feat(Glitchtip): add security context capabilites restriction

Signed-off-by: Philip Miglinci <[email protected]>

operator/src/main/kotlin/eu/glasskube/kubernetes/api/model/Creators.kt

@@ -2,6 +2,7 @@ package eu.glasskube.kubernetes.api.model
 
 import eu.glasskube.kubernetes.api.annotation.KubernetesDslMarker
 import io.fabric8.kubernetes.api.model.Affinity
+import io.fabric8.kubernetes.api.model.Capabilities
 import io.fabric8.kubernetes.api.model.ConfigMap
 import io.fabric8.kubernetes.api.model.ConfigMapEnvSource
 import io.fabric8.kubernetes.api.model.ConfigMapKeySelector
@@ -78,6 +79,10 @@ inline fun Container.securityContext(block: (@KubernetesDslMarker SecurityContex
     securityContext = SecurityContext().apply(block)
 }
 
+inline fun SecurityContext.capabilities(block: (@KubernetesDslMarker Capabilities).() -> Unit) {
+    capabilities = Capabilities().apply(block)
+}
+
 fun createEnv(block: (@KubernetesDslMarker MutableList<EnvVar>).() -> Unit) = mutableListOf<EnvVar>().apply(block)
 
 fun MutableList<EnvVar>.envVar(name: String, value: String) {

operator/src/main/kotlin/eu/glasskube/operator/apps/glitchtip/dependent/GlitchtipDeployment.kt

@@ -6,6 +6,7 @@ import eu.glasskube.kubernetes.api.model.apps.spec
 import eu.glasskube.kubernetes.api.model.apps.strategyRecreate
 import eu.glasskube.kubernetes.api.model.apps.strategyRollingUpdate
 import eu.glasskube.kubernetes.api.model.apps.template
+import eu.glasskube.kubernetes.api.model.capabilities
 import eu.glasskube.kubernetes.api.model.configMapRef
 import eu.glasskube.kubernetes.api.model.container
 import eu.glasskube.kubernetes.api.model.containerPort
@@ -149,7 +150,7 @@ class GlitchtipDeployment : CRUDKubernetesDependentResource<Deployment, Glitchti
                                 }
                             }
                             securityContext {
-//                                capabilities { drop = listOf("ALL") }
+                                capabilities { drop = listOf("ALL") }
                                 readOnlyRootFilesystem = true
                                 allowPrivilegeEscalation = false
                             }

operator/src/main/kotlin/eu/glasskube/operator/apps/glitchtip/dependent/GlitchtipWorkerDeployment.kt

@@ -6,6 +6,7 @@ import eu.glasskube.kubernetes.api.model.apps.spec
 import eu.glasskube.kubernetes.api.model.apps.strategyRecreate
 import eu.glasskube.kubernetes.api.model.apps.strategyRollingUpdate
 import eu.glasskube.kubernetes.api.model.apps.template
+import eu.glasskube.kubernetes.api.model.capabilities
 import eu.glasskube.kubernetes.api.model.configMapRef
 import eu.glasskube.kubernetes.api.model.container
 import eu.glasskube.kubernetes.api.model.emptyDir
@@ -23,7 +24,6 @@ import eu.glasskube.kubernetes.api.model.volume
 import eu.glasskube.kubernetes.api.model.volumeMount
 import eu.glasskube.kubernetes.api.model.volumeMounts
 import eu.glasskube.operator.Affinities
-import eu.glasskube.operator.apps.gitea.genericResourceName
 import eu.glasskube.operator.apps.glitchtip.Glitchtip
 import eu.glasskube.operator.apps.glitchtip.Glitchtip.Postgres.postgresSecretName
 import eu.glasskube.operator.apps.glitchtip.GlitchtipReconciler
@@ -33,7 +33,6 @@ import eu.glasskube.operator.apps.glitchtip.resourceLabelSelector
 import eu.glasskube.operator.apps.glitchtip.resourceLabels
 import eu.glasskube.operator.apps.glitchtip.secretName
 import eu.glasskube.operator.apps.glitchtip.workerName
-import eu.glasskube.operator.apps.nextcloud.resourceLabelSelector
 import io.fabric8.kubernetes.api.model.apps.Deployment
 import io.javaoperatorsdk.operator.api.reconciler.Context
 import io.javaoperatorsdk.operator.api.reconciler.ResourceIDMatcherDiscriminator
@@ -96,7 +95,7 @@ class GlitchtipWorkerDeployment : CRUDKubernetesDependentResource<Deployment, Gl
                                 }
                             }
                             securityContext {
-//                                capabilities { drop = listOf("ALL") }
+                                capabilities { drop = listOf("ALL") }
                                 readOnlyRootFilesystem = true
                                 allowPrivilegeEscalation = false
                             }