move to distroless images

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>

charts/kubescape-cloud-operator/templates/gateway/deployment.yaml

@@ -40,14 +40,17 @@ spec:
       imagePullSecrets:
       - name: {{ toYaml .Values.imagePullSecrets }}
       {{- end }}
+      securityContext:
+        runAsUser: 65532
+        fsGroup: 65532
       containers:
         - name: {{ .Values.gateway.name }}
           image: "{{ .Values.gateway.image.repository }}:{{ .Values.gateway.image.tag }}"
           imagePullPolicy: {{ .Values.gateway.image.pullPolicy }}
           securityContext:
             allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
             runAsNonRoot: true
-            runAsUser: 100            
           livenessProbe:
             httpGet:
               path: /v1/liveness

charts/kubescape-cloud-operator/templates/kubescape/deployment.yaml

@@ -45,14 +45,17 @@ spec:
       imagePullSecrets:
       - name: {{ toYaml .Values.imagePullSecrets }}
       {{- end }}
+      securityContext:
+        runAsUser: 65532
+        fsGroup: 65532
       containers:
       - name: kubescape
         image: "{{ .Values.kubescape.image.repository }}:{{ .Values.kubescape.image.tag }}"
         imagePullPolicy: "{{ .Values.kubescape.image.pullPolicy }}"
         securityContext:
           allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
           runAsNonRoot: true
-          runAsUser: 100
         ports:
           - name: http
             containerPort: 8080

charts/kubescape-cloud-operator/templates/kubevuln/deployment.yaml

@@ -42,8 +42,8 @@ spec:
       - name: {{ toYaml .Values.imagePullSecrets }}
       {{- end }}
       securityContext:
-        runAsUser: 100
-        fsGroup: 101
+        runAsUser: 65532
+        fsGroup: 65532
       containers:
         - name: {{ .Values.kubevuln.name }}
           image: "{{ .Values.kubevuln.image.repository }}:{{ .Values.kubevuln.image.tag }}"
@@ -100,12 +100,12 @@ spec:
             - name: tmp-dir
               mountPath: /tmp
             - name: grype-db-cache
-              mountPath: /home/ks/anchore-resources/db
+              mountPath: /home/nonroot/anchore-resources/db
             - name: {{ .Values.global.cloudConfig }}
               mountPath: /etc/config
               readOnly: true
-            - name: "grype-db"
-              mountPath: "/home/ks/.cache/grype"
+            - name: grype-db
+              mountPath: /home/nonroot/.cache/grype
 {{- if .Values.volumeMounts }}
 {{ toYaml .Values.volumeMounts | indent 12 }}
 {{- end }}

charts/kubescape-cloud-operator/templates/operator/deployment.yaml

@@ -42,6 +42,9 @@ spec:
       imagePullSecrets:
       - name: {{ toYaml .Values.imagePullSecrets }}
       {{- end }}
+      securityContext:
+        runAsUser: 65532
+        fsGroup: 65532
       containers:
         - name: {{ .Values.operator.name }}
           image: "{{ .Values.operator.image.repository }}:{{ .Values.operator.image.tag }}"
@@ -50,7 +53,6 @@ spec:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
             runAsNonRoot: true
-            runAsUser: 100
           ports:
             - name: "trigger-port"
               containerPort: 4002

charts/kubescape-cloud-operator/templates/storage/deployment.yaml

@@ -24,8 +24,18 @@ spec:
     spec:
       serviceAccountName: {{ .Values.storage.name }}
       securityContext:
-        runAsUser: 100
-        fsGroup: 101
+        runAsUser: 65532
+        fsGroup: 65532
+      initContainers:
+        - name: fix-permissions
+          image: busybox
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            runAsUser: 0
+          command: ["sh", "-c", "chown -Rc 65532:65532 /data"]
+          volumeMounts:
+            - name: "data"
+              mountPath: "/data"
       containers:
       - name: apiserver
         image: {{ printf "%s:%s" .Values.storage.image.repository .Values.storage.image.tag  | quote }}

charts/kubescape-cloud-operator/values.yaml

@@ -161,7 +161,7 @@ kubescape:
   image:
     # -- source code: https://github.com/kubescape/kubescape/tree/master/httphandler (public repo)
     repository: quay.io/kubescape/kubescape
-    tag: v2.3.8-hotfix
+    tag: v2.3.9-testing
     pullPolicy: IfNotPresent
 
   resources:
@@ -228,7 +228,7 @@ operator:
   image:
     # -- source code: https://github.com/kubescape/operator
     repository: quay.io/kubescape/operator
-    tag: v0.1.31-prerelease
+    tag: v0.1.35
     pullPolicy: IfNotPresent
 
   service:
@@ -311,7 +311,7 @@ kubevuln:
   image:
     # -- source code: https://github.com/kubescape/kubevuln
     repository: quay.io/kubescape/kubevuln
-    tag: v0.2.99
+    tag: v0.2.103
     pullPolicy: IfNotPresent
 
   replicaCount: 1
@@ -416,7 +416,7 @@ gateway:
   image:
     # -- source code: https://github.com/kubescape/gateway
     repository: quay.io/kubescape/gateway
-    tag: v0.1.13
+    tag: v0.1.14
     pullPolicy: IfNotPresent
 
   replicaCount: 1
@@ -560,9 +560,9 @@ storage:
 
   replicaCount: 1
   image:
-    pullPolicy: "IfNotPresent"
-    repository: "quay.io/kubescape/storage"
-    tag: "v0.0.8"
+    repository: quay.io/kubescape/storage
+    tag: v0.0.12
+    pullPolicy: IfNotPresent
 
 grypeOfflineDB:
   enabled: false
@@ -586,7 +586,7 @@ nodeAgent:
   name: node-agent
   image:
     repository: quay.io/kubescape/node-agent
-    tag: v0.1.93
+    tag: v0.1.96
     pullPolicy: IfNotPresent
 
   config: