Update all helm modules and charts to be compatible with the restricted PSS
Open, High, Public

Description

We need to update all helm chart modules (and all charts ofc.) to be compatible with the restricted PSS profile.

As far as I can tell rn this is mostly adding a proper securityContext to all containers:

securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault

There is another "update everything" task at: T346638: Rename the envoy's uses_ingress option to sets_sni to cross check for synergy effects...

Missing charts/deployments:

  • spark-operator @BTullis || @brouberol
  • mediawiki-dev (we probably don't really need to do this, but might be wise for consistency)
  • mediawiki
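
An added example, not code from the task or from operations/deployment-charts: a checker for the four securityContext fields listed above, run over rendered manifests. It covers initContainers and the nested pod template of a CronJob, both easy to miss when patching a chart. Assumptions: manifests are already parsed into dicts, the sample manifests are constructed, and, following the upstream Pod Security Standards, runAsNonRoot and seccompProfile may be inherited from the pod-level securityContext and Localhost is accepted next to RuntimeDefault. The other restricted-profile rules (volume types, host namespaces, added capabilities) are not checked.

```python
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}

def pod_spec(manifest):
    """Return the pod spec of a Pod, a pod-template workload or a CronJob."""
    kind, spec = manifest.get("kind"), manifest.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":  # pod template sits one level deeper
        spec = spec.get("jobTemplate", {}).get("spec", {})
    return spec.get("template", {}).get("spec", {})

def effective(container_sc, pod_sc, key):
    """Container-level value wins; fall back to the pod-level value."""
    value = container_sc.get(key)
    return pod_sc.get(key) if value is None else value

def violations(manifest):
    """List (container name, problem) pairs for the four fields in the task."""
    pod = pod_spec(manifest)
    pod_sc = pod.get("securityContext") or {}
    found = []
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for c in pod.get(field) or []:
            sc = c.get("securityContext") or {}
            problems = []
            # These two can only be set per container, never inherited.
            if sc.get("allowPrivilegeEscalation") is not False:
                problems.append("allowPrivilegeEscalation must be false")
            if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
                problems.append("capabilities.drop must include ALL")
            if effective(sc, pod_sc, "runAsNonRoot") is not True:
                problems.append("runAsNonRoot must be true")
            seccomp = effective(sc, pod_sc, "seccompProfile") or {}
            if seccomp.get("type") not in ALLOWED_SECCOMP:
                problems.append("seccompProfile.type must be RuntimeDefault")
            found += [(c.get("name"), p) for p in problems]
    return found

RESTRICTED = {  # the securityContext from the task description
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
    "runAsNonRoot": True,
    "seccompProfile": {"type": "RuntimeDefault"},
}
DEPLOYMENT = {  # constructed sample: main container patched, sidecar forgotten
    "kind": "Deployment",
    "spec": {"template": {"spec": {"containers": [
        {"name": "app", "securityContext": RESTRICTED},
        {"name": "sidecar"},
    ]}}},
}
CRONJOB = {  # constructed sample: two fields inherited from the pod level
    "kind": "CronJob",
    "spec": {"jobTemplate": {"spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "job", "securityContext": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]}}}],
    }}}}},
}

if __name__ == "__main__":
    for manifest in (DEPLOYMENT, CRONJOB):
        print(manifest["kind"], violations(manifest) or "ok")
```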

Event Timeline

Change #1026556 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] modules: Add restrictedSecurityContext to statsd

https://gerrit.wikimedia.org/r/1026556

Change #1026555 merged by jenkins-bot:

[operations/deployment-charts@master] New version of statds module

https://gerrit.wikimedia.org/r/1026555

Change #1026556 merged by jenkins-bot:

[operations/deployment-charts@master] modules: Add restrictedSecurityContext to statsd

https://gerrit.wikimedia.org/r/1026556

Change #1026954 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/deployment-charts@master] kserve-inference: add securityContext explicit config

https://gerrit.wikimedia.org/r/1026954

Change #1027050 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] mathoid: add securityContext to all containers

https://gerrit.wikimedia.org/r/1027050

Change #1027050 merged by jenkins-bot:

[operations/deployment-charts@master] mathoid: add securityContext to all containers

https://gerrit.wikimedia.org/r/1027050

Change #1028604 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] apertium: add securityContext to all containers

https://gerrit.wikimedia.org/r/1028604

Change #1028605 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] api-gateway: add securityContext to all containers

https://gerrit.wikimedia.org/r/1028605

Change #1028604 merged by jenkins-bot:

[operations/deployment-charts@master] apertium: add securityContext to all containers

https://gerrit.wikimedia.org/r/1028604

Change #1028910 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] benthos: add securityContext to all containers

https://gerrit.wikimedia.org/r/1028910

Change #1028911 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] blubberoid: add securityContext to all containers

https://gerrit.wikimedia.org/r/1028911

Change #1028605 merged by jenkins-bot:

[operations/deployment-charts@master] api-gateway: add securityContext to all containers

https://gerrit.wikimedia.org/r/1028605

Change #1030190 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] changeprop: add securityContext to all containers

https://gerrit.wikimedia.org/r/1030190

Change #1030191 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] citoid: add securityContext to all containers

https://gerrit.wikimedia.org/r/1030191

Change #1030195 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] cxserver: add securityContext to all containers

https://gerrit.wikimedia.org/r/1030195

Change #1028911 merged by jenkins-bot:

[operations/deployment-charts@master] blubberoid: add securityContext to all containers

https://gerrit.wikimedia.org/r/1028911

Change #1031105 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] DNM: ipiod: ensure all containers have securityContext

https://gerrit.wikimedia.org/r/1031105

Change #1031497 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] aqs-http-gateway: add securityContext to all containers

https://gerrit.wikimedia.org/r/1031497

Change #1028910 merged by jenkins-bot:

[operations/deployment-charts@master] benthos: adopt securityContext and base.external-services-networkpolicy

https://gerrit.wikimedia.org/r/1028910

Change #1032519 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] push-notifications: add securityContext to all containers

https://gerrit.wikimedia.org/r/1032519

Change #1032523 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] zotero: Update various modules

https://gerrit.wikimedia.org/r/1032523

Change #1032524 had a related patch set uploaded (by RLazarus; author: RLazarus):

[operations/deployment-charts@master] tegola-vector-tiles: Dependency updates

https://gerrit.wikimedia.org/r/1032524

Change #1032525 had a related patch set uploaded (by Clément Goubert; author: Clément Goubert):

[operations/deployment-charts@master] miscweb: Update various modules

https://gerrit.wikimedia.org/r/1032525

Change #1032523 merged by jenkins-bot:

[operations/deployment-charts@master] zotero: Ensure containers have a securityContext

https://gerrit.wikimedia.org/r/1032523

Change #1032714 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] [WIP] Global update of test-service-checker template

https://gerrit.wikimedia.org/r/1032714

Change #1032764 had a related patch set uploaded (by Kamila Součková; author: Kamila Součková):

[operations/deployment-charts@master] recommendation-api: add securityContext

https://gerrit.wikimedia.org/r/1032764

Change #1032779 had a related patch set uploaded (by Alexandros Kosiaris; author: Alexandros Kosiaris):

[operations/deployment-charts@master] mobileapps: Use mesh modules version enabling IPv6

https://gerrit.wikimedia.org/r/1032779

Change #1032779 merged by jenkins-bot:

[operations/deployment-charts@master] mobileapps: Use mesh modules version enabling IPv6

https://gerrit.wikimedia.org/r/1032779

Change #1030191 merged by jenkins-bot:

[operations/deployment-charts@master] citoid: add securityContext to all containers

https://gerrit.wikimedia.org/r/1030191

Change #1030195 merged by jenkins-bot:

[operations/deployment-charts@master] cxserver: add securityContext to all containers

https://gerrit.wikimedia.org/r/1030195

Change #1032764 merged by jenkins-bot:

[operations/deployment-charts@master] recommendation-api: add securityContext

https://gerrit.wikimedia.org/r/1032764

Change #1031497 merged by jenkins-bot:

[operations/deployment-charts@master] aqs-http-gateway: add securityContext to all containers

https://gerrit.wikimedia.org/r/1031497

Change #1035017 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] Revert "aqs-http-gateway: add securityContext to all containers"

https://gerrit.wikimedia.org/r/1035017

Change #1035017 merged by jenkins-bot:

[operations/deployment-charts@master] Revert "aqs-http-gateway: add securityContext to all containers"

https://gerrit.wikimedia.org/r/1035017

Change #1035020 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] aqs-http-gateway: no-op chart version bump after revert

https://gerrit.wikimedia.org/r/1035020

Change #1035020 merged by jenkins-bot:

[operations/deployment-charts@master] aqs-http-gateway: no-op chart version bump after revert

https://gerrit.wikimedia.org/r/1035020

Change #1035466 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] aqs-http-gateway: add securityContext to all containers (attempt 2)

https://gerrit.wikimedia.org/r/1035466

Change #1035466 merged by jenkins-bot:

[operations/deployment-charts@master] aqs-http-gateway: add securityContext to all containers (attempt 2)

https://gerrit.wikimedia.org/r/1035466

Change #1032524 merged by jenkins-bot:

[operations/deployment-charts@master] tegola-vector-tiles: Add securityContext and update dependencies

https://gerrit.wikimedia.org/r/1032524

Change #1037162 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] function-evaluator: ensure all containers have securityContext

https://gerrit.wikimedia.org/r/1037162

Change #1037163 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] function-orchestrator: ensure all containers have securityContext

https://gerrit.wikimedia.org/r/1037163

Change #1037164 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] wikifeeds: ensure all containers have securityContext

https://gerrit.wikimedia.org/r/1037164

Change #1037165 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] toolhub: ensure all containers have securityContext

https://gerrit.wikimedia.org/r/1037165

Change #1037166 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] thumbor: add securityContext to all containers

https://gerrit.wikimedia.org/r/1037166

Change #1037193 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] termbox: add securityContext to all containers

https://gerrit.wikimedia.org/r/1037193

Change #1037194 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] similar-users: add securityContext to all containers

https://gerrit.wikimedia.org/r/1037194

Change #1037195 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] kask: add securityContext to all containers

https://gerrit.wikimedia.org/r/1037195

Change #1037196 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] chromium-render: add securityContext to all containers

https://gerrit.wikimedia.org/r/1037196

Change #1037615 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] shellbox: add securityContext to all containers

https://gerrit.wikimedia.org/r/1037615

Change #1037861 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] eventstreams: add securityContext to all production containers

https://gerrit.wikimedia.org/r/1037861

Change #1030190 merged by jenkins-bot:

[operations/deployment-charts@master] changeprop: add securityContext to all containers

https://gerrit.wikimedia.org/r/1030190

Change #1031105 merged by jenkins-bot:

[operations/deployment-charts@master] ipoid: ensure all containers have securityContext

https://gerrit.wikimedia.org/r/1031105

Change #1039727 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] flink-app: Update various modules

https://gerrit.wikimedia.org/r/1039727

Change #1037194 abandoned by Scott French:

[operations/deployment-charts@master] similar-users: add securityContext to all containers

Reason:

Turndown planned in https://phabricator.wikimedia.org/T345274

https://gerrit.wikimedia.org/r/1037194

Change #1039727 merged by jenkins-bot:

[operations/deployment-charts@master] flink-app: Update various modules

https://gerrit.wikimedia.org/r/1039727

Change #1032525 merged by jenkins-bot:

[operations/deployment-charts@master] miscweb: Update various modules

https://gerrit.wikimedia.org/r/1032525

Change #1037196 merged by jenkins-bot:

[operations/deployment-charts@master] chromium-render: add securityContext to all containers

https://gerrit.wikimedia.org/r/1037196

Change #1040220 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] admin_ng: bump CPU resourcequota for proton

https://gerrit.wikimedia.org/r/1040220

Change #1040221 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] proton: drop replicas from 12 to 10

https://gerrit.wikimedia.org/r/1040221

Change #1032519 merged by jenkins-bot:

[operations/deployment-charts@master] push-notifications: add securityContext to all containers

https://gerrit.wikimedia.org/r/1032519

Change #1037163 merged by jenkins-bot:

[operations/deployment-charts@master] function-orchestrator: ensure all containers have securityContext

https://gerrit.wikimedia.org/r/1037163

Change #1037162 merged by jenkins-bot:

[operations/deployment-charts@master] function-evaluator: ensure all containers have securityContext

https://gerrit.wikimedia.org/r/1037162

Change #1041076 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] calculator-service: add securityContext to all containers

https://gerrit.wikimedia.org/r/1041076

Change #1041070 merged by Brouberol:

[operations/deployment-charts@master] spark-history: add securityContext to all containers

https://gerrit.wikimedia.org/r/1041070

Change #1041071 merged by Brouberol:

[operations/deployment-charts@master] echoserver: add securityContext to all containers

https://gerrit.wikimedia.org/r/1041071

Change #1041119 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] datasets-config: add securityContext to all containers

https://gerrit.wikimedia.org/r/1041119

Change #1041120 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] mpic: add securityContext to all containers

https://gerrit.wikimedia.org/r/1041120

Change #1041120 merged by Brouberol:

[operations/deployment-charts@master] mpic: add securityContext to all containers

https://gerrit.wikimedia.org/r/1041120

Change #1041119 merged by Brouberol:

[operations/deployment-charts@master] datasets-config: add securityContext to all containers

https://gerrit.wikimedia.org/r/1041119

Change #1040221 merged by jenkins-bot:

[operations/deployment-charts@master] proton: drop replicas from 12 to 10

https://gerrit.wikimedia.org/r/1040221

Change #1040220 merged by jenkins-bot:

[operations/deployment-charts@master] admin_ng: bump CPU resourcequota for proton

https://gerrit.wikimedia.org/r/1040220

Change #1041161 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] flink-operator: add securityContext

https://gerrit.wikimedia.org/r/1041161

Change #1037165 merged by jenkins-bot:

[operations/deployment-charts@master] toolhub: ensure all containers have securityContext

https://gerrit.wikimedia.org/r/1037165

Change #1041049 merged by jenkins-bot:

[operations/deployment-charts@master] linkrecommendation: add securityContext to all containers

https://gerrit.wikimedia.org/r/1041049

Change #1041039 merged by jenkins-bot:

[operations/deployment-charts@master] developer-portal: add securityContext to all containers

https://gerrit.wikimedia.org/r/1041039

Change #1041055 merged by jenkins-bot:

[operations/deployment-charts@master] machinetranslation: add securityContext to all containers

https://gerrit.wikimedia.org/r/1041055

Change #1041072 merged by jenkins-bot:

[operations/deployment-charts@master] python-webapp: add securityContext to all containers

https://gerrit.wikimedia.org/r/1041072

Change #1037164 merged by jenkins-bot:

[operations/deployment-charts@master] wikifeeds: ensure all containers have securityContext

https://gerrit.wikimedia.org/r/1037164

Change #1041076 merged by jenkins-bot:

[operations/deployment-charts@master] calculator-service: add securityContext to all containers

https://gerrit.wikimedia.org/r/1041076

Change #1037193 merged by jenkins-bot:

[operations/deployment-charts@master] termbox: add securityContext to all containers

https://gerrit.wikimedia.org/r/1037193

Change #1041161 merged by jenkins-bot:

[operations/deployment-charts@master] flink-operator: add securityContext

https://gerrit.wikimedia.org/r/1041161

Change #1037615 merged by jenkins-bot:

[operations/deployment-charts@master] shellbox: add securityContext to all containers

https://gerrit.wikimedia.org/r/1037615

Change #1038859 merged by jenkins-bot:

[operations/deployment-charts@master] mcrouter: Bump chart modules

https://gerrit.wikimedia.org/r/1038859

Change #1037861 merged by jenkins-bot:

[operations/deployment-charts@master] eventstreams: add securityContext to all production containers

https://gerrit.wikimedia.org/r/1037861

Change #1037195 merged by jenkins-bot:

[operations/deployment-charts@master] kask: add securityContext to all containers

https://gerrit.wikimedia.org/r/1037195

Change #1042256 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] toolhub: Add missing securityContext to CronJob

https://gerrit.wikimedia.org/r/1042256

Change #1032714 merged by jenkins-bot:

[operations/deployment-charts@master] Global update of test-service-checker template

https://gerrit.wikimedia.org/r/1032714

Change #1042256 merged by jenkins-bot:

[operations/deployment-charts@master] toolhub: Add missing securityContext to CronJob

https://gerrit.wikimedia.org/r/1042256

Change #1042440 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] mediawiki: add securityContext to all containers

https://gerrit.wikimedia.org/r/1042440

Change #1042838 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] spark-operator: add securityContext to all containers

https://gerrit.wikimedia.org/r/1042838

Change #1042838 merged by Brouberol:

[operations/deployment-charts@master] spark-operator: add securityContext to all containers

https://gerrit.wikimedia.org/r/1042838

Change #1043846 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] mediawiki-dev: add securityContext to all containers

https://gerrit.wikimedia.org/r/1043846

Change #1043846 merged by jenkins-bot:

[operations/deployment-charts@master] mediawiki-dev: add securityContext to all containers

https://gerrit.wikimedia.org/r/1043846

Change #1046692 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] mediawiki: enable securityContext in all canaries

https://gerrit.wikimedia.org/r/1046692

Change #1046693 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] mediawiki: enable securityContext everywhere

https://gerrit.wikimedia.org/r/1046693