Merge pull request #3464 from lahwaacz/security-context

Security context hardening

Author: manics

jupyterhub/values.yaml

@@ -89,11 +89,16 @@ hub:
     pullSecrets: []
   resources: {}
   podSecurityContext:
+    runAsNonRoot: true
     fsGroup: 1000
+    seccompProfile:
+      type: "RuntimeDefault"
   containerSecurityContext:
     runAsUser: 1000
     runAsGroup: 1000
     allowPrivilegeEscalation: false
+    capabilities:
+      drop: ["ALL"]
   lifecycle: {}
   loadRoles: {}
   services: {}
@@ -197,9 +202,14 @@ proxy:
   chp:
     revisionHistoryLimit:
     containerSecurityContext:
+      runAsNonRoot: true
       runAsUser: 65534 # nobody user
       runAsGroup: 65534 # nobody group
       allowPrivilegeEscalation: false
+      capabilities:
+        drop: ["ALL"]
+      seccompProfile:
+        type: "RuntimeDefault"
     image:
       name: quay.io/jupyterhub/configurable-http-proxy
       # tag is automatically bumped to new patch versions by the
@@ -250,9 +260,14 @@ proxy:
   traefik:
     revisionHistoryLimit:
     containerSecurityContext:
+      runAsNonRoot: true
       runAsUser: 65534 # nobody user
       runAsGroup: 65534 # nobody group
       allowPrivilegeEscalation: false
+      capabilities:
+        drop: ["ALL"]
+      seccompProfile:
+        type: "RuntimeDefault"
     image:
       name: traefik
       # tag is automatically bumped to new patch versions by the
@@ -300,9 +315,14 @@ proxy:
     extraPodSpec: {}
   secretSync:
     containerSecurityContext:
+      runAsNonRoot: true
       runAsUser: 65534 # nobody user
       runAsGroup: 65534 # nobody group
       allowPrivilegeEscalation: false
+      capabilities:
+        drop: ["ALL"]
+      seccompProfile:
+        type: "RuntimeDefault"
     image:
       name: quay.io/jupyterhub/k8s-secret-sync
       tag: "set-by-chartpress"
@@ -481,9 +501,14 @@ scheduling:
                 weight: 1
             type: MostAllocated
     containerSecurityContext:
+      runAsNonRoot: true
       runAsUser: 65534 # nobody user
       runAsGroup: 65534 # nobody group
       allowPrivilegeEscalation: false
+      capabilities:
+        drop: ["ALL"]
+      seccompProfile:
+        type: "RuntimeDefault"
     image:
       # IMPORTANT: Bumping the minor version of this binary should go hand in
       #            hand with an inspection of the user-scheduelr's RBAC
@@ -560,9 +585,14 @@ scheduling:
     labels: {}
     annotations: {}
     containerSecurityContext:
+      runAsNonRoot: true
       runAsUser: 65534 # nobody user
       runAsGroup: 65534 # nobody group
       allowPrivilegeEscalation: false
+      capabilities:
+        drop: ["ALL"]
+      seccompProfile:
+        type: "RuntimeDefault"
     resources: {}
   corePods:
     tolerations:
@@ -596,9 +626,14 @@ prePuller:
   annotations: {}
   resources: {}
   containerSecurityContext:
+    runAsNonRoot: true
     runAsUser: 65534 # nobody user
     runAsGroup: 65534 # nobody group
     allowPrivilegeEscalation: false
+    capabilities:
+      drop: ["ALL"]
+    seccompProfile:
+      type: "RuntimeDefault"
   extraTolerations: []
   # hook relates to the hook-image-awaiter Job and hook-image-puller DaemonSet
   hook:
@@ -611,9 +646,14 @@ prePuller:
       pullPolicy:
       pullSecrets: []
     containerSecurityContext:
+      runAsNonRoot: true
       runAsUser: 65534 # nobody user
       runAsGroup: 65534 # nobody group
       allowPrivilegeEscalation: false
+      capabilities:
+        drop: ["ALL"]
+      seccompProfile:
+        type: "RuntimeDefault"
     podSchedulingWaitDuration: 10
     nodeSelector: {}
     tolerations: []
@@ -628,9 +668,14 @@ prePuller:
   extraImages: {}
   pause:
     containerSecurityContext:
+      runAsNonRoot: true
       runAsUser: 65534 # nobody user
       runAsGroup: 65534 # nobody group
       allowPrivilegeEscalation: false
+      capabilities:
+        drop: ["ALL"]
+      seccompProfile:
+        type: "RuntimeDefault"
     image:
       name: registry.k8s.io/pause
       # tag is automatically bumped to new patch versions by the