From b4d3498069906ca2b37e2fbc12e961b80fa37dc1 Mon Sep 17 00:00:00 2001
From: Adrien Chauve
Date: Fri, 10 Nov 2023 10:33:22 +0100
Subject: [PATCH] fix(vaulwarden): run as non root

---
 .../charts/vaultwarden/templates/statefulset.yaml | 6 ++++++
 charts/vaultwarden/charts/vaultwarden/values.yaml | 9 +++++++++
 2 files changed, 15 insertions(+)

diff --git a/charts/vaultwarden/charts/vaultwarden/templates/statefulset.yaml b/charts/vaultwarden/charts/vaultwarden/templates/statefulset.yaml
index f6e1a39..8e017be 100644
--- a/charts/vaultwarden/charts/vaultwarden/templates/statefulset.yaml
+++ b/charts/vaultwarden/charts/vaultwarden/templates/statefulset.yaml
@@ -47,6 +47,10 @@ spec:
       tolerations:
         {{- toYaml .Values.tolerations | nindent 8 }}
       {{- end }}
+      securityContext:
+        runAsUser: {{ .Values.runAsUser }}
+        runAsGroup: {{ .Values.runAsUser }}
+        fsGroup: {{ .Values.runAsUser }}
       {{- if .Values.initContainers }}
       initContainers:
         {{- toYaml .Values.initContainers | nindent 8 }}
@@ -58,6 +62,8 @@ spec:
           envFrom:
             - configMapRef:
                 name: {{ include "vaultwarden.fullname" . }}
+          securityContext:
+            allowPrivilegeEscalation: false
           env:
             {{- if or (.Values.smtp.username.value) (.Values.smtp.username.existingSecretKey )}}
             - name: SMTP_USERNAME
diff --git a/charts/vaultwarden/charts/vaultwarden/values.yaml b/charts/vaultwarden/charts/vaultwarden/values.yaml
index 4eab242..50fbfeb 100644
--- a/charts/vaultwarden/charts/vaultwarden/values.yaml
+++ b/charts/vaultwarden/charts/vaultwarden/values.yaml
@@ -118,6 +118,15 @@ serviceAccount:
   name: "vaultwarden-svc"
 
+## @param runAsUser user ID for VaultWarden and backup run with
+##
+runAsUser: 1100
+
+## @param runAsGroup group ID for VaultWarden and backup run with
+## Same as default user for vaultwarden-backup
+runAsGroup: 1100
+
+
 ## @section Exposure Parameters
 ##
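Review bot: `runAsGroup` and `fsGroup` in the new pod-level securityContext are rendered from `.Values.runAsUser`, while the values.yaml hunk in this same commit introduces a separate `runAsGroup` value that nothing references; they should read `runAsGroup: {{ .Values.runAsGroup }}` and `fsGroup: {{ .Values.runAsGroup }}`. The commit's stated goal is to stop running as root, but nothing enforces it: an operator who sets `runAsUser: 0` silently gets a root pod again, so add `runAsNonRoot: true` to the same block, which makes the kubelet refuse to start a container whose effective UID is 0. The enclosing pod `spec:` begins before the hunk.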
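Review bot: The container-level securityContext sets only `allowPrivilegeEscalation: false` and leaves the runtime's default capability set in place, so the process still starts with those capabilities even though it now runs unprivileged; the usual companion is `capabilities:` with `drop: ["ALL"]`, which together with the non-root UID from the pod spec is what the Kubernetes restricted pod security profile expects. Unlike the pod-level block in the first hunk, this one is hard-coded rather than rendered from values, so operators cannot extend it (for example with a seccomp profile) without forking the template; consider rendering it from a values map (the chart defines no such key yet, so the name would be new). The `containers:` entry this belongs to begins before the hunk.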
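Review bot: The `@param` descriptions are hard to parse as written; `## @param runAsUser UID that the VaultWarden (and backup) containers run as` and `## @param runAsGroup GID that the VaultWarden (and backup) containers run as` read as the rest of the file's `@param` lines presumably do, and the trailing `## Same as default user for vaultwarden-backup` describes a user under a key that is a group, which looks like a copy-paste remnant. A one-line upgrade caveat next to `runAsUser: 1100` is also worth adding: data volumes written by an earlier release under the previous UID may carry ownership that UID 1100 cannot read, and `fsGroup` only adjusts group ownership on volumes that support it, so existing installs may need ownership fixed before switching. Whether the backup container referenced in these comments actually honours these values cannot be confirmed from this diff.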