Merged
2 changes: 1 addition & 1 deletion charts/kured/Chart.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: v1
appVersion: "1.13.2"
description: A Helm chart for kured
name: kured
version: 4.7.0
version: 5.0.0
home: https://github.com/kubereboot/kured
maintainers:
- name: ckotzbauer
11 changes: 9 additions & 2 deletions charts/kured/README.md
Expand Up @@ -23,6 +23,13 @@ The command removes all the Kubernetes components associated with the chart and

## Upgrade Notes

### From 4.x to 5.x

We improved two security-related default-values:
- `hostNetwork` is set to `false` by default now.
- `readOnlyRootFilesystem` is set to `true` by default now.
Both parameters can be configured to its old values from 4.x

### From 3.x to 4.x

We have migrated the code and its release artifacts (helm charts, docker images, manifests) to an
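Review bot: The new "From 4.x to 5.x" note says both parameters can be set back to their 4.x values but never states what those values were. The other hunks show `hostNetwork` was `true` and `readOnlyRootFilesystem` was not set in values.yaml at all, so name both in the bullets and say how to get the old behaviour back. The closing sentence also follows the list with no blank line, so Markdown renders it as a continuation of the second bullet, and "its old values" should read "their old values".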
Expand Down Expand Up @@ -111,7 +118,7 @@ The following changes have been made compared to the stable chart:
| `serviceAccount.name` | Service account name to create (or use if `serviceAccount.create` is false) | (chart fullname) |
| `podSecurityPolicy.create` | Create podSecurityPolicy | `false` |
| `containerSecurityContext.privileged ` | Enables `privileged` in container-specific security context | `true` |
| `containerSecurityContext.allowPrivilegeEscalation`| Enables `allowPrivilegeEscalation` in container-specific security context. If not set it won't be configured. | |
| `containerSecurityContext.readOnlyRootFilesystem`| Enables `readOnlyRootFilesystem` in container-specific security context. If not set it won't be configured. | `true` |
| `resources` | Resources requests and limits. | `{}` |
| `metrics.create` | Create a ServiceMonitor for prometheus-operator | `false` |
| `metrics.namespace` | The namespace to create the ServiceMonitor in | `""` |
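Review bot: In the parameters table, the hunk header (-111,7 +118,7) means the `containerSecurityContext.allowPrivilegeEscalation` row is dropped and the `readOnlyRootFilesystem` row takes its place, yet values.yaml still carries the commented-out `allowPrivilegeEscalation` option. Keep the old row and add the new one below it. The new row also reuses "If not set it won't be configured" next to a default of `true`; reword it to say how to opt out of the default.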
Expand All @@ -128,7 +135,7 @@ The following changes have been made compared to the stable chart:
| `priorityClassName` | Priority Class to be used by the pods | `""` |
| `tolerations` | Tolerations to apply to the daemonset (eg to allow running on master) | `[{"key": "node-role.kubernetes.io/control-plane", "effect": "NoSchedule"}]` for Kubernetes 1.24.0 and greater, otherwise `[{"key": "node-role.kubernetes.io/master", "effect": "NoSchedule"}]`|
| `affinity` | Affinity for the daemonset (ie, restrict which nodes kured runs on) | `{}` |
| `hostNetwork` | Pod uses the host network instead of the cluster network | `true` |
| `hostNetwork` | Pod uses the host network instead of the cluster network | `false` |
| `nodeSelector` | Node Selector for the daemonset (ie, restrict which nodes kured runs on) | `{ "kubernetes.io/os": "linux" }` |
| `volumeMounts` | Maps of volumes mount to mount | `{}` |
| `volumes` | Maps of volumes to mount | `{}` |
3 changes: 2 additions & 1 deletion charts/kured/values.yaml
Expand Up @@ -70,11 +70,12 @@ podSecurityPolicy:

containerSecurityContext:
privileged: true # Give permission to nsenter /proc/1/ns/mnt
readOnlyRootFilesystem: true
# allowPrivilegeEscalation: true # Needed when using defaultAllowPrivilegedEscalation: false in psp

resources: {}

hostNetwork: true
hostNetwork: false

metrics:
create: false
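Review bot: `readOnlyRootFilesystem: true` is added under `containerSecurityContext` with no inline comment, while `privileged: true` directly above it documents its reason (nsenter into /proc/1/ns/mnt); the same goes for the flipped `hostNetwork: false`. Add a short comment on each new default saying what it guards against and when a user would need to revert it. Because the container stays `privileged: true`, the comment should not imply that the read-only root filesystem confines the container on its own.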