From 401f45bf8b71a0db62bcaf1b6f645931dd644f2e Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Sat, 16 Sep 2023 00:34:08 +0200
Subject: [PATCH] feat(keycloak): Add security context required for PSS restricted
---
 charts/keycloak/Chart.yaml | 6 ++++--
 charts/keycloak/README.md | 8 ++++----
 .../tests/__snapshot__/snapshot_test.yaml.snap | 12 ++++++++----
 charts/keycloak/values.yaml | 8 +++++---
 4 files changed, 21 insertions(+), 13 deletions(-)
diff --git a/charts/keycloak/Chart.yaml b/charts/keycloak/Chart.yaml
index d26737bb1..3481cd75b 100644
--- a/charts/keycloak/Chart.yaml
+++ b/charts/keycloak/Chart.yaml
@@ -1,13 +1,15 @@
 apiVersion: v2
 name: keycloak
-description: (Alpha) A Helm chart for Keycloak on Kubernetes
+description: A Helm chart for Keycloak on Kubernetes
+annotations:
+ artifacthub.io/category: security
 type: application
 home: https://www.keycloak.org/
 icon: https://www.keycloak.org/resources/images/keycloak_icon_512px.svg
 sources:
 - https://git.shivering-isles.com/shivering-isles/infrastructure-gitops
 - https://github.com/keycloak/keycloak
-version: 0.7.2
+version: 0.7.3
 # renovate: image=quay.io/keycloak/keycloak
 appVersion: "22.0.3"
 maintainers:
diff --git a/charts/keycloak/README.md b/charts/keycloak/README.md
index f8f3c9907..d1247b848 100644
--- a/charts/keycloak/README.md
+++ b/charts/keycloak/README.md
@@ -1,8 +1,8 @@
 # keycloak
-   
+   
-(Alpha) A Helm chart for Keycloak on Kubernetes
+A Helm chart for Keycloak on Kubernetes
 **Homepage:** <https://www.keycloak.org/> 
@@ -60,7 +60,8 @@
 | networkPolicy.create | bool | `false` | Creates a network policy for inifispan communication, does **not** take care of database or ingress communication |
 | nodeSelector | object | `{}` | |
 | podAnnotations | object | `{}` | |
-| podSecurityContext | object | `{}` | |
+| podSecurityContext.runAsNonRoot | bool | `true` | |
+| podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
 | replicaCount | int | `1` | |
 | resources.limits.cpu | string | `"1"` | |
 | resources.limits.memory | string | `"1.5Gi"` | |
@@ -68,7 +69,6 @@
 | resources.requests.memory | string | `"1Gi"` | |
 | securityContext.allowPrivilegeEscalation | bool | `false` | |
 | securityContext.capabilities.drop[0] | string | `"ALL"` | |
-| securityContext.runAsNonRoot | bool | `true` | |
 | service.port | int | `80` | |
 | service.type | string | `"ClusterIP"` | |
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
diff --git a/charts/keycloak/tests/__snapshot__/snapshot_test.yaml.snap b/charts/keycloak/tests/__snapshot__/snapshot_test.yaml.snap
index 4c87dd93c..20716378b 100644
--- a/charts/keycloak/tests/__snapshot__/snapshot_test.yaml.snap
+++ b/charts/keycloak/tests/__snapshot__/snapshot_test.yaml.snap
@@ -90,14 +90,16 @@ should match basic snapshot: capabilities: drop: - ALL - runAsNonRoot: true startupProbe: failureThreshold: 30 httpGet: path: /health/live port: http periodSeconds: 10 - securityContext: {} + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: RELEASE-NAME-keycloak 2: | apiVersion: v1 
@@ -262,14 +264,16 @@ should match full snapshot: capabilities: drop: - ALL - runAsNonRoot: true startupProbe: failureThreshold: 30 httpGet: path: /health/live port: http periodSeconds: 10 - securityContext: {} + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault serviceAccountName: RELEASE-NAME-keycloak 2: | apiVersion: v1 
diff --git a/charts/keycloak/values.yaml b/charts/keycloak/values.yaml
index 37627d5d2..7bcbf25e7 100644
--- a/charts/keycloak/values.yaml
+++ b/charts/keycloak/values.yaml
@@ -47,15 +47,17 @@ serviceAccount: podAnnotations: {} -podSecurityContext: {} +podSecurityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault # fsGroup: 2000 securityContext: + allowPrivilegeEscalation: false capabilities: drop: - ALL - allowPrivilegeEscalation: false - runAsNonRoot: true service: type: ClusterIP
-- GitLab
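Review bot: The new `podSecurityContext` defaults carry no explanatory comment in values.yaml, so the README rows for `podSecurityContext.runAsNonRoot` and `podSecurityContext.seccompProfile.type` that this commit adds land with an empty description column; if the table is helm-docs generated, as the existing `networkPolicy.create` description suggests, a line such as `# -- Pod-level security context; together with securityContext below these defaults satisfy the Pod Security Standards "restricted" profile, so loosen them only in namespaces that do not enforce it` above `podSecurityContext:` would fill it in. A second caveat is worth stating next to `runAsNonRoot: true`: no `runAsUser` is set, so non-root is verified by the kubelet from the image's USER at container start, and an image override with a non-numeric or unset USER fails the pod at runtime rather than at admission — `# runAsUser is deliberately left to the image; set it here if your image declares a non-numeric USER` makes that explicit. Moving `runAsNonRoot` from the container to the pod level also extends it to any init or sidecar containers the templates may add, which is what the restricted profile requires, and deserves a word in the same comment.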