fix(kube-proxy): Fixed security context (#1019)

Signed-off-by: Steve Hipwell <steve.hipwell@gmail.com>
stevehipwell · Aug 1, 2024 · f246be5 · f246be5
1 parent 2341fe2
commit f246be5
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 10 deletions.
diff --git a/charts/kube-proxy/CHANGELOG.md b/charts/kube-proxy/CHANGELOG.md
@@ -14,6 +14,12 @@
 
 ## [UNRELEASED]
 
+## [v0.0.5] - 2024-08-01
+
+### Fixed
+
+- Fixed security context.
+
 ## [v0.0.4] - 2024-08-01
 
 ### Fixed
@@ -42,6 +48,7 @@
 RELEASE LINKS
 -->
 [UNRELEASED]: https://github.com/stevehipwell/helm-charts/tree/main/charts/kube-proxy
+[v0.0.5]: https://github.com/stevehipwell/helm-charts/releases/tag/kube-proxy-0.0.5
 [v0.0.4]: https://github.com/stevehipwell/helm-charts/releases/tag/kube-proxy-0.0.4
 [v0.0.3]: https://github.com/stevehipwell/helm-charts/releases/tag/kube-proxy-0.0.3
 [v0.0.2]: https://github.com/stevehipwell/helm-charts/releases/tag/kube-proxy-0.0.2

diff --git a/charts/kube-proxy/Chart.yaml b/charts/kube-proxy/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: kube-proxy
 description: Helm chart for managing kube-proxy.
 type: application
-version: 0.0.4
+version: 0.0.5
 appVersion: 1.30.3
 keywords:
   - kubernetes
@@ -20,4 +20,4 @@ maintainers:
 annotations:
   artifacthub.io/changes: |
     - kind: fixed
-      description: "Removed unknown `logtostderr` arg."
+      description: "Fixed security context."
diff --git a/charts/kube-proxy/README.md b/charts/kube-proxy/README.md
@@ -1,6 +1,6 @@
 # kube-proxy
 
-![Version: 0.0.4](https://img.shields.io/badge/Version-0.0.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.30.3](https://img.shields.io/badge/AppVersion-1.30.3-informational?style=flat-square)
+![Version: 0.0.5](https://img.shields.io/badge/Version-0.0.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.30.3](https://img.shields.io/badge/AppVersion-1.30.3-informational?style=flat-square)
 
 Helm chart for managing kube-proxy.
 
@@ -24,15 +24,15 @@ Helm chart for managing kube-proxy.
 To install the chart using the recommended OCI method you can use the following command.
 
 ```shell
-helm upgrade --install kube-proxy oci://ghcr.io/stevehipwell/helm-charts/kube-proxy --version 0.0.4
+helm upgrade --install kube-proxy oci://ghcr.io/stevehipwell/helm-charts/kube-proxy --version 0.0.5
 ```
 
 #### Verification
 
 As the OCI chart release is signed by [Cosign](https://github.com/sigstore/cosign) you can verify the chart before installing it by running the following command.
 
 ```shell
-cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp 'https://github\.com/action-stars/helm-workflows/\.github/workflows/release\.yaml@.+' --certificate-github-workflow-repository stevehipwell/helm-charts --certificate-github-workflow-name Release ghcr.io/stevehipwell/helm-charts/kube-proxy:0.0.4
+cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp 'https://github\.com/action-stars/helm-workflows/\.github/workflows/release\.yaml@.+' --certificate-github-workflow-repository stevehipwell/helm-charts --certificate-github-workflow-name Release ghcr.io/stevehipwell/helm-charts/kube-proxy:0.0.5
 ```
 
 ### Non-OCI Repository
@@ -41,7 +41,7 @@ Alternatively you can use the legacy non-OCI method via the following commands.
 
 ```shell
 helm repo add stevehipwell https://stevehipwell.github.io/helm-charts/
-helm upgrade --install kube-proxy stevehipwell/kube-proxy --version 0.0.4
+helm upgrade --install kube-proxy stevehipwell/kube-proxy --version 0.0.5
 ```
 
 ## Values
@@ -59,7 +59,7 @@ helm upgrade --install kube-proxy stevehipwell/kube-proxy --version 0.0.4
 | image.tag | string | `nil` | Image tag for the default container, this will default to `.Chart.AppVersion` if not set. |
 | imagePullSecrets | list | `[]` | Image pull secrets. |
 | init.enabled | bool | `true` | If `true`, create an init container so the default container can be unprivileged. |
-| init.securityContext | object | `{"allowPrivilegeEscalation":true,"privileged":true,"readOnlyRootFilesystem":true,"runAsNonRoot":false}` | Security context for the init container. |
+| init.securityContext | object | `{"allowPrivilegeEscalation":true,"privileged":true,"readOnlyRootFilesystem":false,"runAsNonRoot":false}` | Security context for the init container. |
 | livenessProbe | object | `{"httpGet":{"path":"/livez","port":"http-health"}}` | Liveness probe configuration for the default container. |
 | logLevel | int | `2` | Log level for kube-proxy. |
 | minReadySeconds | int | `nil` | Min ready seconds for the `DaemonSet`. |
@@ -72,7 +72,7 @@ helm upgrade --install kube-proxy stevehipwell/kube-proxy --version 0.0.4
 | rbac.create | bool | `true` | If `true`, create a `ClusterRole` & `ClusterRoleBinding` with access to the Kubernetes API. |
 | readinessProbe | object | `{"httpGet":{"path":"/healthz","port":"http-health"}}` | Readiness probe configuration for the default container. |
 | resources | object | `{}` | Resources for the default container. |
-| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"add":["NET_ADMIN","SYS_RESOURCE"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":false}` | Security context for the default container; if init is disabled then this needs to be modified to make the default container privileged. |
+| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"add":["NET_ADMIN","SYS_RESOURCE"]},"privileged":false,"readOnlyRootFilesystem":false,"runAsNonRoot":false}` | Security context for the default container; if init is disabled then this needs to be modified to make the default container privileged. |
 | selectorLabelsOverride | object | `{}` | If configured replace the default selector labels with these. |
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
 | serviceAccount.create | bool | `true` | If `true`, create a new `ServiceAccount`. |

diff --git a/charts/kube-proxy/values.yaml b/charts/kube-proxy/values.yaml
@@ -72,14 +72,14 @@ init:
   securityContext:
     privileged: true
     allowPrivilegeEscalation: true
-    readOnlyRootFilesystem: true
+    readOnlyRootFilesystem: false
     runAsNonRoot: false
 
 # -- Security context for the default container; if init is disabled then this needs to be modified to make the default container privileged.
 securityContext:
   privileged: false
   allowPrivilegeEscalation: false
-  readOnlyRootFilesystem: true
+  readOnlyRootFilesystem: false
   runAsNonRoot: false
   capabilities:
     add: ["NET_ADMIN", "SYS_RESOURCE"]