From 6f6014c9193c0fa8a7b6af7ce79eea27c52717b4 Mon Sep 17 00:00:00 2001
From: Julien Bouquillon
Date: Tue, 29 Aug 2023 22:12:18 +0200
Subject: [PATCH 1/2] fix(app): allow to override securityContext
---
 .../__snapshots__/app-simple-options.dev.yaml | 7 +++++
 .../app-simple-options.prod.yaml | 7 +++++
 .../samples/app-simple-options/values.yaml | 5 ++++
 .../charts/app/templates/deployment.yaml | 8 ++++++
 plugins/contrib/charts/app/values.yaml | 26 ++++++++++++-------
 5 files changed, 43 insertions(+), 10 deletions(-)
diff --git a/packages/kontinuous/tests/__snapshots__/app-simple-options.dev.yaml b/packages/kontinuous/tests/__snapshots__/app-simple-options.dev.yaml
index 2da8825225..88b8b85a2a 100644
--- a/packages/kontinuous/tests/__snapshots__/app-simple-options.dev.yaml
+++ b/packages/kontinuous/tests/__snapshots__/app-simple-options.dev.yaml
@@ -700,6 +700,11 @@ spec:
 annotations:
 kontinuous/deployment: test-app-simple-options-feature-branch-1-ffac537e6cbb-ze31pkw6
 spec:
+ securityContext:
+ fsGroup: 26
+ runAsGroup: 26
+ runAsNonRoot: true
+ runAsUser: 26
 affinity:
 podAntiAffinity:
 preferredDuringSchedulingIgnoredDuringExecution:
@@ -722,6 +727,8 @@ spec:
 claimName: docs
 containers:
 - image: harbor.fabrique.social.gouv.fr/test-app-simple-options/app:sha-ffac537e6cbbf934b08745a378932722df287a53
+ securityContext:
+ allowPrivilegeEscalation: false
 name: app
 ports:
 - containerPort: 3000
diff --git a/packages/kontinuous/tests/__snapshots__/app-simple-options.prod.yaml b/packages/kontinuous/tests/__snapshots__/app-simple-options.prod.yaml
index fb9da2d213..03dfd866b2 100644
--- a/packages/kontinuous/tests/__snapshots__/app-simple-options.prod.yaml
+++ b/packages/kontinuous/tests/__snapshots__/app-simple-options.prod.yaml
@@ -132,6 +132,11 @@ spec:
 annotations:
 kontinuous/deployment: test-app-simple-options-feature-branch-1-ffac537e6cbb-ze31pkw6
 spec:
+ securityContext:
+ fsGroup: 26
+ runAsGroup: 26
+ runAsNonRoot: true
+ runAsUser: 26
 affinity:
 podAntiAffinity:
 preferredDuringSchedulingIgnoredDuringExecution:
@@ -154,6 +159,8 @@ spec:
 claimName: docs
 containers:
 - image: harbor.fabrique.social.gouv.fr/test-app-simple-options/app:prod
+ securityContext:
+ allowPrivilegeEscalation: false
 name: app
 ports:
 - containerPort: 3000
diff --git a/packages/kontinuous/tests/samples/app-simple-options/values.yaml b/packages/kontinuous/tests/samples/app-simple-options/values.yaml
index ea82d62825..354768df6b 100644
--- a/packages/kontinuous/tests/samples/app-simple-options/values.yaml
+++ b/packages/kontinuous/tests/samples/app-simple-options/values.yaml
@@ -13,3 +13,8 @@ app:
 requests:
 cpu: 1
 memory: 10Mi
+ securityContext:
+ fsGroup: 26
+ runAsGroup: 26
+ runAsNonRoot: true
+ runAsUser: 26
diff --git a/plugins/contrib/charts/app/templates/deployment.yaml b/plugins/contrib/charts/app/templates/deployment.yaml
index 0d00d25b5f..c7e6992997 100644
--- a/plugins/contrib/charts/app/templates/deployment.yaml
+++ b/plugins/contrib/charts/app/templates/deployment.yaml
@@ -21,6 +21,10 @@ spec:
 application: {{ .Values.global.repositoryName }}
 namespace: {{ or .Values.namespace .Values.global.namespace }}
 spec:
+ {{- if .Values.securityContext }}
+ securityContext:
+ {{- tpl (.Values.securityContext | toYaml) . | nindent 8 }}
+ {{- end }}
 affinity:
 {{- include "contrib-helpers.anti-affinity" . | nindent 8}}
 initContainers:
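Review bot: The new `tpl (.Values.securityContext | toYaml) .` call passes `.` as the template context, while the existing entrypoint block later in this same template passes `$` (`tpl (.Values.entrypoint | toYaml) $`); both resolve to the root at this point, but `$` keeps the two blocks consistent and still works if the block is ever moved inside a `range`/`with` scope where `.` is rebound. Suggest `{{- tpl (.Values.securityContext | toYaml) $ | nindent 8 }}`. Because the value goes through `tpl`, any `{{ ... }}` inside a user's securityContext is template-expanded rather than passed through literally; a one-line comment above the `securityContext:` key in values.yaml saying so would save chart users a surprise. The pod `spec:` this sits in continues below the hunk.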
@@ -42,6 +46,10 @@ spec:
 {{- else }}
 image: "{{ or .Values.registry .Values.global.registry }}{{ if (or .Values.imageProject .Values.global.imageProject) }}{{ (print "/" (or .Values.imageProject .Values.global.imageProject)) }}{{ end }}{{ if (or .Values.imageRepository .Values.global.imageRepository) }}{{ (print "/" (or .Values.imageRepository .Values.global.imageRepository)) }}{{ end }}{{ if .Values.imagePackage }}{{ (print "/" .Values.imagePackage) }}{{ end }}:{{ or .Values.imageTag .Values.global.imageTag }}"
 {{- end }}
+ {{- if .Values.securityContext }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ {{- end }}
 {{- if .Values.entrypoint }}
 command:
 {{- tpl (.Values.entrypoint | toYaml) $ | nindent 12 }}
diff --git a/plugins/contrib/charts/app/values.yaml b/plugins/contrib/charts/app/values.yaml
index b9f3dc28e1..87637041e1 100644
--- a/plugins/contrib/charts/app/values.yaml
+++ b/plugins/contrib/charts/app/values.yaml
@@ -12,7 +12,7 @@ ttl:
 rancherProjectId:
 isProd: false
 isPreProd: false
-replicas:
+replicas:
 containerPort: 3000
 servicePort: 80
 env: []
@@ -22,14 +22,14 @@ probesPath: /index.html
 livenessProbe:
 readinessProbe:
 startupProbe:
-lifecycle:
+lifecycle:
 resources:
 limits:
- cpu:
+ cpu:
 memory:
 requests:
- cpu:
- memory:
+ cpu:
+ memory:
 autoscale:
 enabled: false
 minReplicas: 2
@@ -52,8 +52,14 @@ ingress:
 entrypoint:
 args: []
 antiAffinity:
- enabled:
-onChangedPaths:
-onChangedAnnotate:
-onChangedNeeds:
-strategyType: RollingUpdate
\ No newline at end of file
+ enabled:
+onChangedPaths:
+onChangedAnnotate:
+onChangedNeeds:
+strategyType: RollingUpdate
+# https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.17.2/_definitions.json#/definitions/io.k8s.api.core.v1.PodSecurityContext
+securityContext:
+# fsGroup: 26
+# runAsGroup: 26
+# runAsNonRoot: true
+# runAsUser: 26
From 732d4a5474b087a59bd98e566abcb5df96ebc5a9 Mon Sep 17 00:00:00 2001
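Review bot: The container-level `allowPrivilegeEscalation: false` is emitted only when the pod-level `.Values.securityContext` is set, so a chart user who keeps the default `securityContext:` (null) gets neither a pod securityContext nor this container hardening, and a user who does set it cannot add container-level fields (`readOnlyRootFilesystem`, `capabilities`) or opt out if their entrypoint relies on setuid — the commit title promises an override, but this half is hard-coded behind an unrelated toggle. Consider a separate `containerSecurityContext` value rendered with its own guard, as below, defaulting to `allowPrivilegeEscalation: false` in values.yaml; note that a non-null default changes rendering for every app and the snapshot tests, so if that is not wanted default it to null and document the recommended value instead. The `containers:` list this block belongs to starts above the hunk.

```yaml
          {{- with .Values.containerSecurityContext }}
          securityContext:
            {{- tpl (. | toYaml) $ | nindent 12 }}
          {{- end }}
```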
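Review bot: The comment above the new `securityContext:` key in values.yaml links to the yannh `v1.17.2` `PodSecurityContext` definition, while the chart's `kontinuous.values.schema.json` (patch 2/2) validates the same value against the ad-m `master-standalone-strict` definitions; the two disagree on which fields exist (for example `seccompProfile` is not in the 1.17 definition but is accepted by master), so point the comment at the schema the chart actually enforces. The commented example shows only uid/gid fields; adding `#  seccompProfile:` / `#    type: RuntimeDefault` to it would steer users toward the restricted Pod Security Standard. The bare `securityContext:` default is null, which the template's `if` guard skips — the same convention as `livenessProbe:` above — but a comment such as `# unset by default: no pod securityContext is rendered` would make that explicit. The two preceding hunks in this file are trailing-whitespace cleanups only.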
From: Julien Bouquillon
Date: Tue, 29 Aug 2023 23:44:05 +0200
Subject: [PATCH 2/2] jsonschema
---
 plugins/contrib/charts/app/kontinuous.values.schema.json | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/plugins/contrib/charts/app/kontinuous.values.schema.json b/plugins/contrib/charts/app/kontinuous.values.schema.json
index 549f52db80..acaafd94ca 100644
--- a/plugins/contrib/charts/app/kontinuous.values.schema.json
+++ b/plugins/contrib/charts/app/kontinuous.values.schema.json
@@ -126,6 +126,10 @@
 "startupProbe": {
 "$ref": "https://raw.githubusercontent.com/ad-m/kubernetes-json-schema/master/master-standalone-strict/_definitions.json#/definitions/io.k8s.api.core.v1.Probe",
 "description": "StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes"
+ },
+ "securityContext": {
+ "$ref": "https://raw.githubusercontent.com/ad-m/kubernetes-json-schema/master/master-standalone-strict/_definitions.json#/definitions/io.k8s.api.core.v1.PodSecurityContext",
+ "description": "Setup your securityContext to reduce security risks, see https://kubernetes.io/docs/tasks/configure-pod-container/security-context/"
 }
 }
 }
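Review bot: The new `securityContext` description does not say that this is the pod-level `PodSecurityContext`; since the `$ref` is the strict definition, container-only fields such as `allowPrivilegeEscalation`, `readOnlyRootFilesystem` or `capabilities` will be rejected by validation with an unhelpful error, while the deployment template separately sets `allowPrivilegeEscalation: false` on the app container whenever this value is present. Suggest `"description": "Pod-level securityContext (PodSecurityContext) applied to the Deployment pod spec; container-level fields are not accepted here. When set, the app container also gets allowPrivilegeEscalation: false. See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/"`. If the original wording is kept, "Setup" (a noun) should read "Set up".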