some ssecurity update (#1248)

https://streamnative.slack.com/archives/C0395H6FYE9/p1761266465891989?thread_ts=1760576774.500249&cid=C0395H6FYE9

- [x] Toolset needs to add liveness and readiness checks, runAsGroup
cannot be set to 0, secret volume should be 400 or 440
- [x] proxy statefulset runAsGroup cannot be set to 0, secret volume
should be 400 or 440

### Documentation

Check the box below.

Need to update docs? 

- [ ] `doc-required` 
  
  (If you need help on updating docs, create a doc issue)
  
- [x] `no-need-doc` 
  
  (Please explain why)
  
- [ ] `doc` 
  
  (If this PR contains doc changes)

---------

Signed-off-by: lili <lli@streamnative.io>

Author: urfreespace

charts/sn-platform-slim/templates/proxy/_proxy.tpl

@@ -48,11 +48,13 @@ Define proxy certs volumes
   secret:
   {{- if and .Values.certs.public_issuer.enabled (eq .Values.certs.public_issuer.type "acme") }}
     secretName: {{ .Values.certs.lets_encrypt.ca_ref.secretName }}
+    defaultMode: 0400
     items:
       - key: {{ .Values.certs.lets_encrypt.ca_ref.keyName }}
         path: ca.crt
   {{- else }}
     secretName: "{{ template "pulsar.tls.ca.secret.name" . }}"
+    defaultMode: 0400
     items:
       - key: ca.crt
         path: ca.crt
@@ -61,6 +63,7 @@ Define proxy certs volumes
 - name: proxy-certs
   secret:
     secretName: "{{ template "pulsar.proxy.tls.secret.name" . }}"
+    defaultMode: 0400
     items:
       - key: tls.crt
         path: tls.crt
@@ -71,6 +74,7 @@ Define proxy certs volumes
 - name: broker-ca
   secret:
     secretName: "{{ template "pulsar.tls.ca.secret.name" . }}"
+    defaultMode: 0400
     items:
       - key: ca.crt
         path: ca.crt

charts/sn-platform-slim/templates/toolset/_toolset.tpl

@@ -43,6 +43,7 @@ Define toolset token volumes
 - name: client-token
   secret:
     secretName: "{{ .Release.Name }}-token-{{ .Values.auth.superUsers.client }}"
+    defaultMode: 0400
     items:
       - key: TOKEN
         path: client/token
@@ -79,6 +80,7 @@ Define toolset tls certs volumes
 - name: toolset-certs
   secret:
     secretName: "{{ template "pulsar.toolset.tls.secret.name" . }}"
+    defaultMode: 0400
     items:
     - key: tls.crt
       path: tls.crt
@@ -87,6 +89,7 @@ Define toolset tls certs volumes
 - name: ca
   secret:
     secretName: "{{ template "pulsar.tls.ca.secret.name" . }}"
+    defaultMode: 0400
     items:
     - key: ca.crt
       path: ca.crt
@@ -97,11 +100,13 @@ Define toolset tls certs volumes
   secret:
   {{- if and .Values.certs.public_issuer.enabled (eq .Values.certs.public_issuer.type "acme") }}
     secretName: {{ .Values.certs.lets_encrypt.ca_ref.secretName }}
+    defaultMode: 0400
     items:
       - key: {{ .Values.certs.lets_encrypt.ca_ref.keyName }}
         path: ca.crt
   {{- else }}
     secretName: "{{ template "pulsar.tls.ca.secret.name" . }}"
+    defaultMode: 0400
     items:
       - key: ca.crt
         path: ca.crt

charts/sn-platform-slim/templates/toolset/toolset-statefulset.yaml

@@ -118,6 +118,26 @@ spec:
           bin/apply-config-from-env.py conf/bookkeeper.conf;
           {{- include "pulsar.toolset.zookeeper.tls.settings" . | nindent 10 }}
           sleep 10000000000
+        livenessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - "ps aux | grep -v grep | grep sleep"
+          initialDelaySeconds: 10
+          periodSeconds: 30
+          timeoutSeconds: 5
+          failureThreshold: 3
+        readinessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - "ps aux | grep -v grep | grep sleep"
+          initialDelaySeconds: 5
+          periodSeconds: 10
+          timeoutSeconds: 5
+          failureThreshold: 3
         envFrom:
         - configMapRef:
             name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"

charts/sn-platform-slim/values.yaml

@@ -1669,6 +1669,9 @@ proxy:
   annotations: {}
   securityContext:
     runAsNonRoot: true
+    runAsUser: 10000
+    runAsGroup: 10000
+    fsGroup: 10000
   tolerations: []
   gracePeriod: 30
   resources:
@@ -1811,6 +1814,9 @@ toolset:
       -XX:MaxDirectMemorySize=128M
   securityContext:
     runAsNonRoot: true
+    runAsUser: 10000
+    runAsGroup: 10000
+    fsGroup: 10000
   serviceAccount:
     # Specifies whether to use a service account to run this component
     use: true

charts/sn-platform/templates/proxy/_proxy.tpl

@@ -48,11 +48,13 @@ Define proxy certs volumes
   secret:
   {{- if and .Values.certs.public_issuer.enabled (eq .Values.certs.public_issuer.type "acme") }}
     secretName: {{ .Values.certs.lets_encrypt.ca_ref.secretName }}
+    defaultMode: 0400
     items:
       - key: {{ .Values.certs.lets_encrypt.ca_ref.keyName }}
         path: ca.crt
   {{- else }}
     secretName: "{{ template "pulsar.tls.ca.secret.name" . }}"
+    defaultMode: 0400
     items:
       - key: ca.crt
         path: ca.crt
@@ -61,6 +63,7 @@ Define proxy certs volumes
 - name: proxy-certs
   secret:
     secretName: "{{ template "pulsar.proxy.tls.secret.name" . }}"
+    defaultMode: 0400
     items:
       - key: tls.crt
         path: tls.crt
@@ -71,6 +74,7 @@ Define proxy certs volumes
 - name: broker-ca
   secret:
     secretName: "{{ template "pulsar.tls.ca.secret.name" . }}"
+    defaultMode: 0400
     items:
       - key: ca.crt
         path: ca.crt

charts/sn-platform/templates/toolset/_toolset.tpl

@@ -58,6 +58,7 @@ Define toolset token volumes
 - name: client-token
   secret:
     secretName: "{{ .Release.Name }}-token-{{ .Values.auth.superUsers.client }}"
+    defaultMode: 0400
     items:
       - key: TOKEN
         path: client/token
@@ -99,6 +100,7 @@ Define toolset tls certs volumes
 - name: toolset-certs
   secret:
     secretName: "{{ template "pulsar.toolset.tls.secret.name" . }}"
+    defaultMode: 0400
     items:
     - key: tls.crt
       path: tls.crt
@@ -107,6 +109,7 @@ Define toolset tls certs volumes
 - name: ca
   secret:
     secretName: "{{ template "pulsar.tls.ca.secret.name" . }}"
+    defaultMode: 0400
     items:
     - key: ca.crt
       path: ca.crt
@@ -123,11 +126,13 @@ Define toolset tls certs volumes
   secret:
   {{- if and .Values.certs.public_issuer.enabled (eq .Values.certs.public_issuer.type "acme") }}
     secretName: {{ .Values.certs.lets_encrypt.ca_ref.secretName }}
+    defaultMode: 0400
     items:
       - key: {{ .Values.certs.lets_encrypt.ca_ref.keyName }}
         path: ca.crt
   {{- else }}
     secretName: "{{ template "pulsar.tls.ca.secret.name" . }}"
+    defaultMode: 0400
     items:
       - key: ca.crt
         path: ca.crt

charts/sn-platform/templates/toolset/toolset-statefulset.yaml

@@ -118,6 +118,26 @@ spec:
           bin/apply-config-from-env.py conf/bookkeeper.conf;
           {{- include "pulsar.toolset.zookeeper.tls.settings" . | nindent 10 }}
           sleep 10000000000
+        livenessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - "ps aux | grep -v grep | grep sleep"
+          initialDelaySeconds: 10
+          periodSeconds: 30
+          timeoutSeconds: 5
+          failureThreshold: 3
+        readinessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - "ps aux | grep -v grep | grep sleep"
+          initialDelaySeconds: 5
+          periodSeconds: 10
+          timeoutSeconds: 5
+          failureThreshold: 3
         envFrom:
         - configMapRef:
             name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
@@ -162,6 +182,26 @@ spec:
           {{- include "pulsar.toolset.zookeeper.tls.settings" . | nindent 10 }}
           {{- include "pulsar.toolset.kafka.settings" . | nindent 10 }}
           sleep 10000000000
+        livenessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - "ps aux | grep -v grep | grep sleep"
+          initialDelaySeconds: 10
+          periodSeconds: 30
+          timeoutSeconds: 5
+          failureThreshold: 3
+        readinessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - "ps aux | grep -v grep | grep sleep"
+          initialDelaySeconds: 5
+          periodSeconds: 10
+          timeoutSeconds: 5
+          failureThreshold: 3
         envFrom:
         - configMapRef:
             name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"

charts/sn-platform/values.yaml

@@ -1745,6 +1745,9 @@ proxy:
   annotations: {}
   securityContext:
     runAsNonRoot: true
+    runAsUser: 10000
+    runAsGroup: 10000
+    fsGroup: 10000
   tolerations: []
   gracePeriod: 30
   resources:
@@ -1891,6 +1894,9 @@ toolset:
       -XX:MaxDirectMemorySize=128M
   securityContext:
     runAsNonRoot: true
+    runAsUser: 10000
+    runAsGroup: 10000
+    fsGroup: 10000
   serviceAccount:
     # Specifies whether to use a service account to run this component
     use: true