diff --git a/charts/testkube-enterprise/Chart.yaml b/charts/testkube-enterprise/Chart.yaml index e6e31da4e..f93609e50 100644 --- a/charts/testkube-enterprise/Chart.yaml +++ b/charts/testkube-enterprise/Chart.yaml @@ -20,7 +20,7 @@ dependencies: repository: file://../testkube-worker-service - name: testkube alias: testkube-agent - version: 2.1.122 + version: 2.1.123 repository: https://kubeshop.github.io/helm-charts condition: testkube-agent.enabled - name: dex diff --git a/charts/testkube-enterprise/values.yaml b/charts/testkube-enterprise/values.yaml index ea50861dd..5d522c39a 100644 --- a/charts/testkube-enterprise/values.yaml +++ b/charts/testkube-enterprise/values.yaml @@ -120,7 +120,16 @@ sharedSecretGenerator: # -- Toggle whether to enable the Shared Secret Generator Job enabled: false # -- Pod Security Context for the Shared Secret Generator Job - securityContext: {} + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 1001 + runAsGroup: 1001 + fsGroup: 1001 + capabilities: + drop: ["ALL"] + seccompProfile: + type: RuntimeDefault # -- Container Security Context for the Shared Secret Generator Job containerSecurityContext: {} # -- Resources for the Shared Secret Generator Job @@ -188,6 +197,7 @@ minio: affinity: {} # MinIO Pod Security Context podSecurityContext: + runAsNonRoot: true # -- Toggle whether to render the pod security context enabled: true fsGroup: 1001 @@ -250,8 +260,11 @@ testkube-cloud-api: repository: kubeshop/testkube-migration tag: 1.11.6 # -- Pod Security Context - podSecurityContext: {} - # fsGroup: 2000 + podSecurityContext: + runAsNonRoot: true + runAsUser: 1001 + runAsGroup: 1001 + fsGroup: 1001 # -- Container Security Context securityContext: readOnlyRootFilesystem: true 
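Review bot: The `sharedSecretGenerator.securityContext` value, documented as the Pod Security Context for the Job, now mixes pod-only and container-only fields. `fsGroup` is valid only in a pod-level securityContext, while `allowPrivilegeEscalation` and `capabilities` are valid only on a container. Whichever level the Job template renders this map at (the template is not part of this diff), some keys will be rejected or dropped by the API server, and `containerSecurityContext` on the following line is still `{}`. Moving the container-only keys into `containerSecurityContext` keeps both maps valid, as sketched below.

```yaml
  securityContext:
    # … unchanged: runAsNonRoot, runAsUser, runAsGroup, fsGroup, seccompProfile …
  # -- Container Security Context for the Shared Secret Generator Job
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
```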
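Review bot: `runAsNonRoot: true` in the minio `podSecurityContext` is added without a helm-docs comment and, within this hunk, without a `runAsUser`. Pod start-up therefore depends on the MinIO image declaring a numeric non-root user; if the image runs as root or names its user non-numerically, the kubelet refuses to start the container. Consider adding `# -- Require MinIO containers to run as a non-root user` above the key and, if the image supports it, an explicit `runAsUser` next to the existing `fsGroup: 1001`. This block also carries an `enabled` toggle, so it is worth confirming that the template renders every key in the map rather than only `fsGroup`. The minio block continues outside the hunk.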
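Review bot: The new `podSecurityContext` for testkube-cloud-api omits `seccompProfile`, which the sharedSecretGenerator block in this same commit does set. Unless the container-level contexts outside these hunks supply it, the pods will not satisfy the restricted Pod Security Standard. Adding `seccompProfile:` with `type: RuntimeDefault` under each pod-level map would make the hardening consistent. The same applies to the testkube-cloud-ui, testkube-worker-service, nats, mongodb and dex hunks. All six also hard-code UID/GID 1001 and drop the old `# fsGroup: 2000` hint, so a comment such as `# override on platforms that assign UIDs (e.g. OpenShift)` would help, and each image should be confirmed to run under 1001.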
@@ -449,8 +462,11 @@ testkube-cloud-ui: repository: kubeshop/testkube-enterprise-ui tag: 2.8.3 # -- Pod Security Context - podSecurityContext: {} - # fsGroup: 2000 + podSecurityContext: + runAsNonRoot: true + runAsUser: 1001 + runAsGroup: 1001 + fsGroup: 1001 # -- Container Security Context securityContext: readOnlyRootFilesystem: true @@ -502,8 +518,11 @@ testkube-worker-service: repository: kubeshop/testkube-enterprise-worker-service tag: 1.11.6 # -- Pod Security Context - podSecurityContext: {} - # fsGroup: 2000 + podSecurityContext: + runAsNonRoot: true + runAsUser: 1001 + runAsGroup: 1001 + fsGroup: 1001 # -- Container Security Context securityContext: readOnlyRootFilesystem: true @@ -531,6 +550,12 @@ nats: # -- Toggle whether to install NATS enabled: true fullnameOverride: testkube-enterprise-nats + # -- NATS Pod Security Context + podSecurityContext: + runAsNonRoot: true + runAsUser: 1001 + runAsGroup: 1001 + fsGroup: 1001 # Uncomment if you want to provide a different image or pullPolicy container: merge: @@ -685,7 +710,11 @@ mongodb: tolerations: [] # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod # -- MongoDB Pod Security Context - podSecurityContext: {} + podSecurityContext: + runAsNonRoot: true + runAsUser: 1001 + runAsGroup: 1001 + fsGroup: 1001 # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container # -- Security Context for MongoDB container containerSecurityContext: {} @@ -775,7 +804,11 @@ dex: securityContext: {} # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod # -- Dex Pod Security Context - podSecurityContext: {} + podSecurityContext: + runAsNonRoot: true + runAsUser: 1001 + runAsGroup: 1001 + fsGroup: 1001 # -- Set resources requests and limits for Dex Service resources: requests:
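Review bot: The `podSecurityContext` key added directly under `nats:` may never reach the NATS pods. The surrounding context (`container:` / `merge:`) suggests the subchart uses the merge-style values layout, where pod-level settings are normally supplied through `podTemplate.merge.spec` rather than a top-level `podSecurityContext`. If so, Helm accepts the unknown key silently and the StatefulSet renders without any of these settings. Please confirm with `helm template` against the pinned NATS chart version; if the key is ignored, the form below should apply, merged into any existing `podTemplate` block outside this hunk.

```yaml
  # -- NATS Pod Security Context
  podTemplate:
    merge:
      spec:
        securityContext:
          runAsNonRoot: true
          runAsUser: 1001
          runAsGroup: 1001
          fsGroup: 1001
```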