Check helm chart complies with pss using kyverno gh action (#236)

jetstack · Aug 19, 2024 · 612786b · 612786b
1 parent e78cb53
commit 612786b
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 10 deletions.
diff --git a/.github/workflows/helm-test.yaml b/.github/workflows/helm-test.yaml
@@ -50,3 +50,14 @@ jobs:
             exit 0
           fi
           helm unittest deploy/charts/version-checker
+
+  security_policies:
+    name: Verify that the Helm chart complies with the pod security standards
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      - name: Install Kyverno CLI
+        uses: kyverno/[email protected]
+      - uses: azure/setup-helm@v3
+      - run: kyverno apply -p https://github.com/kyverno/policies/pod-security/restricted --git-branch main --resource <(helm template deploy/charts/version-checker/)
diff --git a/deploy/charts/version-checker/tests/deployment_test.yaml b/deploy/charts/version-checker/tests/deployment_test.yaml
@@ -432,7 +432,14 @@ tests:
         runAsUser: 65534
       securityContext:
         allowPrivilegeEscalation: false
+        capabilities:
+          drop:
+            - ALL
         readOnlyRootFilesystem: true
+        runAsNonRoot: true
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
     asserts:
       - equal:
           path: spec.template.spec.securityContext
@@ -442,4 +449,11 @@ tests:
           path: spec.template.spec.containers[0].securityContext
           value:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
             readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 65534
+            seccompProfile:
+              type: RuntimeDefault
diff --git a/deploy/charts/version-checker/values.yaml b/deploy/charts/version-checker/values.yaml
@@ -127,16 +127,15 @@ resources:
 
 # -- Set container-level security context
 securityContext:
-  {}
-  # allowPrivilegeEscalation: false
-  # capabilities:
-  #   drop:
-  #     - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 65534
-  # seccompProfile:
-  #   type: RuntimeDefault
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - ALL
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 65534
+  seccompProfile:
+    type: RuntimeDefault
 
 # -- Set pod-level security context
 podSecurityContext: {}