cyralinc · antoniomrfranco · Jul 26, 2024 · Jul 24, 2024 · Jul 25, 2024 · Jul 25, 2024
diff --git a/README.md b/README.md
@@ -96,19 +96,18 @@ The command removes all the Kubernetes components associated with the chart and
 | `serviceAccount.automountServiceAccountToken`       | Auto-mount the service account token in the pod                                                                                  | `true`           |
 | `rbac.create`                                       | Create Role and RoleBinding                                                                                                      | `true`           |
 | `rbac.rules`                                        | Custom RBAC rules to set                                                                                                         | `[]`             |
-| `podSecurityContext.enabled`                        | Enabled Cyral Sidecar pods' Security Context                                                                                     | `false`          |
+| `podSecurityContext.enabled`                        | Enabled Cyral Sidecar pods' Security Context                                                                                     | `true`           |
 | `podSecurityContext.fsGroupChangePolicy`            | Set filesystem group change policy                                                                                               | `Always`         |
 | `podSecurityContext.sysctls`                        | Set kernel settings using the sysctl interface                                                                                   | `[]`             |
 | `podSecurityContext.supplementalGroups`             | Set filesystem extra groups                                                                                                      | `[]`             |
 | `podSecurityContext.fsGroup`                        | Set Cyral Sidecar pod's Security Context fsGroup                                                                                 | `1001`           |
-| `containerSecurityContext.enabled`                  | Enabled containers' Security Context                                                                                             | `false`          |
+| `containerSecurityContext.enabled`                  | Enabled containers' Security Context                                                                                             | `true`           |
 | `containerSecurityContext.seLinuxOptions`           | Set SELinux options in container                                                                                                 | `nil`            |
-| `containerSecurityContext.runAsUser`                | Set containers' Security Context runAsUser                                                                                       | `1001`           |
+| `containerSecurityContext.runAsUser`                | Set containers' Security Context runAsUser                                                                                       | `65534`          |
 | `containerSecurityContext.runAsNonRoot`             | Set container's Security Context runAsNonRoot                                                                                    | `true`           |
 | `containerSecurityContext.privileged`               | Set container's Security Context privileged                                                                                      | `false`          |
 | `containerSecurityContext.readOnlyRootFilesystem`   | Set container's Security Context readOnlyRootFilesystem                                                                          | `false`          |
 | `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation                                                                        | `false`          |
-| `containerSecurityContext.capabilities.drop`        | List of capabilities to be dropped                                                                                               | `["ALL"]`        |
 | `containerSecurityContext.seccompProfile.type`      | Set container's Security Context seccomp profile                                                                                 | `RuntimeDefault` |
 | `containerPorts`                                    | Map of all ports inside Cyral Sidecar container                                                                                  | `{}`             |
 | `extraContainerPorts`                               | Array of additional container ports for the Cyral Sidecar container                                                              | `[]`             |

diff --git a/templates/deployment.yaml b/templates/deployment.yaml
@@ -45,6 +45,38 @@ spec:
       tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" $) | nindent 8 }}
       {{- end }}
       volumes:
+        - name: cyral-sidecar-supervisor
+          emptyDir: {}
+        - name: cyral-sidecar-fluentbit
+          emptyDir: {}
+        - name: cyral-sidecar-openresty
+          emptyDir: {}
+        - name: cyral-sidecar-openresty-local
+          emptyDir: {}
+        - name: cyral-sidecar-nginx
+          emptyDir: {}
+        - name: cyral-sidecar-ca-bundles
+          emptyDir: {}
+      initContainers:
+        - name: init-sidecar
+          image: {{ include "cyral.image" . }}
+          volumeMounts:
+            - name: cyral-sidecar-supervisor
+              mountPath: /supervisor-temp
+            - name: cyral-sidecar-fluentbit
+              mountPath: /fluentbit-temp
+            - name: cyral-sidecar-openresty-local
+              mountPath: /openresty-temp
+            - name: cyral-sidecar-nginx
+              mountPath: /nginx-temp
+          command:
+            - "sh"
+            - "-c"
+            - |
+              cp -R /etc/supervisor/. /supervisor-temp &&
+              cp -R /etc/fluent-bit/. /fluentbit-temp &&
+              cp -R /usr/local/openresty/. /openresty-temp &&
+              cp -R /etc/nginx/. /nginx-temp
       containers:
         - name: cyral-sidecar
           image: {{ include "cyral.image" . }}
@@ -134,6 +166,18 @@ spec:
           resources: {{- toYaml .Values.resources | nindent 12 }}
           {{- end }}
           volumeMounts:
+            - name: cyral-sidecar-supervisor
+              mountPath: /etc/supervisor
+            - name: cyral-sidecar-fluentbit
+              mountPath: /etc/fluent-bit
+            - name: cyral-sidecar-openresty
+              mountPath: /var/run/openresty
+            - name: cyral-sidecar-openresty-local
+              mountPath: /usr/local/openresty
+            - name: cyral-sidecar-nginx
+              mountPath: /etc/nginx
+            - name: cyral-sidecar-ca-bundles
+              mountPath: /etc/cyral/cyral-certificate-manager/bundles
             {{- if .Values.extraVolumeMounts }}
             {{- include "common.tplvalues.render" ( dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }}
             {{- end }}
diff --git a/values.yaml b/values.yaml
@@ -181,14 +181,16 @@ rbac:
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
 ## @param podSecurityContext.enabled Enabled Cyral Sidecar pods' Security Context
 ## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
-## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface
+## @param podSecurityContext.sysctls [array] Set kernel settings using the sysctl interface
 ## @param podSecurityContext.supplementalGroups Set filesystem extra groups
 ## @param podSecurityContext.fsGroup Set Cyral Sidecar pod's Security Context fsGroup
 ##
 podSecurityContext:
-  enabled: false
+  enabled: true
   fsGroupChangePolicy: Always
-  sysctls: []
+  sysctls:
+    - name: net.ipv4.ip_unprivileged_port_start
+      value: "0"
   supplementalGroups: []
   fsGroup: 1001
 ## Cyral Sidecar containers' Security Context.
@@ -200,19 +202,16 @@ podSecurityContext:
 ## @param containerSecurityContext.privileged Set container's Security Context privileged
 ## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
 ## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
-## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped
 ## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
 ##
 containerSecurityContext:
-  enabled: false
+  enabled: true
   seLinuxOptions: null
-  runAsUser: 1001
+  runAsUser: 65534
   runAsNonRoot: true
   privileged: false
   readOnlyRootFilesystem: false
   allowPrivilegeEscalation: false
-  capabilities:
-    drop: ["ALL"]
   seccompProfile:
     type: "RuntimeDefault"
 ## Configures the ports Cyral Sidecar listens on