diff --git a/stable/code-server/3.0.11/CHANGELOG.md b/stable/code-server/3.0.12/CHANGELOG.md
similarity index 88%
rename from stable/code-server/3.0.11/CHANGELOG.md
rename to stable/code-server/3.0.12/CHANGELOG.md
index 3d97c9cf49..7e34292a6e 100644
--- a/stable/code-server/3.0.11/CHANGELOG.md
+++ b/stable/code-server/3.0.12/CHANGELOG.md
@@ -1,6 +1,15 @@ # Changelog
+ +### [code-server-3.0.12](https://github.com/truecharts/apps/compare/code-server-3.0.11...code-server-3.0.12) (2022-04-04) + +#### Fix + +* correctly set the run-as-root things ([#2425](https://github.com/truecharts/apps/issues/2425)) + + + ### [code-server-3.0.11](https://github.com/truecharts/apps/compare/openvscode-server-1.0.10...code-server-3.0.11) (2022-04-03) @@ -88,12 +97,3 @@ * update helm general non-major helm releases ([#1999](https://github.com/truecharts/apps/issues/1999)) - - -### [code-server-2.1.28](https://github.com/truecharts/apps/compare/openvscode-server-0.0.27...code-server-2.1.28) (2022-02-28) - -#### Chore - -* rename `web_portal` to `open` ([#1957](https://github.com/truecharts/apps/issues/1957)) -* update docker general non-major ([#1980](https://github.com/truecharts/apps/issues/1980)) - diff --git a/stable/code-server/3.0.11/CONFIG.md b/stable/code-server/3.0.12/CONFIG.md similarity index 100% rename from stable/code-server/3.0.11/CONFIG.md rename to stable/code-server/3.0.12/CONFIG.md diff --git a/stable/code-server/3.0.11/Chart.lock b/stable/code-server/3.0.12/Chart.lock similarity index 80% rename from stable/code-server/3.0.11/Chart.lock rename to stable/code-server/3.0.12/Chart.lock index 1f2f2793d3..b7ddcd97a1 100644 --- a/stable/code-server/3.0.11/Chart.lock +++ b/stable/code-server/3.0.12/Chart.lock @@ -3,4 +3,4 @@ dependencies: repository: https://library-charts.truecharts.org version: 9.2.7 digest: sha256:927fec2499d55b3de8a7522d936aaf4f21f668370deb33239fb06f12051ff5b1 -generated: "2022-04-03T15:54:16.360335891Z" +generated: "2022-04-04T20:13:12.318829193Z" diff --git a/stable/code-server/3.0.11/Chart.yaml b/stable/code-server/3.0.12/Chart.yaml similarity index 97% rename from stable/code-server/3.0.11/Chart.yaml rename to stable/code-server/3.0.12/Chart.yaml index 70b7fb66ef..fb29241231 100644 --- a/stable/code-server/3.0.11/Chart.yaml +++ b/stable/code-server/3.0.12/Chart.yaml 
@@ -21,7 +21,7 @@ name: code-server sources: - https://github.com/cdr/code-server type: application -version: 3.0.11 +version: 3.0.12 annotations: truecharts.org/catagories: | - media diff --git a/stable/code-server/3.0.11/README.md b/stable/code-server/3.0.12/README.md similarity index 100% rename from stable/code-server/3.0.11/README.md rename to stable/code-server/3.0.12/README.md diff --git a/stable/code-server/3.0.11/app-readme.md b/stable/code-server/3.0.12/app-readme.md similarity index 100% rename from stable/code-server/3.0.11/app-readme.md rename to stable/code-server/3.0.12/app-readme.md diff --git a/stable/code-server/3.0.11/charts/common-9.2.7.tgz b/stable/code-server/3.0.12/charts/common-9.2.7.tgz similarity index 100% rename from stable/code-server/3.0.11/charts/common-9.2.7.tgz rename to stable/code-server/3.0.12/charts/common-9.2.7.tgz diff --git a/stable/code-server/3.0.11/helm-values.md b/stable/code-server/3.0.12/helm-values.md similarity index 90% rename from stable/code-server/3.0.11/helm-values.md rename to stable/code-server/3.0.12/helm-values.md index af5ae436f1..1b4e3e5d1e 100644 --- a/stable/code-server/3.0.11/helm-values.md +++ b/stable/code-server/3.0.12/helm-values.md @@ -21,8 +21,11 @@ You will, however, be able to use all values referenced in the common chart here | image.tag | string | `"v4.2.0@sha256:82e2d802e59b26954096529aa08e83bebd2004da664fee9ab6c911e4f5ab6c48"` | | | persistence.config.enabled | bool | `true` | | | persistence.config.mountPath | string | `"/config"` | | +| podSecurityContext.runAsGroup | int | `0` | | +| podSecurityContext.runAsUser | int | `0` | | | securityContext.allowPrivilegeEscalation | bool | `true` | | | securityContext.readOnlyRootFilesystem | bool | `false` | | +| securityContext.runAsNonRoot | bool | `false` | | | service.main.ports.main.port | int | `10063` | | | service.main.ports.main.targetPort | int | `8080` | | 
diff --git a/stable/code-server/3.0.11/ix_values.yaml b/stable/code-server/3.0.12/ix_values.yaml similarity index 87% rename from stable/code-server/3.0.11/ix_values.yaml rename to stable/code-server/3.0.12/ix_values.yaml index a61846e127..4b73bc242d 100644 --- a/stable/code-server/3.0.11/ix_values.yaml +++ b/stable/code-server/3.0.12/ix_values.yaml @@ -15,6 +15,11 @@ env: {} securityContext: readOnlyRootFilesystem: false allowPrivilegeEscalation: true + runAsNonRoot: false + +podSecurityContext: + runAsUser: 0 + runAsGroup: 0 service: main: diff --git a/stable/code-server/3.0.11/questions.yaml b/stable/code-server/3.0.12/questions.yaml similarity index 99% rename from stable/code-server/3.0.11/questions.yaml rename to stable/code-server/3.0.12/questions.yaml index f1976c6270..b7167a62bc 100644 --- a/stable/code-server/3.0.11/questions.yaml +++ b/stable/code-server/3.0.12/questions.yaml @@ -1464,12 +1464,12 @@ questions: label: "Allow Privilege Escalation" schema: type: boolean - default: false + default: true - variable: runAsNonRoot label: "runAsNonRoot" schema: type: boolean - default: false + default: true - variable: capabilities label: "Capabilities" schema: diff --git a/stable/code-server/3.0.11/security.md b/stable/code-server/3.0.12/security.md similarity index 99% rename from stable/code-server/3.0.11/security.md rename to stable/code-server/3.0.12/security.md index 29279b570c..785283b42f 100644 --- a/stable/code-server/3.0.11/security.md +++ b/stable/code-server/3.0.12/security.md @@ -22,6 +22,7 @@ hide: | Kubernetes Security Check | KSV003 | Default capabilities not dropped | LOW |
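Review bot: The new `podSecurityContext.runAsUser: 0` / `runAsGroup: 0` together with `runAsNonRoot: false` and the pre-existing `allowPrivilegeEscalation: true` pins the code-server container to uid 0 with the least restrictive profile the common chart allows, and nothing in ix_values.yaml says why root is required. Since code-server exposes an interactive terminal to anyone who authenticates to the web UI, that terminal is now a root shell inside the container by default, so the reason should be recorded next to the setting, e.g. `# runs as uid 0: presumably the image entrypoint needs it to fix /config ownership and drop privileges itself — confirm before relaxing further`. The security.md in this same commit already reports KSV003 (default capabilities not dropped) for this container; with an explicit root user it is worth adding `capabilities: { drop: ["ALL"] }` under securityContext and adding back only what the entrypoint actually needs (likely CHOWN/SETUID/SETGID, to be verified), so that root in the container is not also root with a full capability set. Note that `allowPrivilegeEscalation: true` is carried over unchanged and is not needed for a process that already starts as uid 0 unless the entrypoint re-execs setuid binaries — that is inferred, not visible here.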
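Review bot: The UI default for `runAsNonRoot` is flipped to `true` here while ix_values.yaml in the same commit sets `securityContext.runAsNonRoot: false` and `podSecurityContext.runAsUser: 0`; if the questions.yaml answer is merged over ix_values (as TrueNAS app installs appear to do — to be confirmed), a pod with `runAsNonRoot: true` and `runAsUser: 0` is rejected by the kubelet at container creation rather than running as root. Either this default should be `default: false` to match ix_values.yaml, or the runAsUser/runAsGroup defaults must be non-zero, but the two files cannot both be right as written. Changing the "Allow Privilege Escalation" default to `true` in the UI is also the insecure direction for a flag whose safe value is false, so the question should at least get a `description:` explaining why code-server needs it so users understand the trade-off before accepting the default. The enclosing `securityContext` question group starts before and ends after this hunk.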
Expand... The container should drop all default capabilities and add only those that are needed for its execution.


Container 'RELEASE-NAME-code-server' of Deployment 'RELEASE-NAME-code-server' should add 'ALL' to 'securityContext.capabilities.drop'
|
Expand...https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
https://avd.aquasec.com/appshield/ksv003
| | Kubernetes Security Check | KSV003 | Default capabilities not dropped | LOW |
Expand... The container should drop all default capabilities and add only those that are needed for its execution.


Container 'hostpatch' of Deployment 'RELEASE-NAME-code-server' should add 'ALL' to 'securityContext.capabilities.drop'
|
Expand...https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
https://avd.aquasec.com/appshield/ksv003
| | Kubernetes Security Check | KSV011 | CPU not limited | LOW |
Expand... Enforcing CPU limits prevents DoS via resource exhaustion.


Container 'hostpatch' of Deployment 'RELEASE-NAME-code-server' should set 'resources.limits.cpu'
|
Expand...https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits
https://avd.aquasec.com/appshield/ksv011
| +| Kubernetes Security Check | KSV012 | Runs as root user | MEDIUM |
Expand... 'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.


Container 'RELEASE-NAME-code-server' of Deployment 'RELEASE-NAME-code-server' should set 'securityContext.runAsNonRoot' to true
|
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv012
| | Kubernetes Security Check | KSV012 | Runs as root user | MEDIUM |
Expand... 'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.


Container 'autopermissions' of Deployment 'RELEASE-NAME-code-server' should set 'securityContext.runAsNonRoot' to true
|
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv012
| | Kubernetes Security Check | KSV012 | Runs as root user | MEDIUM |
Expand... 'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.


Container 'hostpatch' of Deployment 'RELEASE-NAME-code-server' should set 'securityContext.runAsNonRoot' to true
|
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv012
| | Kubernetes Security Check | KSV014 | Root file system is not read-only | LOW |
Expand... An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.


Container 'RELEASE-NAME-code-server' of Deployment 'RELEASE-NAME-code-server' should set 'securityContext.readOnlyRootFilesystem' to true
|
Expand...https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/
https://avd.aquasec.com/appshield/ksv014
| @@ -59,6 +60,8 @@ hide: | Package | Vulnerability | Severity | Installed Version | Fixed Version | Links | |:----------------|:------------------:|:-----------:|:------------------:|:-------------:|-----------------------------------------| +| busybox | CVE-2022-28391 | UNKNOWN | 1.34.1-r4 | 1.34.1-r5 |
Expand...https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661
| +| ssl_client | CVE-2022-28391 | UNKNOWN | 1.34.1-r4 | 1.34.1-r5 |
Expand...https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661
| | zlib | CVE-2018-25032 | HIGH | 1.2.11-r3 | 1.2.12-r0 |
Expand...http://www.openwall.com/lists/oss-security/2022/03/25/2
http://www.openwall.com/lists/oss-security/2022/03/26/1
https://access.redhat.com/security/cve/CVE-2018-25032
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25032
https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531
https://github.com/madler/zlib/compare/v1.2.11...v1.2.12
https://github.com/madler/zlib/issues/605
https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html
https://nvd.nist.gov/vuln/detail/CVE-2018-25032
https://ubuntu.com/security/notices/USN-5355-1
https://ubuntu.com/security/notices/USN-5355-2
https://ubuntu.com/security/notices/USN-5359-1
https://www.debian.org/security/2022/dsa-5111
https://www.openwall.com/lists/oss-security/2022/03/24/1
https://www.openwall.com/lists/oss-security/2022/03/28/1
https://www.openwall.com/lists/oss-security/2022/03/28/3
| @@ -70,6 +73,8 @@ hide: | Package | Vulnerability | Severity | Installed Version | Fixed Version | Links | |:----------------|:------------------:|:-----------:|:------------------:|:-------------:|-----------------------------------------| +| busybox | CVE-2022-28391 | UNKNOWN | 1.34.1-r4 | 1.34.1-r5 |
Expand...https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661
| +| ssl_client | CVE-2022-28391 | UNKNOWN | 1.34.1-r4 | 1.34.1-r5 |
Expand...https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661
| | zlib | CVE-2018-25032 | HIGH | 1.2.11-r3 | 1.2.12-r0 |
Expand...http://www.openwall.com/lists/oss-security/2022/03/25/2
http://www.openwall.com/lists/oss-security/2022/03/26/1
https://access.redhat.com/security/cve/CVE-2018-25032
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25032
https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531
https://github.com/madler/zlib/compare/v1.2.11...v1.2.12
https://github.com/madler/zlib/issues/605
https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html
https://nvd.nist.gov/vuln/detail/CVE-2018-25032
https://ubuntu.com/security/notices/USN-5355-1
https://ubuntu.com/security/notices/USN-5355-2
https://ubuntu.com/security/notices/USN-5359-1
https://www.debian.org/security/2022/dsa-5111
https://www.openwall.com/lists/oss-security/2022/03/24/1
https://www.openwall.com/lists/oss-security/2022/03/28/1
https://www.openwall.com/lists/oss-security/2022/03/28/3
| diff --git a/stable/code-server/3.0.11/templates/common.yaml b/stable/code-server/3.0.12/templates/common.yaml similarity index 100% rename from stable/code-server/3.0.11/templates/common.yaml rename to stable/code-server/3.0.12/templates/common.yaml diff --git a/stable/code-server/3.0.11/values.yaml b/stable/code-server/3.0.12/values.yaml similarity index 100% rename from stable/code-server/3.0.11/values.yaml rename to stable/code-server/3.0.12/values.yaml