Checkov Findings and Gitlab Helm Chart Deploy Variables

a41dedcf · Marc Burnie [AWS] · a94e656e · a41dedcf · a41dedcf
Commit a41dedcf authored 2 years ago by Marc Burnie [AWS]
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
 variables:
  AWS_BUILD_SUBDIR: provider/indexer-aws/build-aws
  AWS_TEST_SUBDIR: testing/indexer-test-aws
+  AWS_CHART_SUBDIR: devops/aws/chart
  AWS_SERVICE: indexer
+  AWS_SERVICE_GATEWAY: osdu-gateway
  AWS_ENVIRONMENT: dev
  AWS_DEPLOY_TARGET: EKS
  AWS_EKS_DEPLOYMENT_NAME: os-indexer

--- a/devops/aws/chart/values.yaml
+++ b/devops/aws/chart/values.yaml
 # Service Config
 image: __CONTAINER__
-imagePullPolicy: IfNotPresent
+imagePullPolicy: Always
 service:
  type: ClusterIP
  port: 8080
@@ -64,7 +64,8 @@ environmentVariables:
    value: "true"
  - name: PARAMETER_MOUNT_PATH
    value: "/mnt/params"
-podAnnotations: {}
+podAnnotations: 
+  seccomp.security.alpha.kubernetes.io/pod: "runtime/default"

 # Resource Config
 replicaCount: 1
@@ -83,13 +84,14 @@ autoscaling:

 # Security Config
 serviceAccountRole: arn:aws:iam::{{ .Values.global.accountID }}:role/osdu-{{ .Values.global.resourcePrefix }}-{{ .Values.global.region }}-{{ include "common.name" . }}
-securityContext: {}
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
+securityContext: 
+  runAsUser: 10001
+  runAsNonRoot: true
+  readOnlyRootFilesystem: false
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+    - ALL
 allowedPrincipals:
  - cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account
  - cluster.local/ns/{{ .Release.Namespace }}/sa/indexer-queue