Checkov Findings and Gitlab Helm Chart Deploy Variables

d2528f58 · Marc Burnie [AWS] · d3039b78 · d2528f58 · d2528f58
Commit d2528f58 authored 2 years ago by Marc Burnie [AWS]
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
 variables:
  AWS_BUILD_SUBDIR: provider/notification-aws/build-aws
  AWS_TEST_SUBDIR: testing/notification-test-aws
+  AWS_CHART_SUBDIR: devops/aws/chart
  AWS_SERVICE: notification
+  AWS_SERVICE_GATEWAY: osdu-gateway
  AWS_ENVIRONMENT: dev
  AWS_DEPLOY_TARGET: EKS
  AWS_EKS_DEPLOYMENT_NAME: os-notification

--- a/devops/aws/chart/values.yaml
+++ b/devops/aws/chart/values.yaml
 # Service Config
 image: __CONTAINER__
-imagePullPolicy: IfNotPresent
+imagePullPolicy: Always
 service:
  type: ClusterIP
  port: 8080
@@ -27,7 +27,8 @@ environmentVariables:
    value: "http://os-entitlements:8080"
  - name: REGISTER_BASE_URL
    value: http://os-register:8080
-podAnnotations: {}
+podAnnotations: 
+  seccomp.security.alpha.kubernetes.io/pod: "runtime/default"
 # Resource Config
 replicaCount: 1
@@ -60,13 +61,15 @@ cors:
    - Data-Partition-Id
    - Correlation-Id
    - Content-Type
-securityContext: {}
+securityContext: 
-  # capabilities:
+  runAsUser: 10001
-  #   drop:
+  runAsNonRoot: true
-  #   - ALL
+  readOnlyRootFilesystem: false
-  # readOnlyRootFilesystem: true
+  allowPrivilegeEscalation: false
-  # runAsNonRoot: true
+  capabilities:
-  # runAsUser: 1000
+    drop:
+    - ALL
 allowedPrincipals:
  - cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account
  - cluster.local/ns/aws-binary-dms/sa/binary-dms