feat(mastodon): Hardening mastodon web container

This patch enables read-only filesystems on the mastodon-web container and disables privilege escalation

feat(mastodon): Hardening mastodon web container
df0d5981 · Sheogorath · f9d76000 · df0d5981 · df0d5981 · df0d5981
Verified Commit df0d5981 authored 1 year ago by Sheogorath
--- a/charts/mastodon/Chart.yaml
+++ b/charts/mastodon/Chart.yaml
@@ -11,7 +11,7 @@ sources:
    - https://git.shivering-isles.com/shivering-isles/infrastructure-gitops/-/tree/main/charts/mastodon
 type: application
-version: 6.0.5
+version: 6.0.6
 # renovate: image=ghcr.io/mastodon/mastodon
 appVersion: "v4.1.3"

--- a/charts/mastodon/README.md
+++ b/charts/mastodon/README.md
 # mastodon
-![Version: 6.0.5](https://img.shields.io/badge/Version-6.0.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v4.1.3](https://img.shields.io/badge/AppVersion-v4.1.3-informational?style=flat-square)
+![Version: 6.0.6](https://img.shields.io/badge/Version-6.0.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v4.1.3](https://img.shields.io/badge/AppVersion-v4.1.3-informational?style=flat-square)
 Mastodon is a free, open-source social network server based on ActivityPub.
@@ -106,7 +106,7 @@ Mastodon is a free, open-source social network server based on ActivityPub.
 | mastodon.web.port | int | `3000` |  |
 | mastodon.web.replicas | int | `1` | Number of Web Pods running |
 | mastodon.web.resources | Web Container | `{}` | Resources for Web Pods, overwrites .Values.resources |
-| mastodon.web.securityContext | Web Container | `{}` | Security Context for Web Pods, overwrites .Values.securityContext |
+| mastodon.web.securityContext | Web Container | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true}` | Security Context for Web Pods, overwrites .Values.securityContext |
 | mastodon.web_domain | string | `nil` | Use of WEB_DOMAIN requires careful consideration: https://docs.joinmastodon.org/admin/config/#federation You must redirect the path LOCAL_DOMAIN/.well-known/ to WEB_DOMAIN/.well-known/ as described Example: mastodon.example.com |
 | podAnnotations | object | `{}` | Kubernetes manages pods for jobs and pods for deployments differently, so you might need to apply different annotations to the two different sets of pods. The annotations set with podAnnotations will be added to all deployment-managed pods. |
 | podSecurityContext | object | `{"fsGroup":991,"runAsGroup":991,"runAsUser":991}` | https://github.com/mastodon/mastodon/blob/main/Dockerfile#L75  if you manually change the UID/GID environment variables, ensure these values match: |

--- a/charts/mastodon/tests/__snapshot__/50_web_test.yaml.snap
+++ b/charts/mastodon/tests/__snapshot__/50_web_test.yaml.snap
@@ -106,6 +106,9 @@ should match basic snapshot:
                httpGet:
                  path: /health
                  port: http
+              securityContext:
+                allowPrivilegeEscalation: false
+                readOnlyRootFilesystem: true
              startupProbe:
                failureThreshold: 30
                httpGet:

--- a/charts/mastodon/values.yaml
+++ b/charts/mastodon/values.yaml
@@ -181,7 +181,9 @@ mastodon:
    # -- Pod Security Context for Web Pods, overwrites .Values.podSecurityContext
    podSecurityContext: {}
    # -- (Web Container) Security Context for Web Pods, overwrites .Values.securityContext
-    securityContext: {}
+    securityContext:
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: true
    # -- (Web Container) Resources for Web Pods, overwrites .Values.resources
    resources: {}
    # limits: