feat: updates helm job to run with hardened security contexts

nxtcoder17 · nxtcoder17 · commit b4284961603e · 2025-05-31T14:41:35.000+05:30
diff --git a/Dockerfile.ci b/Dockerfile.ci
@@ -24,8 +24,7 @@ nix \
   develop --command run build binary_out=/tmp/plugin-helm-controller
 EOF
 
-FROM gcr.io/distroless/static
+FROM gcr.io/distroless/static:nonroot
 WORKDIR /home/nonroot
-USER nonroot:nonroot
 COPY --from=builder --chown=nonroot:nonroot /tmp/plugin-helm-controller ./plugin-helm-controller
 ENTRYPOINT ["./plugin-helm-controller"]
diff --git a/IMAGES/helm-job-runner/Dockerfile-nix b/IMAGES/helm-job-runner/Dockerfile-nix
@@ -15,9 +15,8 @@ mkdir -p /tmp/nix-store-closure
 cp -R $(nix-store -qR /tmp/output/result) /tmp/nix-store-closure
 EOF
 
-FROM gcr.io/distroless/static
+FROM gcr.io/distroless/static:nonroot
 WORKDIR /home/nonroot
-USER nonroot:nonroot
 COPY --from=builder /tmp/nix-store-closure /nix/store
 COPY --from=builder --chown=nonroot:nonroot /tmp/output/ /app/
 ENV PATH=/app/result/bin
diff --git a/INSTALL/k8s/setup.yaml b/INSTALL/k8s/setup.yaml
@@ -85,6 +85,9 @@ spec:
                 - ALL
       securityContext:
         runAsNonRoot: true
+        runAsUser: 65532 # nonroot user from gcr.io/distroless/static:nonroot image
+        runAsGroup: 65532 # nonroot group from gcr.io/distroless/static:nonroot image
+        allowPrivilegeEscalation: false
       serviceAccountName: "plugin-helm-chart"
       terminationGracePeriodSeconds: 10
 
diff --git a/internal/controller/helm_pipeline/templates/helm-pipeline-install-job-spec.yml.tpl b/internal/controller/helm_pipeline/templates/helm-pipeline-install-job-spec.yml.tpl
@@ -6,6 +6,13 @@ template:
     serviceAccountName: {{.ServiceAccountName | toJson }}
     tolerations: {{ .PodTolerations | default list | toJson }}
     nodeSelector: {{ .NodeSelector | default dict | toJson }}
+
+    securityContext:
+      runAsNonRoot: true
+      runAsUser: 65532 # nonroot user from gcr.io/distroless/static:nonroot image
+      runAsGroup: 65532 # nonroot group from gcr.io/distroless/static:nonroot image
+      allowPrivilegeEscalation: false
+
     containers:
       - name: helm
         image: {{.Image}}
diff --git a/internal/controller/helm_pipeline/templates/helm-pipeline-uninstall-job-spec.yml.tpl b/internal/controller/helm_pipeline/templates/helm-pipeline-uninstall-job-spec.yml.tpl
@@ -6,6 +6,11 @@ template:
     serviceAccountName: {{.ServiceAccountName | toJson }}
     tolerations: {{ .PodTolerations | default list | toJson }}
     nodeSelector: {{ .NodeSelector | default dict | toJson }}
+    securityContext:
+      runAsNonRoot: true
+      runAsUser: 65532 # nonroot user from gcr.io/distroless/static:nonroot image
+      runAsGroup: 65532 # nonroot group from gcr.io/distroless/static:nonroot image
+      allowPrivilegeEscalation: false
     containers:
       - name: helm
         image: {{.Image}}
