diff --git a/charts/mastodon/Chart.yaml b/charts/mastodon/Chart.yaml index a1ae9848167a3adf6cc4d96a84c9ab55e78a35ae..d207227667f313c11df0276ac7ad539374d98672 100644 --- a/charts/mastodon/Chart.yaml +++ b/charts/mastodon/Chart.yaml @@ -17,7 +17,7 @@ annotations: - name: support url: https://matrix.to/#/#mastodon-on-kubernetes:shivering-isles.com type: application -version: 6.3.3 +version: 7.0.0 # renovate: image=ghcr.io/mastodon/mastodon appVersion: "v4.1.9" diff --git a/charts/mastodon/README.md b/charts/mastodon/README.md index 79db2c079bb4c25a741dfc6ad52e14faa812fd3b..4e708915ddb87abb9631b536b074c8e54af16b6e 100644 --- a/charts/mastodon/README.md +++ b/charts/mastodon/README.md @@ -1,6 +1,6 @@ # mastodon -   +   Mastodon is a free, open-source social network server based on ActivityPub. @@ -19,7 +19,7 @@ This unofficical Helm chart is maintained to the best of knowledge, with the lim |------------|------|---------| | https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami | elasticsearch | 19.11.1 | | https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami | postgresql | 11.9.13 | -| https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami | redis | 18.0.2 | +| https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami | redis | 18.0.4 | ## Values 
@@ -101,17 +101,17 @@ This unofficical Helm chart is maintained to the best of knowledge, with the lim | mastodon.streaming.port | int | `4000` | | | mastodon.streaming.replicas | int | `1` | Number of Streaming Pods running | | mastodon.streaming.resources | Streaming Container | `{}` | Resources for Streaming Pods, overwrites .Values.resources | -| mastodon.streaming.securityContext | Streaming Container | `nil` | Security Context for Streaming Pods, overwrites .Values.securityContext | +| mastodon.streaming.securityContext | Streaming Container | `{"readOnlyRootFilesystem":true}` | Security Context for Streaming Pods, overwrites .Values.securityContext | | mastodon.streaming.workers | int | `1` | this should be set manually since os.cpus() returns the number of CPUs on the node running the pod, which is unrelated to the resources allocated to the pod by k8s | | mastodon.web.affinity | object | `{}` | Affinity for Web Pods, overwrites .Values.affinity | | mastodon.web.podSecurityContext | object | `{}` | Pod Security Context for Web Pods, overwrites .Values.podSecurityContext | | mastodon.web.port | int | `3000` | | | mastodon.web.replicas | int | `1` | Number of Web Pods running | | mastodon.web.resources | Web Container | `{}` | Resources for Web Pods, overwrites .Values.resources | -| mastodon.web.securityContext | Web Container | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true}` | Security Context for Web Pods, overwrites .Values.securityContext | +| mastodon.web.securityContext | Web Container | `{"readOnlyRootFilesystem":true}` | Security Context for Web Pods, overwrites .Values.securityContext | | mastodon.web_domain | string | `nil` | Use of WEB_DOMAIN requires careful consideration: https://docs.joinmastodon.org/admin/config/#federation You must redirect the path LOCAL_DOMAIN/.well-known/ to WEB_DOMAIN/.well-known/ as described Example: mastodon.example.com | | podAnnotations | object | `{}` | Kubernetes manages pods for jobs and pods 
for deployments differently, so you might need to apply different annotations to the two different sets of pods. The annotations set with podAnnotations will be added to all deployment-managed pods. | -| podSecurityContext | object | `{"allowPrivilegeEscalation":false,"fsGroup":991,"runAsGroup":991,"runAsNonRoot":true,"runAsUser":991,"seccompProfile":{"type":"RuntimeDefault"}}` | https://github.com/mastodon/mastodon/blob/main/Dockerfile#L75 if you manually change the UID/GID environment variables, ensure these values match: | +| podSecurityContext | object | `{"fsGroup":991,"runAsGroup":991,"runAsNonRoot":true,"runAsUser":991,"seccompProfile":{"type":"RuntimeDefault"}}` | base securityContext on Pod-Level. Can be overwritten but more specific contexts. Used to match the Upstream UID/GID | | postgresql.auth.database | string | `"mastodon_production"` | | | postgresql.auth.existingSecret | string | `""` | | | postgresql.auth.password | string | `""` | | @@ -126,6 +126,7 @@ This unofficical Helm chart is maintained to the best of knowledge, with the lim | redis.port | string | `"6379"` | port at which redis is available | | redis.redisUrl | string | `nil` | redisUrl overwrites redis.host and redis.port. It allows to use sentinal redis installations | | resources | object | `{}` | Default resources for all Deployments and jobs unless overwritten | +| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}` | securityContext on Container-Level. Can be overwritten but more specific contexts. | | serviceAccount.annotations | object | `{}` | Annotations to add to the service account | | serviceAccount.create | bool | `true` | Specifies whether a service account should be created | | serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | 
diff --git a/charts/mastodon/templates/cronjob-media-remove.yaml b/charts/mastodon/templates/cronjob-media-remove.yaml
index fccd368a2deb80bbd7a7bd26a1e839d56bebf4f6..4707b631934339d20d05b3921eab96c57203e411 100644
--- a/charts/mastodon/templates/cronjob-media-remove.yaml
+++ b/charts/mastodon/templates/cronjob-media-remove.yaml
@@ -33,6 +33,10 @@ spec:
 - rails
 topologyKey: kubernetes.io/hostname
 {{- end }}
+ {{- with .Values.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 volumes:
 - name: assets
 persistentVolumeClaim:
@@ -69,6 +73,10 @@ spec:
 {{- end }}
 - name: "PORT"
 value: {{ .Values.mastodon.web.port | quote }}
+ {{- with .Values.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 16 }}
+ {{- end }}
 {{- if (not .Values.mastodon.s3.enabled) }}
 volumeMounts:
 - name: assets
diff --git a/charts/mastodon/templates/deployment-sidekiq.yaml b/charts/mastodon/templates/deployment-sidekiq.yaml
index ec91a8621856b25547c3e8235c6100c27afd267b..486c2e4281a71e8747742cd5fd3af202e67cf927 100644
--- a/charts/mastodon/templates/deployment-sidekiq.yaml
+++ b/charts/mastodon/templates/deployment-sidekiq.yaml
@@ -38,7 +38,7 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 serviceAccountName: {{ include "mastodon.serviceAccountName" $context }}
- {{- with (default $context.Values.podSecurityContext $context.Values.mastodon.sidekiq.podSecurityContext) }}
+ {{- with (deepCopy $context.Values.podSecurityContext | mergeOverwrite $context.Values.mastodon.sidekiq.podSecurityContext) }}
 securityContext:
 {{- toYaml . | nindent 8 }}
 {{- end }}
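Review bot: The argument order of the new merge expression looks inverted: if I read Sprig's `mergeOverwrite` correctly, its first argument is the destination and later arguments take precedence, and in the pipeline form that destination is `$context.Values.mastodon.sidekiq.podSecurityContext` while the deep-copied `$context.Values.podSecurityContext` is the source, so a global key would overwrite a component-specific one (the reverse of the "overwrites .Values.podSecurityContext" contract) and the component map inside `.Values`, not the copy, is the one mutated in place. Writing it as `{{- with (mergeOverwrite (deepCopy $context.Values.podSecurityContext) $context.Values.mastodon.sidekiq.podSecurityContext) }}` keeps the copy as the destination and lets the component value win. The same pipeline form is used for the sidekiq container securityContext in the next hunk and at pod and container level in deployment-streaming.yaml and deployment-web.yaml. None of the shipped defaults set the same key on both levels, so the updated snapshots cannot reveal which side wins.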
@@ -57,8 +57,10 @@ spec:
 {{- end }}
 containers:
 - name: {{ $context.Chart.Name }}
+ {{- with (deepCopy $context.Values.securityContext | mergeOverwrite $context.Values.mastodon.sidekiq.securityContext ) }}
 securityContext:
- {{- toYaml $context.Values.mastodon.sidekiq.securityContext | nindent 12 }}
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 image: "{{ $context.Values.image.repository }}:{{ $context.Values.image.tag | default $context.Chart.AppVersion }}"
 imagePullPolicy: {{ $context.Values.image.pullPolicy }}
 command:
diff --git a/charts/mastodon/templates/deployment-streaming.yaml b/charts/mastodon/templates/deployment-streaming.yaml
index 7c8bf15aca7bf025af6650344f4078266b40a7d5..746e411fa45d6be89fa8441c6c41d60895f9d839 100644
--- a/charts/mastodon/templates/deployment-streaming.yaml
+++ b/charts/mastodon/templates/deployment-streaming.yaml
@@ -28,13 +28,13 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 serviceAccountName: {{ include "mastodon.serviceAccountName" . }}
- {{- with (default .Values.podSecurityContext .Values.mastodon.streaming.podSecurityContext) }}
+ {{- with (deepCopy .Values.podSecurityContext | mergeOverwrite .Values.mastodon.streaming.podSecurityContext) }}
 securityContext:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 containers:
 - name: {{ .Chart.Name }}-streaming
- {{- with (default .Values.securityContext .Values.mastodon.streaming.securityContext) }}
+ {{- with (deepCopy .Values.securityContext | mergeOverwrite .Values.mastodon.streaming.securityContext) }}
 securityContext:
 {{- toYaml . | nindent 12 }}
 {{- end }}
diff --git a/charts/mastodon/templates/deployment-web.yaml b/charts/mastodon/templates/deployment-web.yaml
index 2a19fad089383b4d31681cef2b0e6ccffe1f17b0..0ba5374dbd636c90b49186bc0039fcdb98a1c6bb 100644
--- a/charts/mastodon/templates/deployment-web.yaml
+++ b/charts/mastodon/templates/deployment-web.yaml
@@ -29,7 +29,7 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 serviceAccountName: {{ include "mastodon.serviceAccountName" . }}
- {{- with (default .Values.podSecurityContext .Values.mastodon.web.podSecurityContext) }}
+ {{- with (deepCopy .Values.podSecurityContext | mergeOverwrite .Values.mastodon.web.podSecurityContext) }}
 securityContext:
 {{- toYaml . | nindent 8 }}
 {{- end }}
@@ -44,7 +44,7 @@ spec:
 {{- end }}
 containers:
 - name: {{ .Chart.Name }}-web
- {{- with (default .Values.securityContext .Values.mastodon.web.securityContext) }}
+ {{- with (deepCopy .Values.securityContext | mergeOverwrite .Values.mastodon.web.securityContext) }}
 securityContext:
 {{- toYaml . | nindent 12 }}
 {{- end }}
diff --git a/charts/mastodon/templates/job-assets-precompile.yaml b/charts/mastodon/templates/job-assets-precompile.yaml
index fd33b587c62e8c005cbe9cacc62f04cc044b5179..f0604ced376dcbb6ae11f53fd54d57513ad69537 100644
--- a/charts/mastodon/templates/job-assets-precompile.yaml
+++ b/charts/mastodon/templates/job-assets-precompile.yaml
@@ -31,6 +31,10 @@ spec:
 persistentVolumeClaim:
 claimName: {{ template "mastodon.fullname" . }}-system
 {{- end }}
+ {{- with .Values.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 containers:
 - name: {{ include "mastodon.fullname" . }}-assets-precompile
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
@@ -60,6 +64,10 @@ spec:
 {{- end }}
 - name: "PORT"
 value: {{ .Values.mastodon.web.port | quote }}
+ {{- with .Values.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 {{- if (not .Values.mastodon.s3.enabled) }}
 volumeMounts:
 - name: assets
diff --git a/charts/mastodon/templates/job-chewy-upgrade.yaml b/charts/mastodon/templates/job-chewy-upgrade.yaml
index 6ce8b69147873832f6d5b101d152fc4ec24fbbd5..dd8a8ad4c485b848ea763cc56afb481ae78470c4 100644
--- a/charts/mastodon/templates/job-chewy-upgrade.yaml
+++ b/charts/mastodon/templates/job-chewy-upgrade.yaml
@@ -32,6 +32,10 @@ spec:
 persistentVolumeClaim:
 claimName: {{ template "mastodon.fullname" . }}-system
 {{- end }}
+ {{- with .Values.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 containers:
 - name: {{ include "mastodon.fullname" . }}-chewy-setup
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
@@ -61,6 +65,10 @@ spec:
 {{- end }}
 - name: "PORT"
 value: {{ .Values.mastodon.web.port | quote }}
+ {{- with .Values.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 {{- if (not .Values.mastodon.s3.enabled) }}
 volumeMounts:
 - name: assets
diff --git a/charts/mastodon/templates/job-create-admin.yaml b/charts/mastodon/templates/job-create-admin.yaml
index 5bf7839bab02b9952a3f72e359ca91a0ca894e23..9fba07addacd6a70c92941b7c38df66d8206bf49 100644
--- a/charts/mastodon/templates/job-create-admin.yaml
+++ b/charts/mastodon/templates/job-create-admin.yaml
@@ -32,6 +32,10 @@ spec:
 persistentVolumeClaim:
 claimName: {{ template "mastodon.fullname" . }}-system
 {{- end }}
+ {{- with .Values.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 containers:
 - name: {{ include "mastodon.fullname" . }}-create-admin
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
@@ -66,6 +70,10 @@ spec:
 {{- end }}
 - name: "PORT"
 value: {{ .Values.mastodon.web.port | quote }}
+ {{- with .Values.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 {{- if (not .Values.mastodon.s3.enabled) }}
 volumeMounts:
 - name: assets
diff --git a/charts/mastodon/templates/job-db-migrate.yaml b/charts/mastodon/templates/job-db-migrate.yaml
index 390ec9db93529bff1cae6968aad007494310b001..830f5b5900ea8bddf0b75addeb2d8fa2785e096b 100644
--- a/charts/mastodon/templates/job-db-migrate.yaml
+++ b/charts/mastodon/templates/job-db-migrate.yaml
@@ -31,6 +31,10 @@ spec:
 persistentVolumeClaim:
 claimName: {{ template "mastodon.fullname" . }}-system
 {{- end }}
+ {{- with .Values.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 containers:
 - name: {{ include "mastodon.fullname" . }}-db-migrate
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
@@ -60,6 +64,10 @@ spec:
 {{- end }}
 - name: "PORT"
 value: {{ .Values.mastodon.web.port | quote }}
+ {{- with .Values.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 {{- if (not .Values.mastodon.s3.enabled) }}
 volumeMounts:
 - name: assets
diff --git a/charts/mastodon/templates/job-db-pre-migrate.yaml b/charts/mastodon/templates/job-db-pre-migrate.yaml
index 4f745ec358d0baf0a5fdebd03e64eec64bd9086f..f77a2525e81a7fef2bcd287e6a4dd110310c32c2 100644
--- a/charts/mastodon/templates/job-db-pre-migrate.yaml
+++ b/charts/mastodon/templates/job-db-pre-migrate.yaml
@@ -31,6 +31,10 @@ spec:
 persistentVolumeClaim:
 claimName: {{ template "mastodon.fullname" . }}-system
 {{- end }}
+ {{- with .Values.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 containers:
 - name: {{ include "mastodon.fullname" . }}-db-migrate
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
@@ -62,6 +66,10 @@ spec:
 value: {{ .Values.mastodon.web.port | quote }}
 - name: SKIP_POST_DEPLOYMENT_MIGRATIONS
 value: "true"
+ {{- with .Values.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 {{- if (not .Values.mastodon.s3.enabled) }}
 volumeMounts:
 - name: assets
diff --git a/charts/mastodon/tests/30_pss_restricted_test.yaml b/charts/mastodon/tests/30_pss_restricted_test.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..1bef054cdcd9bf8772f82b51d7623efb19ee39be
--- /dev/null
+++ b/charts/mastodon/tests/30_pss_restricted_test.yaml
@@ -0,0 +1,36 @@
+suite: Pod Security Standards
+templates:
+ - deployment-sidekiq.yaml
+ - deployment-streaming.yaml
+ - deployment-web.yaml
+ - job-assets-precompile.yaml
+ - job-chewy-upgrade.yaml
+ - job-db-migrate.yaml
+ - job-db-pre-migrate.yaml
+tests:
+ - it: has allowPrivilegeEscalation set to false
+ values:
+ - mocks/dev.yaml
+ - mocks/sidekiq.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation
+ value: false
+ - equal:
+ path: spec.template.spec.containers[0].securityContext.capabilities.drop[0]
+ value: ALL
+ - equal:
+ path: spec.template.spec.securityContext.runAsNonRoot
+ value: true
+ - equal:
+ path: spec.template.spec.securityContext.runAsUser
+ value: 991
+ - equal:
+ path: spec.template.spec.securityContext.runAsGroup
+ value: 991
+ - equal:
+ path: spec.template.spec.securityContext.fsGroup
+ value: 991
+ - equal:
+ path: spec.template.spec.securityContext.seccompProfile.type
+ value: RuntimeDefault
\ No newline at end of file
diff --git a/charts/mastodon/tests/__snapshot__/50_sidekiq_test.yaml.snap b/charts/mastodon/tests/__snapshot__/50_sidekiq_test.yaml.snap
index f119198bfea3a5e75e3dce3f6a0bc8adbe39e555..b09d31f736afaffb718910e24ce792c09a16e92d 100644
--- a/charts/mastodon/tests/__snapshot__/50_sidekiq_test.yaml.snap
+++ b/charts/mastodon/tests/__snapshot__/50_sidekiq_test.yaml.snap
@@ -109,14 +109,17 @@ should match basic snapshot: imagePullPolicy: IfNotPresent name: mastodon resources: {} - securityContext: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL volumeMounts: - mountPath: /opt/mastodon/public/assets name: assets - mountPath: /opt/mastodon/public/system name: system securityContext: - allowPrivilegeEscalation: false fsGroup: 991 runAsGroup: 991 runAsNonRoot: true
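Review bot: The template list of the new suite leaves out `cronjob-media-remove.yaml`, even though this commit gives that CronJob the same pod- and container-level securityContext as the Jobs; because a CronJob's pod spec sits under `spec.jobTemplate.spec.template.spec`, it cannot share the `spec.template.spec...` paths used here and needs its own test entry. The assertions also only cover keys that the defaults set on a single level; a second case that overrides one key in `mastodon.web.securityContext` with a value different from the one in `securityContext` would pin which level wins when both set the same key. The file is committed without a trailing newline (`\ No newline at end of file`).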
diff --git a/charts/mastodon/tests/__snapshot__/50_web_test.yaml.snap b/charts/mastodon/tests/__snapshot__/50_web_test.yaml.snap index 8d0d152332bfbb20c3f51df5ea058c6664e15529..72f109d777892bc2e6efab68c87154cae761046a 100644 --- a/charts/mastodon/tests/__snapshot__/50_web_test.yaml.snap +++ b/charts/mastodon/tests/__snapshot__/50_web_test.yaml.snap @@ -107,6 +107,9 @@ should match basic snapshot: port: http securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL readOnlyRootFilesystem: true startupProbe: failureThreshold: 30 @@ -120,7 +123,6 @@ should match basic snapshot: - mountPath: /opt/mastodon/public/system name: system securityContext: - allowPrivilegeEscalation: false fsGroup: 991 runAsGroup: 991 runAsNonRoot: true diff --git a/charts/mastodon/tests/__snapshot__/80_subchart_redis_test.yaml.snap b/charts/mastodon/tests/__snapshot__/80_subchart_redis_test.yaml.snap index 3bee04fc5c28a4c47020fcf042f050565ca617b7..bae0e7530d10b2674d047076035607016cbf0d7c 100644 --- a/charts/mastodon/tests/__snapshot__/80_subchart_redis_test.yaml.snap +++ b/charts/mastodon/tests/__snapshot__/80_subchart_redis_test.yaml.snap @@ -67,14 +67,17 @@ should allow disabling redis auth: imagePullPolicy: IfNotPresent name: mastodon resources: {} - securityContext: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL volumeMounts: - mountPath: /opt/mastodon/public/assets name: assets - mountPath: /opt/mastodon/public/system name: system securityContext: - allowPrivilegeEscalation: false fsGroup: 991 runAsGroup: 991 runAsNonRoot: true @@ -150,8 +153,13 @@ should allow disabling redis auth: httpGet: path: /api/v1/streaming/health port: streaming + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true securityContext: - allowPrivilegeEscalation: false fsGroup: 991 runAsGroup: 991 runAsNonRoot: true 
@@ -225,6 +233,9 @@ should allow disabling redis auth: port: http securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL readOnlyRootFilesystem: true startupProbe: failureThreshold: 30 @@ -238,7 +249,6 @@ should allow disabling redis auth: - mountPath: /opt/mastodon/public/system name: system securityContext: - allowPrivilegeEscalation: false fsGroup: 991 runAsGroup: 991 runAsNonRoot: true diff --git a/charts/mastodon/tests/__snapshot__/98_snapshot_test.yaml.snap b/charts/mastodon/tests/__snapshot__/98_snapshot_test.yaml.snap index 277867b6175a4eb2fc078cd5ebd523474b4c9aec..a872391ce09782a2d19310e17497a5b3d31edfea 100644 --- a/charts/mastodon/tests/__snapshot__/98_snapshot_test.yaml.snap +++ b/charts/mastodon/tests/__snapshot__/98_snapshot_test.yaml.snap @@ -90,12 +90,24 @@ should match basic snapshot: image: ghcr.io/mastodon/mastodon:4.5.6 imagePullPolicy: IfNotPresent name: RELEASE-NAME-mastodon-media-remove + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL volumeMounts: - mountPath: /opt/mastodon/public/assets name: assets - mountPath: /opt/mastodon/public/system name: system restartPolicy: OnFailure + securityContext: + fsGroup: 991 + runAsGroup: 991 + runAsNonRoot: true + runAsUser: 991 + seccompProfile: + type: RuntimeDefault volumes: - name: assets persistentVolumeClaim: @@ -177,14 +189,17 @@ should match basic snapshot: imagePullPolicy: IfNotPresent name: mastodon resources: {} - securityContext: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL volumeMounts: - mountPath: /opt/mastodon/public/assets name: assets - mountPath: /opt/mastodon/public/system name: system securityContext: - allowPrivilegeEscalation: false fsGroup: 991 runAsGroup: 991 runAsNonRoot: true 
@@ -265,8 +280,13 @@ should match basic snapshot: httpGet: path: /api/v1/streaming/health port: streaming + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true securityContext: - allowPrivilegeEscalation: false fsGroup: 991 runAsGroup: 991 runAsNonRoot: true @@ -345,6 +365,9 @@ should match basic snapshot: port: http securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL readOnlyRootFilesystem: true startupProbe: failureThreshold: 30 @@ -358,7 +381,6 @@ should match basic snapshot: - mountPath: /opt/mastodon/public/system name: system securityContext: - allowPrivilegeEscalation: false fsGroup: 991 runAsGroup: 991 runAsNonRoot: true @@ -454,12 +476,24 @@ should match basic snapshot: image: ghcr.io/mastodon/mastodon:4.5.6 imagePullPolicy: IfNotPresent name: RELEASE-NAME-mastodon-assets-precompile + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL volumeMounts: - mountPath: /opt/mastodon/public/assets name: assets - mountPath: /opt/mastodon/public/system name: system restartPolicy: Never + securityContext: + fsGroup: 991 + runAsGroup: 991 + runAsNonRoot: true + runAsUser: 991 + seccompProfile: + type: RuntimeDefault volumes: - name: assets persistentVolumeClaim: @@ -514,12 +548,24 @@ should match basic snapshot: image: ghcr.io/mastodon/mastodon:4.5.6 imagePullPolicy: IfNotPresent name: RELEASE-NAME-mastodon-chewy-setup + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL volumeMounts: - mountPath: /opt/mastodon/public/assets name: assets - mountPath: /opt/mastodon/public/system name: system restartPolicy: Never + securityContext: + fsGroup: 991 + runAsGroup: 991 + runAsNonRoot: true + runAsUser: 991 + seccompProfile: + type: RuntimeDefault volumes: - name: assets persistentVolumeClaim: 
@@ -579,12 +625,24 @@ should match basic snapshot: image: ghcr.io/mastodon/mastodon:4.5.6 imagePullPolicy: IfNotPresent name: RELEASE-NAME-mastodon-create-admin + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL volumeMounts: - mountPath: /opt/mastodon/public/assets name: assets - mountPath: /opt/mastodon/public/system name: system restartPolicy: Never + securityContext: + fsGroup: 991 + runAsGroup: 991 + runAsNonRoot: true + runAsUser: 991 + seccompProfile: + type: RuntimeDefault volumes: - name: assets persistentVolumeClaim: @@ -639,12 +697,24 @@ should match basic snapshot: image: ghcr.io/mastodon/mastodon:4.5.6 imagePullPolicy: IfNotPresent name: RELEASE-NAME-mastodon-db-migrate + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL volumeMounts: - mountPath: /opt/mastodon/public/assets name: assets - mountPath: /opt/mastodon/public/system name: system restartPolicy: Never + securityContext: + fsGroup: 991 + runAsGroup: 991 + runAsNonRoot: true + runAsUser: 991 + seccompProfile: + type: RuntimeDefault volumes: - name: assets persistentVolumeClaim: @@ -701,12 +771,24 @@ should match basic snapshot: image: ghcr.io/mastodon/mastodon:4.5.6 imagePullPolicy: IfNotPresent name: RELEASE-NAME-mastodon-db-migrate + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL volumeMounts: - mountPath: /opt/mastodon/public/assets name: assets - mountPath: /opt/mastodon/public/system name: system restartPolicy: Never + securityContext: + fsGroup: 991 + runAsGroup: 991 + runAsNonRoot: true + runAsUser: 991 + seccompProfile: + type: RuntimeDefault volumes: - name: assets persistentVolumeClaim: 
@@ -971,12 +1053,24 @@ should match basic snapshot without dependencies: image: ghcr.io/mastodon/mastodon:4.5.6 imagePullPolicy: IfNotPresent name: RELEASE-NAME-mastodon-media-remove + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL volumeMounts: - mountPath: /opt/mastodon/public/assets name: assets - mountPath: /opt/mastodon/public/system name: system restartPolicy: OnFailure + securityContext: + fsGroup: 991 + runAsGroup: 991 + runAsNonRoot: true + runAsUser: 991 + seccompProfile: + type: RuntimeDefault volumes: - name: assets persistentVolumeClaim: @@ -1058,14 +1152,17 @@ should match basic snapshot without dependencies: imagePullPolicy: IfNotPresent name: mastodon resources: {} - securityContext: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL volumeMounts: - mountPath: /opt/mastodon/public/assets name: assets - mountPath: /opt/mastodon/public/system name: system securityContext: - allowPrivilegeEscalation: false fsGroup: 991 runAsGroup: 991 runAsNonRoot: true @@ -1146,8 +1243,13 @@ should match basic snapshot without dependencies: httpGet: path: /api/v1/streaming/health port: streaming + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true securityContext: - allowPrivilegeEscalation: false fsGroup: 991 runAsGroup: 991 runAsNonRoot: true @@ -1226,6 +1328,9 @@ should match basic snapshot without dependencies: port: http securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL readOnlyRootFilesystem: true startupProbe: failureThreshold: 30 @@ -1239,7 +1344,6 @@ should match basic snapshot without dependencies: - mountPath: /opt/mastodon/public/system name: system securityContext: - allowPrivilegeEscalation: false fsGroup: 991 runAsGroup: 991 runAsNonRoot: true 
@@ -1335,12 +1439,24 @@ should match basic snapshot without dependencies: image: ghcr.io/mastodon/mastodon:4.5.6 imagePullPolicy: IfNotPresent name: RELEASE-NAME-mastodon-assets-precompile + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL volumeMounts: - mountPath: /opt/mastodon/public/assets name: assets - mountPath: /opt/mastodon/public/system name: system restartPolicy: Never + securityContext: + fsGroup: 991 + runAsGroup: 991 + runAsNonRoot: true + runAsUser: 991 + seccompProfile: + type: RuntimeDefault volumes: - name: assets persistentVolumeClaim: @@ -1400,12 +1516,24 @@ should match basic snapshot without dependencies: image: ghcr.io/mastodon/mastodon:4.5.6 imagePullPolicy: IfNotPresent name: RELEASE-NAME-mastodon-create-admin + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL volumeMounts: - mountPath: /opt/mastodon/public/assets name: assets - mountPath: /opt/mastodon/public/system name: system restartPolicy: Never + securityContext: + fsGroup: 991 + runAsGroup: 991 + runAsNonRoot: true + runAsUser: 991 + seccompProfile: + type: RuntimeDefault volumes: - name: assets persistentVolumeClaim: @@ -1460,12 +1588,24 @@ should match basic snapshot without dependencies: image: ghcr.io/mastodon/mastodon:4.5.6 imagePullPolicy: IfNotPresent name: RELEASE-NAME-mastodon-db-migrate + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL volumeMounts: - mountPath: /opt/mastodon/public/assets name: assets - mountPath: /opt/mastodon/public/system name: system restartPolicy: Never + securityContext: + fsGroup: 991 + runAsGroup: 991 + runAsNonRoot: true + runAsUser: 991 + seccompProfile: + type: RuntimeDefault volumes: - name: assets persistentVolumeClaim: 
@@ -1522,12 +1662,24 @@ should match basic snapshot without dependencies: image: ghcr.io/mastodon/mastodon:4.5.6 imagePullPolicy: IfNotPresent name: RELEASE-NAME-mastodon-db-migrate + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL volumeMounts: - mountPath: /opt/mastodon/public/assets name: assets - mountPath: /opt/mastodon/public/system name: system restartPolicy: Never + securityContext: + fsGroup: 991 + runAsGroup: 991 + runAsNonRoot: true + runAsUser: 991 + seccompProfile: + type: RuntimeDefault volumes: - name: assets persistentVolumeClaim:
diff --git a/charts/mastodon/values.yaml b/charts/mastodon/values.yaml
index a1d06066915b3ec83fc2154c949dd5dfbb038ca7..db78da6ce089cc100c43f574ff8557082a2f36a7 100644
--- a/charts/mastodon/values.yaml
+++ b/charts/mastodon/values.yaml
@@ -164,6 +164,7 @@ mastodon:
 podSecurityContext: {}
 # -- (Streaming Container) Security Context for Streaming Pods, overwrites .Values.securityContext
 securityContext:
+ readOnlyRootFilesystem: true
 # -- (Streaming Container) Resources for Streaming Pods, overwrites .Values.resources
 resources: {}
 # limits:
@@ -182,7 +183,6 @@ mastodon:
 podSecurityContext: {}
 # -- (Web Container) Security Context for Web Pods, overwrites .Values.securityContext
 securityContext:
- allowPrivilegeEscalation: false
 readOnlyRootFilesystem: true
 # -- (Web Container) Resources for Web Pods, overwrites .Values.resources
 resources: {}
@@ -388,12 +388,9 @@ externalAuth:
 # search: "., -"
 # replace: _

-# -- https://github.com/mastodon/mastodon/blob/main/Dockerfile#L75
-#
-# if you manually change the UID/GID environment variables, ensure these values
-# match:
+# -- base securityContext on Pod-Level. Can be overwritten but more specific contexts.
+# Used to match the Upstream UID/GID
 podSecurityContext:
- allowPrivilegeEscalation: false
 runAsNonRoot: true
 runAsUser: 991
 runAsGroup: 991
@@ -401,8 +398,12 @@ podSecurityContext:
 seccompProfile:
 type: "RuntimeDefault"

-# @ignored
-securityContext: {}

+# -- securityContext on Container-Level. Can be overwritten but more specific contexts.
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL

 serviceAccount:
 # -- Specifies whether a service account should be created
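Review bot: The new comment reads `Can be overwritten but more specific contexts`; it should be `Can be overwritten by more specific contexts`, here and in the `podSecurityContext` comment of the preceding hunk. In the same file, the `(Streaming Container)` and `(Web Container)` securityContext comments still say `overwrites .Values.securityContext`, while the deployment templates now merge the two maps instead of replacing one with the other, so `merged with .Values.securityContext` describes the new behaviour. A sentence noting that the Job and CronJob templates apply `securityContext` and `podSecurityContext` directly, with no component-level override, would also help users who only tune `mastodon.<component>.securityContext`. The README table carries the same wording and appears to be generated from these `# --` comments, so fixing them here also corrects the README on the next docs run.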