From 612786b69b7be2cd860a54ca0dd717f6b147eb06 Mon Sep 17 00:00:00 2001
From: Paul Jones
Date: Mon, 19 Aug 2024 09:19:23 +0100
Subject: [PATCH] Check helm chart complies with pss using kyverno gh action (#236)
---
 .github/workflows/helm-test.yaml | 11 +++++++++++
 .../tests/deployment_test.yaml | 14 ++++++++++++++
 deploy/charts/version-checker/values.yaml | 19 +++++++++----------
 3 files changed, 34 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/helm-test.yaml b/.github/workflows/helm-test.yaml
index 66b298f0..3690b321 100644
--- a/.github/workflows/helm-test.yaml
+++ b/.github/workflows/helm-test.yaml
@@ -50,3 +50,14 @@ jobs:
 exit 0
 fi
 helm unittest deploy/charts/version-checker
+
+ security_policies:
+ name: Verify that the Helm chart complies with the pod security standards
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+ - name: Install Kyverno CLI
+ uses: kyverno/action-install-cli@v0.2.0
+ - uses: azure/setup-helm@v3
+ - run: kyverno apply -p https://github.com/kyverno/policies/pod-security/restricted --git-branch main --resource <(helm template deploy/charts/version-checker/)
diff --git a/deploy/charts/version-checker/tests/deployment_test.yaml b/deploy/charts/version-checker/tests/deployment_test.yaml
index 029416a0..0a538f71 100644
--- a/deploy/charts/version-checker/tests/deployment_test.yaml
+++ b/deploy/charts/version-checker/tests/deployment_test.yaml
@@ -432,7 +432,14 @@ tests:
 runAsUser: 65534
 securityContext:
 allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
 readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
 asserts:
 - equal:
 path: spec.template.spec.securityContext
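Review bot: The two new action references `kyverno/action-install-cli@v0.2.0` and `azure/setup-helm@v3` are pinned to mutable tags, while the checkout step just above them is pinned to a full commit SHA with a version comment; both should get the same treatment, e.g. `uses: kyverno/action-install-cli@<commit-sha> # v0.2.0`. The policy bundle is likewise fetched from a moving branch (`--git-branch main`), so the job's verdict depends on whatever the upstream repository holds at run time; pinning to a release tag (`--git-branch <release-tag>`) or vendoring the policies into the repo makes the check reproducible. Confirm that the installed `kyverno apply` exits non-zero when a rule fails for this CLI version, otherwise the job is green regardless of the report. Note also that `helm template deploy/charts/version-checker/` renders the shipped defaults only, so the check says nothing about values users override at install time.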
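Review bot: The securityContext values added in this hunk (and the matching expected block in the next hunk at @@ -442) are identical to the new chart defaults in values.yaml, so if these lines are the test's input the case can no longer distinguish "default rendered" from "override honoured". Keep this case, but add a second one with no securityContext override that asserts the rendered container securityContext equals the default, or give one key here a distinct constructed value (for instance `runAsUser: 1000`) so a regression in either path shows up. The enclosing test case starts before this hunk, so whether these lines sit under the test's `set:` block is inferred from the indentation and the `asserts:` that follow.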
@@ -442,4 +449,11 @@ tests:
 path: spec.template.spec.containers[0].securityContext
 value:
 allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
 readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/deploy/charts/version-checker/values.yaml b/deploy/charts/version-checker/values.yaml
index 427043bc..5d6f39a6 100644
--- a/deploy/charts/version-checker/values.yaml
+++ b/deploy/charts/version-checker/values.yaml
@@ -127,16 +127,15 @@ resources:
 # -- Set container-level security context
 securityContext:
- {}
- # allowPrivilegeEscalation: false
- # capabilities:
- # drop:
- # - ALL
- # readOnlyRootFilesystem: true
- # runAsNonRoot: true
- # runAsUser: 65534
- # seccompProfile:
- # type: RuntimeDefault
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
 # -- Set pod-level security context
 podSecurityContext: {}
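Review bot: Turning the previously commented-out hardening into live defaults is a behaviour change for existing chart users — `readOnlyRootFilesystem: true` breaks any image that writes outside a mounted volume, and the fixed `runAsUser: 65534` overrides whatever `USER` the image declares — yet the `# --` description comment above `securityContext:` is left unchanged, so nothing in the values file tells users the defaults moved or how to relax them. Extend that comment to state the intent and the escape hatch, e.g. `# -- Set container-level security context. Defaults satisfy the "restricted" Pod Security Standard; override individual keys if the image needs a writable root filesystem or a different UID`. Whether the chart README or changelog records this change is outside the diff.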