[Metro-Vision]Trivy config fixes.

metro-ai-suite/metro-vision-ai-app-recipe/loitering-detection/helm-chart/templates/broker.yaml

@@ -15,6 +15,13 @@ spec:
       labels:
         app: broker
     spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1883
+        runAsGroup: 1883
+        fsGroup: 1883
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - name: mqtt
         image: {{ $.Values.mqtt_broker.image }}:{{ $.Values.mqtt_broker.imageTag }}
@@ -28,13 +35,30 @@ spec:
           value: {{ $.Values.env.https_proxy }}
         - name: no_proxy
           value: "{{ $.Values.env.no_proxy }},{{ $.Values.env.HOST_IP }}"
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsNonRoot: true
+          runAsUser: 1883
+          runAsGroup: 1883
+          capabilities:
+            drop:
+              - ALL
+          readOnlyRootFilesystem: true
         volumeMounts:
         - name: mosquitto-config-volume
           mountPath: /mosquitto/config
+        - name: mosquitto-data
+          mountPath: /mosquitto/data
+        - name: mosquitto-log
+          mountPath: /mosquitto/log
       volumes:
       - name: mosquitto-config-volume
         configMap:
           name: broker
+      - name: mosquitto-data
+        emptyDir: {}
+      - name: mosquitto-log
+        emptyDir: {}
 ---
 apiVersion: v1
 kind: Service

metro-ai-suite/metro-vision-ai-app-recipe/loitering-detection/helm-chart/templates/coturn.yaml

@@ -37,6 +37,13 @@ spec:
       labels:
         app: coturn
     spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+        seccompProfile:
+          type: RuntimeDefault
       {{- if and .Values.DOCKER_USERNAME .Values.DOCKER_PASSWORD }}
       imagePullSecrets:
       - name: registryauth
@@ -45,6 +52,15 @@ spec:
       containers:
       - name: coturn
         image: {{ $.Values.coturn.image }}:{{ $.Values.coturn.imageTag }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsNonRoot: true
+          runAsUser: 1000
+          runAsGroup: 1000
+          capabilities:
+            drop:
+              - ALL
+          readOnlyRootFilesystem: true
         args: ["-v"]  # Enable verbose logging
         ports:
         - containerPort: {{ $.Values.config.coturn.int.coturn_tcp_port }}

metro-ai-suite/metro-vision-ai-app-recipe/loitering-detection/helm-chart/templates/mediamtx.yaml

@@ -46,12 +46,28 @@ spec:
       labels:
         app: mediamtx
     spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+        seccompProfile:
+          type: RuntimeDefault
       {{- if and .Values.DOCKER_USERNAME .Values.DOCKER_PASSWORD }}
       imagePullSecrets:
       - name: registryauth
       {{- end }}
       containers:
       - name: mediamtx
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsNonRoot: true
+          runAsUser: 1000
+          runAsGroup: 1000
+          capabilities:
+            drop:
+              - ALL
+          readOnlyRootFilesystem: true
         env:
         - name: http_proxy
           value: {{ $.Values.env.http_proxy }}
@@ -87,4 +103,14 @@ spec:
           value: "10s"
         image: {{ $.Values.mediamtx.image }}:{{ $.Values.mediamtx.imageTag }}
         imagePullPolicy: {{ .Values.imagePullPolicy }}
+        volumeMounts:
+        - name: mediamtx-tmp
+          mountPath: /tmp
+        - name: mediamtx-recordings
+          mountPath: /recordings
+      volumes:
+      - name: mediamtx-tmp
+        emptyDir: {}
+      - name: mediamtx-recordings
+        emptyDir: {}
       restartPolicy: Always

metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/broker.yaml

@@ -15,9 +15,23 @@ spec:
       labels:
         app: broker
     spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1883
+        runAsGroup: 1883
+        fsGroup: 1883
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - name: mqtt
         image: {{ $.Values.mqtt_broker.image }}:{{ $.Values.mqtt_broker.imageTag }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsNonRoot: true
+          capabilities:
+            drop:
+              - ALL
+          readOnlyRootFilesystem: true
         ports:
         - containerPort: {{ $.Values.config.mqtt_broker.int.mqtt_port }}
           name: mqtt
@@ -31,10 +45,18 @@ spec:
         volumeMounts:
         - name: mosquitto-config-volume
           mountPath: /mosquitto/config
+        - name: mosquitto-data
+          mountPath: /mosquitto/data
+        - name: mosquitto-log
+          mountPath: /mosquitto/log
       volumes:
       - name: mosquitto-config-volume
         configMap:
           name: broker
+      - name: mosquitto-data
+        emptyDir: {}
+      - name: mosquitto-log
+        emptyDir: {}
 ---
 apiVersion: v1
 kind: Service

metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/coturn.yaml

@@ -37,6 +37,13 @@ spec:
       labels:
         app: coturn
     spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+        seccompProfile:
+          type: RuntimeDefault
       {{- if and .Values.DOCKER_USERNAME .Values.DOCKER_PASSWORD }}
       imagePullSecrets:
       - name: registryauth
@@ -45,6 +52,13 @@ spec:
       containers:
       - name: coturn
         image: {{ $.Values.coturn.image }}:{{ $.Values.coturn.imageTag }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsNonRoot: true
+          capabilities:
+            drop:
+              - ALL
+          readOnlyRootFilesystem: true
         args: ["-v"]  # Enable verbose logging
         ports:
         - containerPort: {{ $.Values.config.coturn.int.coturn_tcp_port }}
@@ -59,4 +73,14 @@ spec:
           value: {{ $.Values.env.https_proxy }}
         - name: no_proxy
           value: "{{ $.Values.env.no_proxy }},{{ $.Values.env.HOST_IP }}"
+        volumeMounts:
+        - name: tmp
+          mountPath: /tmp
+        - name: var-tmp
+          mountPath: /var/tmp
+      volumes:
+      - name: tmp
+        emptyDir: {}
+      - name: var-tmp
+        emptyDir: {}
       restartPolicy: Always

metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/mediamtx.yaml

@@ -46,12 +46,26 @@ spec:
       labels:
         app: mediamtx
     spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+        seccompProfile:
+          type: RuntimeDefault
       {{- if and .Values.DOCKER_USERNAME .Values.DOCKER_PASSWORD }}
       imagePullSecrets:
       - name: registryauth
       {{- end }}
       containers:
       - name: mediamtx
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsNonRoot: true
+          capabilities:
+            drop:
+              - ALL
+          readOnlyRootFilesystem: true
         env:
         - name: http_proxy
           value: {{ $.Values.env.http_proxy }}
@@ -87,4 +101,14 @@ spec:
           value: "10s"
         image: {{ $.Values.mediamtx.image }}:{{ $.Values.mediamtx.imageTag }}
         imagePullPolicy: {{ .Values.imagePullPolicy }}
+        volumeMounts:
+        - name: mediamtx-tmp
+          mountPath: /tmp
+        - name: mediamtx-recordings
+          mountPath: /recordings
+      volumes:
+      - name: mediamtx-tmp
+        emptyDir: {}
+      - name: mediamtx-recordings
+        emptyDir: {}
       restartPolicy: Always

metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/nginx-reverse-proxy.yaml

@@ -61,21 +61,48 @@ spec:
       labels:
         app: nginx-reverse-proxy
     spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 101
+        runAsGroup: 101
+        fsGroup: 101
+        seccompProfile:
+          type: RuntimeDefault
       initContainers:
       - name: generate-certs
         image: alpine/openssl:3.5.4
         command: 
         - /bin/sh
         - /scripts/generate_certs.sh
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsNonRoot: true
+          runAsUser: 101
+          runAsGroup: 101
+          capabilities:
+            drop:
+              - ALL
+          readOnlyRootFilesystem: true
         volumeMounts:
         - name: nginx-ssl
           mountPath: /etc/nginx/ssl
         - name: nginx-scripts
           mountPath: /scripts
+        - name: tmp
+          mountPath: /tmp
       containers:
       - name: nginx-reverse-proxy
         image: {{ .Values.nginx.image }}:{{ .Values.nginx.imageTag }}
         imagePullPolicy: IfNotPresent
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsNonRoot: true
+          runAsUser: 101
+          runAsGroup: 101
+          capabilities:
+            drop:
+              - ALL
+          readOnlyRootFilesystem: true
         ports:
         - containerPort: {{ .Values.config.nginx.int.http_port }}
         - containerPort: {{ .Values.config.nginx.int.https_port }}
@@ -94,6 +121,12 @@ spec:
           subPath: nginx.conf
         - name: nginx-ssl
           mountPath: /etc/nginx/ssl
+        - name: nginx-cache
+          mountPath: /var/cache/nginx
+        - name: nginx-run
+          mountPath: /var/run
+        - name: tmp
+          mountPath: /tmp
         resources:
           requests:
             memory: "64Mi"
@@ -116,4 +149,10 @@ spec:
             path: generate_certs.sh
             mode: 0755
       - name: nginx-ssl
+        emptyDir: {}
+      - name: nginx-cache
+        emptyDir: {}
+      - name: nginx-run
+        emptyDir: {}
+      - name: tmp
         emptyDir: {}

metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/node-red.yaml

@@ -15,9 +15,22 @@ spec:
       labels:
         app: node-red
     spec:
+      securityContext:
+        fsGroup: 1000
+        seccompProfile:
+          type: RuntimeDefault
       initContainers:
       - name: intel-plugin-downloader
         image: curlimages/curl:latest
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsNonRoot: true
+          runAsUser: 1000
+          runAsGroup: 1000
+          capabilities:
+            drop:
+              - ALL
+          readOnlyRootFilesystem: true
         command:
         - /bin/sh
         - -c
@@ -48,6 +61,8 @@ spec:
         - name: node-red-flows-config
           mountPath: /tmp/flows.json
           subPath: flows.json
+        - name: tmp
+          mountPath: /tmp
       containers:
       - name: node-red
         image: {{ $.Values.node_red.image }}:{{ $.Values.node_red.imageTag }}
@@ -64,16 +79,31 @@ spec:
         - name: no_proxy
           value: "{{ $.Values.env.no_proxy }},{{ $.Values.env.HOST_IP }}"
         securityContext:
-          runAsUser: 0  # root user
+          allowPrivilegeEscalation: false
+          runAsNonRoot: true
+          runAsUser: 1000
+          runAsGroup: 1000
+          capabilities:
+            drop:
+              - ALL
+          readOnlyRootFilesystem: true
         volumeMounts:
         - name: node-red-data
           mountPath: /data
+        - name: node-red-src
+          mountPath: /usr/src/node-red
+        - name: tmp
+          mountPath: /tmp
       volumes:
       - name: node-red-data
         emptyDir: {}
       - name: node-red-flows-config
         configMap:
-          name: node-red-flows-config 
+          name: node-red-flows-config
+      - name: node-red-src
+        emptyDir: {}
+      - name: tmp
+        emptyDir: {} 
 ---
 apiVersion: v1
 kind: Service