feat: run as non-root

charts/testkube-enterprise/Chart.yaml

@@ -20,7 +20,7 @@ dependencies:
     repository: file://../testkube-worker-service
   - name: testkube
     alias: testkube-agent
-    version: 2.1.122
+    version: 2.1.123
     repository: https://kubeshop.github.io/helm-charts
     condition: testkube-agent.enabled
   - name: dex

charts/testkube-enterprise/values.yaml

@@ -120,7 +120,16 @@ sharedSecretGenerator:
   # -- Toggle whether to enable the Shared Secret Generator Job
   enabled: false
   # -- Pod Security Context for the Shared Secret Generator Job
-  securityContext: {}
+  securityContext:
+    allowPrivilegeEscalation: false
+    runAsNonRoot: true
+    runAsUser: 1001
+    runAsGroup: 1001
+    fsGroup: 1001
+    capabilities:
+      drop: ["ALL"]
+    seccompProfile:
+      type: RuntimeDefault
   # -- Container Security Context for the Shared Secret Generator Job
   containerSecurityContext: {}
   # -- Resources for the Shared Secret Generator Job
@@ -188,6 +197,7 @@ minio:
   affinity: {}
   # MinIO Pod Security Context
   podSecurityContext:
+    runAsNonRoot: true
     # -- Toggle whether to render the pod security context
     enabled: true
     fsGroup: 1001
@@ -250,8 +260,11 @@ testkube-cloud-api:
     repository: kubeshop/testkube-migration
     tag: 1.11.6
   # -- Pod Security Context
-  podSecurityContext: {}
-  # fsGroup: 2000
+  podSecurityContext:
+    runAsNonRoot: true
+    runAsUser: 1001
+    runAsGroup: 1001
+    fsGroup: 1001
   # -- Container Security Context
   securityContext:
     readOnlyRootFilesystem: true
@@ -449,8 +462,11 @@ testkube-cloud-ui:
     repository: kubeshop/testkube-enterprise-ui
     tag: 2.8.3
   # -- Pod Security Context
-  podSecurityContext: {}
-  # fsGroup: 2000
+  podSecurityContext:
+    runAsNonRoot: true
+    runAsUser: 1001
+    runAsGroup: 1001
+    fsGroup: 1001
   # -- Container Security Context
   securityContext:
     readOnlyRootFilesystem: true
@@ -502,8 +518,11 @@ testkube-worker-service:
     repository: kubeshop/testkube-enterprise-worker-service
     tag: 1.11.6
   # -- Pod Security Context
-  podSecurityContext: {}
-  # fsGroup: 2000
+  podSecurityContext:
+    runAsNonRoot: true
+    runAsUser: 1001
+    runAsGroup: 1001
+    fsGroup: 1001
   # -- Container Security Context
   securityContext:
     readOnlyRootFilesystem: true
@@ -531,6 +550,12 @@ nats:
   # -- Toggle whether to install NATS
   enabled: true
   fullnameOverride: testkube-enterprise-nats
+  # -- NATS Pod Security Context
+  podSecurityContext:
+      runAsNonRoot: true
+      runAsUser: 1001
+      runAsGroup: 1001
+      fsGroup: 1001
   # Uncomment if you want to provide a different image or pullPolicy
   container:
     merge:
@@ -685,7 +710,11 @@ mongodb:
   tolerations: []
   # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
   # -- MongoDB Pod Security Context
-  podSecurityContext: {}
+  podSecurityContext:
+    runAsNonRoot: true
+    runAsUser: 1001
+    runAsGroup: 1001
+    fsGroup: 1001
   # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
   # -- Security Context for MongoDB container
   containerSecurityContext: {}
@@ -775,7 +804,11 @@ dex:
   securityContext: {}
   # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
   # -- Dex Pod Security Context
-  podSecurityContext: {}
+  podSecurityContext:
+    runAsNonRoot: true
+    runAsUser: 1001
+    runAsGroup: 1001
+    fsGroup: 1001
   # -- Set resources requests and limits for Dex Service
   resources:
     requests: