diff --git a/stable/code-server/3.0.11/CHANGELOG.md b/stable/code-server/3.0.12/CHANGELOG.md
similarity index 88%
rename from stable/code-server/3.0.11/CHANGELOG.md
rename to stable/code-server/3.0.12/CHANGELOG.md
index 3d97c9cf49..7e34292a6e 100644
--- a/stable/code-server/3.0.11/CHANGELOG.md
+++ b/stable/code-server/3.0.12/CHANGELOG.md
@@ -1,6 +1,15 @@
# Changelog
+
+### [code-server-3.0.12](https://github.com/truecharts/apps/compare/code-server-3.0.11...code-server-3.0.12) (2022-04-04)
+
+#### Fix
+
+* correctly set the run-as-root things ([#2425](https://github.com/truecharts/apps/issues/2425))
+
+
+
### [code-server-3.0.11](https://github.com/truecharts/apps/compare/openvscode-server-1.0.10...code-server-3.0.11) (2022-04-03)
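Review bot: the new `#### Fix` entry, "correctly set the run-as-root things", does not say what changed for the operator. The values hunks in this same patch set `runAsUser: 0`, `runAsGroup: 0` and `runAsNonRoot: false`, so the entry should state that the container now runs as root by default. If the changelog is generated from the commit subject, reword the subject so the security-relevant change is visible to anyone upgrading from 3.0.11.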
@@ -88,12 +97,3 @@
* update helm general non-major helm releases ([#1999](https://github.com/truecharts/apps/issues/1999))
-
-
-### [code-server-2.1.28](https://github.com/truecharts/apps/compare/openvscode-server-0.0.27...code-server-2.1.28) (2022-02-28)
-
-#### Chore
-
-* rename `web_portal` to `open` ([#1957](https://github.com/truecharts/apps/issues/1957))
-* update docker general non-major ([#1980](https://github.com/truecharts/apps/issues/1980))
-
diff --git a/stable/code-server/3.0.11/CONFIG.md b/stable/code-server/3.0.12/CONFIG.md
similarity index 100%
rename from stable/code-server/3.0.11/CONFIG.md
rename to stable/code-server/3.0.12/CONFIG.md
diff --git a/stable/code-server/3.0.11/Chart.lock b/stable/code-server/3.0.12/Chart.lock
similarity index 80%
rename from stable/code-server/3.0.11/Chart.lock
rename to stable/code-server/3.0.12/Chart.lock
index 1f2f2793d3..b7ddcd97a1 100644
--- a/stable/code-server/3.0.11/Chart.lock
+++ b/stable/code-server/3.0.12/Chart.lock
@@ -3,4 +3,4 @@ dependencies:
repository: https://library-charts.truecharts.org
version: 9.2.7
digest: sha256:927fec2499d55b3de8a7522d936aaf4f21f668370deb33239fb06f12051ff5b1
-generated: "2022-04-03T15:54:16.360335891Z"
+generated: "2022-04-04T20:13:12.318829193Z"
diff --git a/stable/code-server/3.0.11/Chart.yaml b/stable/code-server/3.0.12/Chart.yaml
similarity index 97%
rename from stable/code-server/3.0.11/Chart.yaml
rename to stable/code-server/3.0.12/Chart.yaml
index 70b7fb66ef..fb29241231 100644
--- a/stable/code-server/3.0.11/Chart.yaml
+++ b/stable/code-server/3.0.12/Chart.yaml
@@ -21,7 +21,7 @@ name: code-server
sources:
- https://github.com/cdr/code-server
type: application
-version: 3.0.11
+version: 3.0.12
annotations:
truecharts.org/catagories: |
- media
diff --git a/stable/code-server/3.0.11/README.md b/stable/code-server/3.0.12/README.md
similarity index 100%
rename from stable/code-server/3.0.11/README.md
rename to stable/code-server/3.0.12/README.md
diff --git a/stable/code-server/3.0.11/app-readme.md b/stable/code-server/3.0.12/app-readme.md
similarity index 100%
rename from stable/code-server/3.0.11/app-readme.md
rename to stable/code-server/3.0.12/app-readme.md
diff --git a/stable/code-server/3.0.11/charts/common-9.2.7.tgz b/stable/code-server/3.0.12/charts/common-9.2.7.tgz
similarity index 100%
rename from stable/code-server/3.0.11/charts/common-9.2.7.tgz
rename to stable/code-server/3.0.12/charts/common-9.2.7.tgz
diff --git a/stable/code-server/3.0.11/helm-values.md b/stable/code-server/3.0.12/helm-values.md
similarity index 90%
rename from stable/code-server/3.0.11/helm-values.md
rename to stable/code-server/3.0.12/helm-values.md
index af5ae436f1..1b4e3e5d1e 100644
--- a/stable/code-server/3.0.11/helm-values.md
+++ b/stable/code-server/3.0.12/helm-values.md
@@ -21,8 +21,11 @@ You will, however, be able to use all values referenced in the common chart here
| image.tag | string | `"v4.2.0@sha256:82e2d802e59b26954096529aa08e83bebd2004da664fee9ab6c911e4f5ab6c48"` | |
| persistence.config.enabled | bool | `true` | |
| persistence.config.mountPath | string | `"/config"` | |
+| podSecurityContext.runAsGroup | int | `0` | |
+| podSecurityContext.runAsUser | int | `0` | |
| securityContext.allowPrivilegeEscalation | bool | `true` | |
| securityContext.readOnlyRootFilesystem | bool | `false` | |
+| securityContext.runAsNonRoot | bool | `false` | |
| service.main.ports.main.port | int | `10063` | |
| service.main.ports.main.targetPort | int | `8080` | |
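Review bot: the three added rows (`podSecurityContext.runAsGroup`, `podSecurityContext.runAsUser`, `securityContext.runAsNonRoot`) leave the description column empty. These are the values that make the workload run as UID/GID 0, alongside the already listed `securityContext.allowPrivilegeEscalation` of `true`, so the description cell should carry the reason root is required rather than stay blank.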
diff --git a/stable/code-server/3.0.11/ix_values.yaml b/stable/code-server/3.0.12/ix_values.yaml
similarity index 87%
rename from stable/code-server/3.0.11/ix_values.yaml
rename to stable/code-server/3.0.12/ix_values.yaml
index a61846e127..4b73bc242d 100644
--- a/stable/code-server/3.0.11/ix_values.yaml
+++ b/stable/code-server/3.0.12/ix_values.yaml
@@ -15,6 +15,11 @@ env: {}
securityContext:
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
+ runAsNonRoot: false
+
+podSecurityContext:
+ runAsUser: 0
+ runAsGroup: 0
service:
main:
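Review bot: the added `runAsNonRoot: false` and `podSecurityContext` block (`runAsUser: 0`, `runAsGroup: 0`) carry no rationale and no compensating restriction. Combined with the existing `allowPrivilegeEscalation: true` and `readOnlyRootFilesystem: false`, the container runs as root with a writable root filesystem. Add a YAML comment stating why code-server needs root here, and consider setting `capabilities.drop` in the same `securityContext`, since the scan in security.md already reports KSV003 for this container.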
diff --git a/stable/code-server/3.0.11/questions.yaml b/stable/code-server/3.0.12/questions.yaml
similarity index 99%
rename from stable/code-server/3.0.11/questions.yaml
rename to stable/code-server/3.0.12/questions.yaml
index f1976c6270..b7167a62bc 100644
--- a/stable/code-server/3.0.11/questions.yaml
+++ b/stable/code-server/3.0.12/questions.yaml
@@ -1464,12 +1464,12 @@ questions:
label: "Allow Privilege Escalation"
schema:
type: boolean
- default: false
+ default: true
- variable: runAsNonRoot
label: "runAsNonRoot"
schema:
type: boolean
- default: false
+ default: true
- variable: capabilities
label: "Capabilities"
schema:
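Review bot: the `runAsNonRoot` default flips from `false` to `true` here, which is the opposite of the `runAsNonRoot: false` that ix_values.yaml sets in this same patch. If this question feeds the same container that gets `runAsUser: 0`, a pod with `runAsNonRoot: true` and UID 0 is rejected by the kubelet at container start. Either keep this default at `false` to match ix_values.yaml, or confirm that this block at line 1464 belongs to a different container and say so in the commit message. The `allowPrivilegeEscalation` change to `true` in the same hunk does match ix_values.yaml.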
diff --git a/stable/code-server/3.0.11/security.md b/stable/code-server/3.0.12/security.md
similarity index 99%
rename from stable/code-server/3.0.11/security.md
rename to stable/code-server/3.0.12/security.md
index 29279b570c..785283b42f 100644
--- a/stable/code-server/3.0.11/security.md
+++ b/stable/code-server/3.0.12/security.md
@@ -22,6 +22,7 @@ hide:
| Kubernetes Security Check | KSV003 | Default capabilities not dropped | LOW | Expand...
The container should drop all default capabilities and add only those that are needed for its execution.
Container 'RELEASE-NAME-code-server' of Deployment 'RELEASE-NAME-code-server' should add 'ALL' to 'securityContext.capabilities.drop' | Expand...
https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
https://avd.aquasec.com/appshield/ksv003
|
| Kubernetes Security Check | KSV003 | Default capabilities not dropped | LOW | Expand...
The container should drop all default capabilities and add only those that are needed for its execution.
Container 'hostpatch' of Deployment 'RELEASE-NAME-code-server' should add 'ALL' to 'securityContext.capabilities.drop' | Expand...
https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
https://avd.aquasec.com/appshield/ksv003
|
| Kubernetes Security Check | KSV011 | CPU not limited | LOW | Expand...
Enforcing CPU limits prevents DoS via resource exhaustion.
Container 'hostpatch' of Deployment 'RELEASE-NAME-code-server' should set 'resources.limits.cpu' | Expand...
https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits
https://avd.aquasec.com/appshield/ksv011
|
+| Kubernetes Security Check | KSV012 | Runs as root user | MEDIUM | Expand...
'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.
Container 'RELEASE-NAME-code-server' of Deployment 'RELEASE-NAME-code-server' should set 'securityContext.runAsNonRoot' to true | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv012
|
| Kubernetes Security Check | KSV012 | Runs as root user | MEDIUM | Expand...
'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.
Container 'autopermissions' of Deployment 'RELEASE-NAME-code-server' should set 'securityContext.runAsNonRoot' to true | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv012
|
| Kubernetes Security Check | KSV012 | Runs as root user | MEDIUM | Expand...
'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.
Container 'hostpatch' of Deployment 'RELEASE-NAME-code-server' should set 'securityContext.runAsNonRoot' to true | Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv012
|
| Kubernetes Security Check | KSV014 | Root file system is not read-only | LOW | Expand...
An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.
Container 'RELEASE-NAME-code-server' of Deployment 'RELEASE-NAME-code-server' should set 'securityContext.readOnlyRootFilesystem' to true | Expand...
https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/
https://avd.aquasec.com/appshield/ksv014
|
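Review bot: the added KSV012 row for container 'RELEASE-NAME-code-server' is a new MEDIUM finding that this release introduces by setting `runAsNonRoot` to false, and nothing in the hunk marks it as accepted. If root is intentional, record the justification next to the finding. The neighbouring KSV003 and KSV014 rows for the same container (capabilities not dropped, root filesystem not read-only) become more significant once the process is UID 0 and are worth addressing in the same change.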
@@ -59,6 +60,8 @@ hide:
| Package | Vulnerability | Severity | Installed Version | Fixed Version | Links |
|:----------------|:------------------:|:-----------:|:------------------:|:-------------:|-----------------------------------------|
+| busybox | CVE-2022-28391 | UNKNOWN | 1.34.1-r4 | 1.34.1-r5 | Expand...
https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661
|
+| ssl_client | CVE-2022-28391 | UNKNOWN | 1.34.1-r4 | 1.34.1-r5 | Expand...
https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661
|
| zlib | CVE-2018-25032 | HIGH | 1.2.11-r3 | 1.2.12-r0 | Expand...
http://www.openwall.com/lists/oss-security/2022/03/25/2
http://www.openwall.com/lists/oss-security/2022/03/26/1
https://access.redhat.com/security/cve/CVE-2018-25032
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25032
https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531
https://github.com/madler/zlib/compare/v1.2.11...v1.2.12
https://github.com/madler/zlib/issues/605
https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html
https://nvd.nist.gov/vuln/detail/CVE-2018-25032
https://ubuntu.com/security/notices/USN-5355-1
https://ubuntu.com/security/notices/USN-5355-2
https://ubuntu.com/security/notices/USN-5359-1
https://www.debian.org/security/2022/dsa-5111
https://www.openwall.com/lists/oss-security/2022/03/24/1
https://www.openwall.com/lists/oss-security/2022/03/28/1
https://www.openwall.com/lists/oss-security/2022/03/28/3
|
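Review bot: the added busybox and ssl_client rows report CVE-2022-28391 at installed version 1.34.1-r4 while a fixed version, 1.34.1-r5, is listed, and the zlib row below them (CVE-2018-25032, HIGH) also has a fix available in 1.2.12-r0. The same two rows are added again in the next table. The patch only regenerates the report; it should either bump the affected image to one built with the fixed packages or note why the update is deferred.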
@@ -70,6 +73,8 @@ hide:
| Package | Vulnerability | Severity | Installed Version | Fixed Version | Links |
|:----------------|:------------------:|:-----------:|:------------------:|:-------------:|-----------------------------------------|
+| busybox | CVE-2022-28391 | UNKNOWN | 1.34.1-r4 | 1.34.1-r5 | Expand...
https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661
|
+| ssl_client | CVE-2022-28391 | UNKNOWN | 1.34.1-r4 | 1.34.1-r5 | Expand...
https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661
|
| zlib | CVE-2018-25032 | HIGH | 1.2.11-r3 | 1.2.12-r0 | Expand...
http://www.openwall.com/lists/oss-security/2022/03/25/2
http://www.openwall.com/lists/oss-security/2022/03/26/1
https://access.redhat.com/security/cve/CVE-2018-25032
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25032
https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531
https://github.com/madler/zlib/compare/v1.2.11...v1.2.12
https://github.com/madler/zlib/issues/605
https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html
https://nvd.nist.gov/vuln/detail/CVE-2018-25032
https://ubuntu.com/security/notices/USN-5355-1
https://ubuntu.com/security/notices/USN-5355-2
https://ubuntu.com/security/notices/USN-5359-1
https://www.debian.org/security/2022/dsa-5111
https://www.openwall.com/lists/oss-security/2022/03/24/1
https://www.openwall.com/lists/oss-security/2022/03/28/1
https://www.openwall.com/lists/oss-security/2022/03/28/3
|
diff --git a/stable/code-server/3.0.11/templates/common.yaml b/stable/code-server/3.0.12/templates/common.yaml
similarity index 100%
rename from stable/code-server/3.0.11/templates/common.yaml
rename to stable/code-server/3.0.12/templates/common.yaml
diff --git a/stable/code-server/3.0.11/values.yaml b/stable/code-server/3.0.12/values.yaml
similarity index 100%
rename from stable/code-server/3.0.11/values.yaml
rename to stable/code-server/3.0.12/values.yaml