diff --git a/metro-ai-suite/metro-vision-ai-app-recipe/loitering-detection/helm-chart/templates/broker.yaml b/metro-ai-suite/metro-vision-ai-app-recipe/loitering-detection/helm-chart/templates/broker.yaml
index 26db11b4b..0048dddaa 100644
--- a/metro-ai-suite/metro-vision-ai-app-recipe/loitering-detection/helm-chart/templates/broker.yaml
+++ b/metro-ai-suite/metro-vision-ai-app-recipe/loitering-detection/helm-chart/templates/broker.yaml
@@ -15,6 +15,13 @@ spec:
 labels:
 app: broker
 spec:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1883
+ runAsGroup: 1883
+ fsGroup: 1883
+ seccompProfile:
+ type: RuntimeDefault
 containers:
 - name: mqtt
 image: {{ $.Values.mqtt_broker.image }}:{{ $.Values.mqtt_broker.imageTag }}
@@ -28,13 +35,30 @@ spec:
 value: {{ $.Values.env.https_proxy }}
 - name: no_proxy
 value: "{{ $.Values.env.no_proxy }},{{ $.Values.env.HOST_IP }}"
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ runAsUser: 1883
+ runAsGroup: 1883
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
 volumeMounts:
 - name: mosquitto-config-volume
 mountPath: /mosquitto/config
+ - name: mosquitto-data
+ mountPath: /mosquitto/data
+ - name: mosquitto-log
+ mountPath: /mosquitto/log
 volumes:
 - name: mosquitto-config-volume
 configMap:
 name: broker
+ - name: mosquitto-data
+ emptyDir: {}
+ - name: mosquitto-log
+ emptyDir: {}
 ---
 apiVersion: v1
 kind: Service
diff --git a/metro-ai-suite/metro-vision-ai-app-recipe/loitering-detection/helm-chart/templates/coturn.yaml b/metro-ai-suite/metro-vision-ai-app-recipe/loitering-detection/helm-chart/templates/coturn.yaml
index 33e6e6053..e7f5e3b84 100644
--- a/metro-ai-suite/metro-vision-ai-app-recipe/loitering-detection/helm-chart/templates/coturn.yaml
+++ b/metro-ai-suite/metro-vision-ai-app-recipe/loitering-detection/helm-chart/templates/coturn.yaml
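Review bot: The mqtt container's securityContext in the second hunk repeats `runAsUser: 1883` and `runAsGroup: 1883` that the pod-level securityContext in the first hunk already sets, while the smart-parking broker.yaml later in this diff sets them only at pod level; a container inherits the pod values unless it overrides them, so pick one form and use it in both charts. Mosquitto's data and log directories now sit on `emptyDir` volumes, so whatever is written to /mosquitto/data is discarded with the pod; if the broker config map enables `persistence true` (not visible here), that loss of retained messages and sessions on restart should be stated in the chart's documentation or the volume backed by a PersistentVolumeClaim.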
@@ -37,6 +37,13 @@ spec:
 labels:
 app: coturn
 spec:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ seccompProfile:
+ type: RuntimeDefault
 {{- if and .Values.DOCKER_USERNAME .Values.DOCKER_PASSWORD }}
 imagePullSecrets:
 - name: registryauth
@@ -45,6 +52,15 @@ spec:
 containers:
 - name: coturn
 image: {{ $.Values.coturn.image }}:{{ $.Values.coturn.imageTag }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
 args: ["-v"] # Enable verbose logging
 ports:
 - containerPort: {{ $.Values.config.coturn.int.coturn_tcp_port }}
diff --git a/metro-ai-suite/metro-vision-ai-app-recipe/loitering-detection/helm-chart/templates/mediamtx.yaml b/metro-ai-suite/metro-vision-ai-app-recipe/loitering-detection/helm-chart/templates/mediamtx.yaml
index ffdddadf7..0849b2369 100644
--- a/metro-ai-suite/metro-vision-ai-app-recipe/loitering-detection/helm-chart/templates/mediamtx.yaml
+++ b/metro-ai-suite/metro-vision-ai-app-recipe/loitering-detection/helm-chart/templates/mediamtx.yaml
@@ -46,12 +46,28 @@ spec:
 labels:
 app: mediamtx
 spec:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ seccompProfile:
+ type: RuntimeDefault
 {{- if and .Values.DOCKER_USERNAME .Values.DOCKER_PASSWORD }}
 imagePullSecrets:
 - name: registryauth
 {{- end }}
 containers:
 - name: mediamtx
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
 env:
 - name: http_proxy
 value: {{ $.Values.env.http_proxy }}
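Review bot: The loitering coturn container gets `readOnlyRootFilesystem: true` in the second coturn hunk without any writable volume, whereas the smart-parking coturn.yaml in this same diff pairs the identical setting with `tmp` and `var-tmp` emptyDir volumes mounted at /tmp and /var/tmp. turnserver's documented pid-file fallback when it is not running as root is /var/tmp/turnserver.pid, so this copy is likely to fail at startup where the smart-parking copy does not; mirror those two volumes and volumeMounts here. The container spec continues past the end of the hunk, so a mount list further down would not be visible in this view — worth confirming before merging.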
@@ -87,4 +103,14 @@ spec:
 value: "10s"
 image: {{ $.Values.mediamtx.image }}:{{ $.Values.mediamtx.imageTag }}
 imagePullPolicy: {{ .Values.imagePullPolicy }}
+ volumeMounts:
+ - name: mediamtx-tmp
+ mountPath: /tmp
+ - name: mediamtx-recordings
+ mountPath: /recordings
+ volumes:
+ - name: mediamtx-tmp
+ emptyDir: {}
+ - name: mediamtx-recordings
+ emptyDir: {}
 restartPolicy: Always
diff --git a/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/broker.yaml b/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/broker.yaml
index 26db11b4b..598262fc4 100644
--- a/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/broker.yaml
+++ b/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/broker.yaml
@@ -15,9 +15,23 @@ spec:
 labels:
 app: broker
 spec:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1883
+ runAsGroup: 1883
+ fsGroup: 1883
+ seccompProfile:
+ type: RuntimeDefault
 containers:
 - name: mqtt
 image: {{ $.Values.mqtt_broker.image }}:{{ $.Values.mqtt_broker.imageTag }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
 ports:
 - containerPort: {{ $.Values.config.mqtt_broker.int.mqtt_port }}
 name: mqtt
@@ -31,10 +45,18 @@ spec:
 volumeMounts:
 - name: mosquitto-config-volume
 mountPath: /mosquitto/config
+ - name: mosquitto-data
+ mountPath: /mosquitto/data
+ - name: mosquitto-log
+ mountPath: /mosquitto/log
 volumes:
 - name: mosquitto-config-volume
 configMap:
 name: broker
+ - name: mosquitto-data
+ emptyDir: {}
+ - name: mosquitto-log
+ emptyDir: {}
 ---
 apiVersion: v1
 kind: Service
diff --git a/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/coturn.yaml b/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/coturn.yaml
index 33e6e6053..aa469544c 100644
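Review bot: `mediamtx-recordings` is an `emptyDir: {}` with no `sizeLimit`, mounted at /recordings; if recording is enabled in the mediamtx configuration (not visible here), the volume grows until the node's ephemeral storage is exhausted, the kubelet evicts the pod, and every recording is lost with it. Bound it with `emptyDir:` / `sizeLimit: <max-recording-size>` (placeholder) or back /recordings with a PersistentVolumeClaim so a long-running stream cannot take the node down. The smart-parking mediamtx.yaml later in this diff adds the identical unbounded volume and should get the same treatment.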
--- a/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/coturn.yaml
+++ b/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/coturn.yaml
@@ -37,6 +37,13 @@ spec:
 labels:
 app: coturn
 spec:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ seccompProfile:
+ type: RuntimeDefault
 {{- if and .Values.DOCKER_USERNAME .Values.DOCKER_PASSWORD }}
 imagePullSecrets:
 - name: registryauth
@@ -45,6 +52,13 @@ spec:
 containers:
 - name: coturn
 image: {{ $.Values.coturn.image }}:{{ $.Values.coturn.imageTag }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
 args: ["-v"] # Enable verbose logging
 ports:
 - containerPort: {{ $.Values.config.coturn.int.coturn_tcp_port }}
@@ -59,4 +73,14 @@ spec:
 value: {{ $.Values.env.https_proxy }}
 - name: no_proxy
 value: "{{ $.Values.env.no_proxy }},{{ $.Values.env.HOST_IP }}"
+ volumeMounts:
+ - name: tmp
+ mountPath: /tmp
+ - name: var-tmp
+ mountPath: /var/tmp
+ volumes:
+ - name: tmp
+ emptyDir: {}
+ - name: var-tmp
+ emptyDir: {}
 restartPolicy: Always
diff --git a/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/mediamtx.yaml b/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/mediamtx.yaml
index ffdddadf7..bdc3cbcbb 100644
--- a/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/mediamtx.yaml
+++ b/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/mediamtx.yaml
@@ -46,12 +46,26 @@ spec:
 labels:
 app: mediamtx
 spec:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ seccompProfile:
+ type: RuntimeDefault
 {{- if and .Values.DOCKER_USERNAME .Values.DOCKER_PASSWORD }}
 imagePullSecrets:
 - name: registryauth
 {{- end }}
 containers:
 - name: mediamtx
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
 env:
 - name: http_proxy
 value: {{ $.Values.env.http_proxy }}
@@ -87,4 +101,14 @@ spec:
 value: "10s"
 image: {{ $.Values.mediamtx.image }}:{{ $.Values.mediamtx.imageTag }}
 imagePullPolicy: {{ .Values.imagePullPolicy }}
+ volumeMounts:
+ - name: mediamtx-tmp
+ mountPath: /tmp
+ - name: mediamtx-recordings
+ mountPath: /recordings
+ volumes:
+ - name: mediamtx-tmp
+ emptyDir: {}
+ - name: mediamtx-recordings
+ emptyDir: {}
 restartPolicy: Always
diff --git a/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/nginx-reverse-proxy.yaml b/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/nginx-reverse-proxy.yaml
index 486bf6fd3..e1aaca034 100644
--- a/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/nginx-reverse-proxy.yaml
+++ b/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/nginx-reverse-proxy.yaml
@@ -61,21 +61,48 @@ spec:
 labels:
 app: nginx-reverse-proxy
 spec:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 101
+ runAsGroup: 101
+ fsGroup: 101
+ seccompProfile:
+ type: RuntimeDefault
 initContainers:
 - name: generate-certs
 image: alpine/openssl:3.5.4
 command:
 - /bin/sh
 - /scripts/generate_certs.sh
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ runAsUser: 101
+ runAsGroup: 101
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
 volumeMounts:
 - name: nginx-ssl
 mountPath: /etc/nginx/ssl
 - name: nginx-scripts
 mountPath: /scripts
+ - name: tmp
+ mountPath: /tmp
 containers:
 - name: nginx-reverse-proxy
 image: {{ .Values.nginx.image }}:{{ .Values.nginx.imageTag }}
 imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ runAsUser: 101
+ runAsGroup: 101
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
 ports:
 - containerPort: {{ .Values.config.nginx.int.http_port }}
 - containerPort: {{ .Values.config.nginx.int.https_port }}
@@ -94,6 +121,12 @@ spec:
 subPath: nginx.conf
 - name: nginx-ssl
 mountPath: /etc/nginx/ssl
+ - name: nginx-cache
+ mountPath: /var/cache/nginx
+ - name: nginx-run
+ mountPath: /var/run
+ - name: tmp
+ mountPath: /tmp
 resources:
 requests:
 memory: "64Mi"
@@ -116,4 +149,10 @@ spec:
 path: generate_certs.sh
 mode: 0755
 - name: nginx-ssl
+ emptyDir: {}
+ - name: nginx-cache
+ emptyDir: {}
+ - name: nginx-run
+ emptyDir: {}
+ - name: tmp
 emptyDir: {}
\ No newline at end of file
diff --git a/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/node-red.yaml b/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/node-red.yaml
index 24e7aae47..d034fa095 100644
--- a/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/node-red.yaml
+++ b/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/node-red.yaml
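Review bot: The nginx-reverse-proxy container in the first hunk now runs as UID 101 with `capabilities.drop: [ALL]` and `allowPrivilegeEscalation: false`, but its listen ports come from `.Values.config.nginx.int.http_port` and `https_port`, whose values are not visible here; if either is below 1024, nginx cannot bind without CAP_NET_BIND_SERVICE and the pod crash-loops. Prefer having nginx.conf listen on unprivileged ports (the approach the upstream unprivileged nginx image takes) and keep the external 80/443 mapping at the Service, rather than adding the capability back. With `readOnlyRootFilesystem: true` the only writable paths are /var/cache/nginx, /var/run and /tmp, so confirm the `pid` directive in the mounted nginx.conf points under /var/run and that no `client_body_temp_path`/`proxy_temp_path` is set outside /var/cache/nginx.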
@@ -15,9 +15,22 @@ spec:
 labels:
 app: node-red
 spec:
+ securityContext:
+ fsGroup: 1000
+ seccompProfile:
+ type: RuntimeDefault
 initContainers:
 - name: intel-plugin-downloader
 image: curlimages/curl:latest
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
 command:
 - /bin/sh
 - -c
@@ -48,6 +61,8 @@ spec:
 - name: node-red-flows-config
 mountPath: /tmp/flows.json
 subPath: flows.json
+ - name: tmp
+ mountPath: /tmp
 containers:
 - name: node-red
 image: {{ $.Values.node_red.image }}:{{ $.Values.node_red.imageTag }}
@@ -64,16 +79,31 @@ spec:
 - name: no_proxy
 value: "{{ $.Values.env.no_proxy }},{{ $.Values.env.HOST_IP }}"
 securityContext:
- runAsUser: 0 # root user
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
 volumeMounts:
 - name: node-red-data
 mountPath: /data
+ - name: node-red-src
+ mountPath: /usr/src/node-red
+ - name: tmp
+ mountPath: /tmp
 volumes:
 - name: node-red-data
 emptyDir: {}
 - name: node-red-flows-config
 configMap:
- name: node-red-flows-config
+ name: node-red-flows-config
+ - name: node-red-src
+ emptyDir: {}
+ - name: tmp
+ emptyDir: {}
 ---
 apiVersion: v1
 kind: Service
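Review bot: The new `node-red-src` emptyDir in the third hunk is mounted at /usr/src/node-red, which is the application install directory of the upstream Node-RED image (its WORKDIR, holding package.json and node_modules); an empty volume mounted there hides the installed application, so unless the init container or an entrypoint repopulates that path — neither is visible in these hunks, and the init container's command is cut off — the container has nothing to start. If the intent is only to give npm a writable location under `readOnlyRootFilesystem: true`, mount a narrower path (the image's own data and cache directories already live under /data, which is mounted) rather than the whole source tree. The pod-level securityContext in the first hunk carries only `fsGroup` and `seccompProfile`, while every other chart in this diff also sets `runAsNonRoot`/`runAsUser` there; both containers set them individually, so this is a consistency point only.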