocol: TCP
               hostPort: {{ .Values.admin.port }}
           {{- include "ftl.healthProbes" .Values.admin | nindent 10 }}
+          {{- include "ftl.securityContext" .Values.timeline | nindent 10 }}
       {{- include "ftl.commonPodConfig" .Values.admin | nindent 6 }}
 

charts/ftl/templates/console-deployment.yaml

@@ -66,6 +66,7 @@ spec:
               protocol: {{ .protocol | default "TCP" }}
             {{- end }}
           {{- include "ftl.healthProbes" .Values.console | nindent 10 }}
+          {{- include "ftl.securityContext" .Values.timeline | nindent 10 }}
       {{- include "ftl.commonPodConfig" .Values.console | nindent 6 }}
 
 {{- end }}

charts/ftl/templates/controller-deployment.yaml

@@ -79,4 +79,5 @@ spec:
               containerPort: {{ .Values.controller.port }}
               protocol: "TCP"
           {{- include "ftl.healthProbes" .Values.controller | nindent 10 }}
+          {{- include "ftl.securityContext" .Values.timeline | nindent 10 }}
     {{- include "ftl.commonPodConfig" .Values.controller | nindent 6 }}

charts/ftl/templates/cron-deployment.yaml

@@ -43,4 +43,5 @@ spec:
               value: "http://{{ .Values.timeline.service.name }}:{{ .Values.timeline.service.port }}"
             - name: FTL_SCHEMA_ENDPOINT
               value: "http://ftl-schema:8892"
+          {{- include "ftl.securityContext" .Values.timeline | nindent 10 }}
       {{- include "ftl.commonPodConfig" .Values.cron | nindent 6 }}

charts/ftl/templates/http-ingress-deployment.yaml

@@ -61,6 +61,7 @@ spec:
               protocol: {{ .protocol | default "TCP" }}
             {{- end }}
           {{- include "ftl.healthProbes" .Values.ingress | nindent 10 }}
+          {{- include "ftl.securityContext" .Values.timeline | nindent 10 }}
       {{- include "ftl.commonPodConfig" .Values.ingress | nindent 6 }}
 
 

charts/ftl/templates/lease-deployment.yaml

@@ -62,4 +62,5 @@ spec:
               hostPort: {{ .Values.lease.port }}
               protocol: "TCP"
           {{- include "ftl.healthProbes" .Values.lease | nindent 10 }}
+          {{- include "ftl.securityContext" .Values.timeline | nindent 10 }}
       {{- include "ftl.commonPodConfig" .Values.lease | nindent 6 }}

charts/ftl/templates/provisioner-deployment.yaml

@@ -52,6 +52,7 @@ spec:
               name: config
             - mountPath: /working
               name: working
+          {{- include "ftl.securityContext" .Values.timeline | nindent 10 }}
       volumes:
         - name: config
           configMap:

charts/ftl/templates/runner.yaml

@@ -92,41 +92,14 @@ data:
                 - name: https
                   containerPort: {{ .Values.runner.port }}
                   protocol: "TCP"
-              readinessProbe:
-                {{- if .Values.runner.readinessProbe }}
-                {{- toYaml .Values.runner.readinessProbe | nindent 16 }}
-                {{- else }}
-                httpGet:
-                  path: /healthz
-                  port: {{ .Values.runner.port }}
-                initialDelaySeconds: 1
-                periodSeconds: 2
-                timeoutSeconds: 2
-                successThreshold: 1
-                failureThreshold: 15
-                {{- end }}
+              {{- include "ftl.healthProbes" .Values.timeline | nindent 14 }}
               volumeMounts:
                 - mountPath: /home/ubuntu/.cache
                   name: cache
           volumes:
             - name: cache
               emptyDir: {}
-          {{- if .Values.runner.nodeSelector }}
-          nodeSelector:
-            {{- toYaml .Values.runner.nodeSelector | nindent 12 }}
-          {{- end }}
-          {{- if .Values.runner.affinity }}
-          affinity:
-            {{- toYaml .Values.runner.affinity | nindent 12 }}
-          {{- end }}
-          {{- if .Values.runner.topologySpreadConstraints }}
-          topologySpreadConstraints:
-            {{- toYaml .Values.runner.topologySpreadConstraints | nindent 12 }}
-          {{- end }}
-          {{- if .Values.runner.tolerations }}
-          tolerations:
-            {{- toYaml .Values.runner.tolerations | nindent 12 }}
-          {{- end }}
+      {{- include "ftl.commonPodConfig" .Values.runner | nindent 10 }}
   serviceAccountTemplate: |-
     apiVersion: v1
     kind: ServiceAccount

charts/ftl/templates/schema-deployment.yaml

@@ -80,6 +80,7 @@ spec:
               containerPort: {{ .Values.schema.services.raft.containerPort }}
               protocol: "TCP"
           {{- include "ftl.healthProbes" .Values.schema | nindent 10 }}
+          {{- include "ftl.securityContext" .Values.timeline | nindent 10 }}
       {{- include "ftl.commonPodConfig" .Values.schema | nindent 6 }}
 
   volumeClaimTemplates:

charts/ftl/templates/timeline-deployment.yaml

@@ -53,6 +53,7 @@ spec:
               containerPort: {{ .Values.timeline.port }}
               protocol: "TCP"
           {{- include "ftl.healthProbes" .Values.timeline | nindent 10 }}
+          {{- include "ftl.securityContext" .Values.timeline | nindent 10 }}
       {{- include "ftl.commonPodConfig" .Values.timeline | nindent 6 }}
 
 {{- end }}