From a32e691a739ff65238853db22e80b447c69e163d Mon Sep 17 00:00:00 2001
From: Marc Burnie <mburnie@amazon.com>
Date: Wed, 28 Sep 2022 16:56:08 +0000
Subject: [PATCH] Checkov Findings and Gitlab Helm Chart Deploy Variables

---
 .gitlab-ci.yml               |  2 ++
 devops/aws/chart/values.yaml | 21 ++++++++++++---------
 2 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index bfcf527f3..3461fe091 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -29,8 +29,10 @@ variables:
   AWS_BUILD_SUBDIR: provider/schema-aws/build-aws
   AWS_TEST_SUBDIR: testing/schema-test-core
+  AWS_CHART_SUBDIR: devops/aws/chart
   AWS_DEPLOYMENTS_SUBDIR: deployments/scripts/aws
   AWS_SERVICE: schema
+  AWS_SERVICE_GATEWAY: osdu-gateway
   AWS_ENVIRONMENT: dev
   AWS_MAVEN_TEST_COMMAND_OVERRIDE: verify
   AWS_DEPLOY_TARGET: EKS
diff --git a/devops/aws/chart/values.yaml b/devops/aws/chart/values.yaml
index 4d195f1e3..fe2ef9915 100644
--- a/devops/aws/chart/values.yaml
+++ b/devops/aws/chart/values.yaml
@@ -1,6 +1,6 @@
 # Service Config
 image: __CONTAINER__
-imagePullPolicy: IfNotPresent
+imagePullPolicy: Always
 service:
   type: ClusterIP
   port: 8080
@@ -26,7 +26,8 @@ environmentVariables:
     value: "http://os-entitlements:8080"
   - name: PARTITION_BASE_URL
     value: http://os-partition:8080
-podAnnotations: {}
+podAnnotations:
+  seccomp.security.alpha.kubernetes.io/pod: "runtime/default"
 
 # Resource Config
 replicaCount: 1
@@ -57,13 +58,15 @@ cors:
   - Data-Partition-Id
   - Correlation-Id
   - Content-Type
-securityContext: {}
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
+securityContext:
+  runAsUser: 10001
+  runAsNonRoot: true
+  readOnlyRootFilesystem: false
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - ALL
+
 allowedPrincipals:
   - cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account
   - cluster.local/ns/{{ .Release.Namespace }}/sa/os-dataset
--
GitLab
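Review bot: The seccomp profile is applied via the `seccomp.security.alpha.kubernetes.io/pod` annotation added under `podAnnotations`, which is the alpha annotation deprecated since Kubernetes 1.19 and no longer honored on recent clusters (support was removed in 1.27), so the profile may silently stop applying after a cluster upgrade. The first-class equivalent is the `seccompProfile` field of `securityContext`, which this same patch rewrites in the later values.yaml hunk; adding `seccompProfile:` / `  type: RuntimeDefault` there keeps the setting durable (whether the chart renders that block at pod or container scope is not visible in this diff, so confirm against the template). Keep the annotation only if clusters older than 1.19 still need to be supported, and say so in a comment next to it.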
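Review bot: `readOnlyRootFilesystem: false` in the new `securityContext` block leaves the root filesystem writable, which is itself one of the findings Checkov reports (CKV_K8S_22) and the commit subject says this change is addressing, so the block as written still fails that check. If the service needs scratch space, the usual pattern is `readOnlyRootFilesystem: true` plus an `emptyDir` volume mounted at the writable path(s); if the false value is deliberate, a comment such as `# readOnlyRootFilesystem: false — service writes to <PATH>; tracked in <TICKET>` would stop the next reviewer from flipping it blindly. Consider also pinning the group with `runAsGroup: 10001` next to `runAsUser`, and the added trailing `+` blank line before `allowedPrincipals:` looks unintended.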