diff --git a/README.md b/README.md
index 873a5098..e64c2a8d 100644
--- a/README.md
+++ b/README.md
@@ -33,7 +33,7 @@ This repository includes the following charts; they can be deployed separately:
| [KubeEnforcer](kube-enforcer/) | Deploys Aqua KubeEnforcer | 2022.4.42 |
| [Gateway](gateway) | Deploys the Aqua Standalone Gateway | 2022.4.12 |
| [Tenant-Manager](tenant-manager/) | Deploys the Aqua Tenant Manager | 2022.4.0 |
-| [Cyber Center](cyber-center/) | Deploys Aqua CyberCenter offline for air-gap environment | 2022.4.4 |
+| [Cyber Center](cyber-center/) | Deploys Aqua CyberCenter offline for air-gap environment | 2022.4.5 |
| [Cloud Connector](cloud-connector/) | Deploys the Aqua Cloud Connector | 2022.4.5 |
| [QuickStart](aqua-quickstart/) | Not for production use (see [below](#quick-start-deployment-not-for-production-purposes)). Deploys the Console, Database, Gateway and KubeEnforcer components | 2022.4.1 |
| [Codesec-Agent](codesec-agent/) | Argon Broker Deployment | 1.2.7 |
@@ -79,7 +79,7 @@ Example output:
NAME CHART VERSION APP VERSION DESCRIPTION
aqua-helm/codesec-agent 1.2.7 2022.4 A Helm chart for the Argon Broker Deployment
aqua-helm/cloud-connector 2022.4.4 2022.4 A Helm chart for Aqua Cloud-Connector
-aqua-helm/cyber-center 2022.4.4 2022.4 A Helm chart for Aqua CyberCenter
+aqua-helm/cyber-center 2022.4.5 2022.4 A Helm chart for Aqua CyberCenter
aqua-helm/enforcer 2022.4.20 2022.4 A Helm chart for the Aqua Enforcer
aqua-helm/kube-enforcer 2022.4.42 2022.4 A Helm chart for the Aqua KubeEnforcer Starboard
aqua-helm/gateway 2022.4.12 2022.4 A Helm chart for the Aqua Gateway
diff --git a/cyber-center/CHANGELOG.md b/cyber-center/CHANGELOG.md
index 0ae32ac7..514d8565 100644
--- a/cyber-center/CHANGELOG.md
+++ b/cyber-center/CHANGELOG.md
@@ -2,6 +2,9 @@
All notable changes to this project will be documented in this file.
+## 2022.4.5 ( Apr 3rd, 2024 )
+* remove ocp scc and root user for cc
+* Add non-root user in security context
## 2022.4.4 ( Mar 29th, 2024 )
* Add Openshift scc
## 2022.4.3 ( Jan 8th, 2024 )
diff --git a/cyber-center/Chart.yaml b/cyber-center/Chart.yaml
index 2c648c66..28e83550 100644
--- a/cyber-center/Chart.yaml
+++ b/cyber-center/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
name: cyber-center
description: A Helm chart for Aqua CyberCenter
appVersion: "2022.4"
-version: "2022.4.4"
+version: "2022.4.5"
icon: https://avatars3.githubusercontent.com/u/12783832?s=200&v=4
home: https://www.aquasec.com/
maintainers:
diff --git a/cyber-center/templates/cybercenter-deployment.yaml b/cyber-center/templates/cybercenter-deployment.yaml
index 0b3e03f0..b595d257 100644
--- a/cyber-center/templates/cybercenter-deployment.yaml
+++ b/cyber-center/templates/cybercenter-deployment.yaml
@@ -49,9 +49,6 @@ spec:
{{- end }}
image: "{{ .Values.imageCredentials.repositoryUriPrefix }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: "{{ .Values.image.pullPolicy }}"
- securityContext:
- privileged: false
- runAsUser: 0
args:
{{- range $port := .Values.service.ports }}
- --address=:{{ $port.targetPort }}
diff --git a/cyber-center/templates/cybercenter-openshift-scc.yaml b/cyber-center/templates/cybercenter-openshift-scc.yaml
deleted file mode 100644
index cd608e13..00000000
--- a/cyber-center/templates/cybercenter-openshift-scc.yaml
+++ /dev/null
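Review bot: The removed block in the cybercenter-deployment.yaml hunk was the only place this container set `privileged: false`, and nothing in the hunk replaces it; whether `.Values.container_securityContext` (which values.yaml still defaults to `{}`) is rendered onto this container lies outside the hunk, so after the change the container may carry no securityContext at all. Dropping `runAsUser: 0` is the right direction, but the container-level hardening should not disappear with it: render the values-driven block here, e.g. `securityContext:` followed by `{{- toYaml .Values.container_securityContext | nindent <container indent> }}`, and give `container_securityContext` a non-empty default such as `allowPrivilegeEscalation: false` plus `capabilities: { drop: [ALL] }`. The enclosing container spec starts and ends outside the hunk, so the actual rendering of the values key could not be confirmed from here.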
@@ -1,39 +0,0 @@
-{{- if eq .Values.platform "openshift" }}
-
----
-apiVersion: security.openshift.io/v1
-defaultAddCapabilities: null
-fsGroup:
- type: RunAsAny
-groups: []
-kind: SecurityContextConstraints
-metadata:
- annotations:
- "helm.sh/hook": pre-install
- kubernetes.io/description: aqua cybcercenter scc provides all features of the
- restricted SCC but allows users to run with any root UID and access hostPath.
- This is must to run offline-cc in root user in container.
- release.openshift.io/create-only: "true"
- name: {{ .Release.Name }}-cc-scc
-priority: null
-readOnlyRootFilesystem: false
-requiredDropCapabilities:
- - MKNOD
-runAsUser:
- type: RunAsAny
-seLinuxContext:
- type: MustRunAs
-supplementalGroups:
- type: RunAsAny
-users:
- - system:serviceaccount:{{ .Release.Namespace }}:{{ .Release.Namespace }}-sa
-volumes:
- - configMap
- - downwardAPI
- - emptyDir
- - persistentVolumeClaim
- - projected
- - secret
- - hostPath
-
-{{- end }}
diff --git a/cyber-center/values.yaml b/cyber-center/values.yaml
index b3c94024..63d3a382 100644
--- a/cyber-center/values.yaml
+++ b/cyber-center/values.yaml
@@ -10,9 +10,6 @@ imageCredentials:
username: ""
password: ""
-# For Openshift platforms use platform: openshift
-platform: ""
-
serviceaccount:
# make it to true to create service-account
create: false
@@ -47,8 +44,12 @@ resources: {}
# cpu: 2000m
# memory: 2Gi
+securityContext:
+ runAsUser: 11431
+ runAsGroup: 11433
+ fsGroup: 11433
+
tolerations: []
-securityContext: {}
container_securityContext: {}
deploymentAnnotations: {}
# my-annotation-key: my value; more value
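Review bot: Deleting the `platform` key in the first values.yaml hunk is a silent breaking change for anyone still passing `platform: openshift`: Helm does not reject unknown values, so the setting is simply ignored, and neither this hunk nor the CHANGELOG entry tells them the OpenShift SCC is gone. Consider keeping the key for one release with a comment such as `# Deprecated since 2022.4.5: the chart no longer ships an OpenShift SCC; the pod now runs as a fixed non-root UID` so the change is discoverable at upgrade time. Whether any other template still reads `.Values.platform` is not visible here.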
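Review bot: The new `securityContext` in the second values.yaml hunk pins `runAsUser: 11431` but does not set `runAsNonRoot: true`, so nothing enforces non-root if a user later overrides or removes `runAsUser` and the image's USER directive decides; add `runAsNonRoot: true` next to the three IDs so the kubelet rejects a root process regardless of overrides. Since this release also stops treating OpenShift specially, note that the default restricted SCC there assigns UIDs from a per-namespace range, so a fixed UID like 11431 is likely to be rejected at admission unless the range covers it — worth a comment above the block and a line in the CHANGELOG. The IDs are correctly written as plain integers, which is what the pod schema expects, so no quoting is needed.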