From df0d5981f09d7f9580b4cf965de0f0dc0dea0f6e Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Fri, 7 Jul 2023 13:00:43 +0200
Subject: [PATCH] feat(mastodon): Hardening mastodon web container

This patch enables a read-only root filesystem on the mastodon-web container
and disables privilege escalation
---
 charts/mastodon/Chart.yaml                               | 2 +-
 charts/mastodon/README.md                                | 4 ++--
 charts/mastodon/tests/__snapshot__/50_web_test.yaml.snap | 3 +++
 charts/mastodon/values.yaml                              | 4 +++-
 4 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/charts/mastodon/Chart.yaml b/charts/mastodon/Chart.yaml
index 3939c34b2..0be19e65e 100644
--- a/charts/mastodon/Chart.yaml
+++ b/charts/mastodon/Chart.yaml
@@ -11,7 +11,7 @@ sources:
     - https://git.shivering-isles.com/shivering-isles/infrastructure-gitops/-/tree/main/charts/mastodon
 
 type: application
-version: 6.0.5
+version: 6.0.6
 # renovate: image=ghcr.io/mastodon/mastodon
 appVersion: "v4.1.3"
 
diff --git a/charts/mastodon/README.md b/charts/mastodon/README.md
index 777de95dd..5ce51471a 100644
--- a/charts/mastodon/README.md
+++ b/charts/mastodon/README.md
@@ -1,6 +1,6 @@
 # mastodon
 
-![Version: 6.0.5](https://img.shields.io/badge/Version-6.0.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v4.1.3](https://img.shields.io/badge/AppVersion-v4.1.3-informational?style=flat-square)
+![Version: 6.0.6](https://img.shields.io/badge/Version-6.0.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v4.1.3](https://img.shields.io/badge/AppVersion-v4.1.3-informational?style=flat-square)
 
 Mastodon is a free, open-source social network server based on ActivityPub.
 
@@ -106,7 +106,7 @@ Mastodon is a free, open-source social network server based on ActivityPub.
 | mastodon.web.port | int | `3000` |  |
 | mastodon.web.replicas | int | `1` | Number of Web Pods running |
 | mastodon.web.resources | Web Container | `{}` | Resources for Web Pods, overwrites .Values.resources |
-| mastodon.web.securityContext | Web Container | `{}` | Security Context for Web Pods, overwrites .Values.securityContext |
+| mastodon.web.securityContext | Web Container | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true}` | Security Context for Web Pods, overwrites .Values.securityContext |
 | mastodon.web_domain | string | `nil` | Use of WEB_DOMAIN requires careful consideration: https://docs.joinmastodon.org/admin/config/#federation You must redirect the path LOCAL_DOMAIN/.well-known/ to WEB_DOMAIN/.well-known/ as described Example: mastodon.example.com |
 | podAnnotations | object | `{}` | Kubernetes manages pods for jobs and pods for deployments differently, so you might need to apply different annotations to the two different sets of pods. The annotations set with podAnnotations will be added to all deployment-managed pods. |
 | podSecurityContext | object | `{"fsGroup":991,"runAsGroup":991,"runAsUser":991}` | https://github.com/mastodon/mastodon/blob/main/Dockerfile#L75  if you manually change the UID/GID environment variables, ensure these values match: |
diff --git a/charts/mastodon/tests/__snapshot__/50_web_test.yaml.snap b/charts/mastodon/tests/__snapshot__/50_web_test.yaml.snap
index 43b8df2db..5f28d6107 100644
--- a/charts/mastodon/tests/__snapshot__/50_web_test.yaml.snap
+++ b/charts/mastodon/tests/__snapshot__/50_web_test.yaml.snap
@@ -106,6 +106,9 @@ should match basic snapshot:
                 httpGet:
                   path: /health
                   port: http
+              securityContext:
+                allowPrivilegeEscalation: false
+                readOnlyRootFilesystem: true
               startupProbe:
                 failureThreshold: 30
                 httpGet:
diff --git a/charts/mastodon/values.yaml b/charts/mastodon/values.yaml
index 25ed14865..5542a5d80 100644
--- a/charts/mastodon/values.yaml
+++ b/charts/mastodon/values.yaml
@@ -181,7 +181,9 @@ mastodon:
     # -- Pod Security Context for Web Pods, overwrites .Values.podSecurityContext
     podSecurityContext: {}
     # -- (Web Container) Security Context for Web Pods, overwrites .Values.securityContext
-    securityContext: {}
+    securityContext:
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: true
     # -- (Web Container) Resources for Web Pods, overwrites .Values.resources
     resources: {}
     # limits:
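Review bot: The new non-empty default at `securityContext:` silently shadows the chart-wide `.Values.securityContext` for the web container, since the comment above it says this key "overwrites" the global one; an operator who set e.g. `runAsNonRoot` or a capabilities drop globally will lose it here unless they repeat it under `mastodon.web.securityContext`, and the `# --` comment does not say so. I would extend the comment to `# -- (Web Container) Security Context for Web Pods, overwrites .Values.securityContext. Non-empty by default, so global settings do not apply here unless repeated; set to {} to fall back to the global value.` The diffstat shows no template change adding writable volumes alongside `readOnlyRootFilesystem: true`, so if the web process writes anywhere on its root filesystem (temporary files, caches) the pod will fail at runtime rather than at render time — worth confirming with the snapshot test or a note in the comment. The surrounding `mastodon:` mapping starts and ends outside the hunk.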
-- 
GitLab