@yuvipanda
Created October 2, 2019 18:05
Secureish hub
```yaml
jupyterhub:
  prePuller:
    continuous:
      enabled: false
  scheduling:
    userScheduler:
      enabled: false
  hub:
    networkPolicy:
      enabled: true
    extraConfig:
      01-no-escalation: |
        c.KubeSpawner.extra_container_config = {
            'securityContext': {
                # Force container to run as uid 1000, regardless of what the image wants
                # Already set to be default
                'runAsUser': 1000,
                # No privilege escalation whatsoever, protects against setuid attacks
                # (like bugs in 'sudo')
                # This isn't the default but should be if runAsUser != 0
                'allowPrivilegeEscalation': False,
                # Make sure that 'root' inside container isn't really 'root' outside
                # container since most of the linux privileges it has are dropped.
                # This is already the default
                'privileged': False,
            }
        }
  proxy:
    networkPolicy:
      enabled: true
  singleuser:
    initContainers:
      - name: volume-mount-hack
        image: busybox
        command: ["sh", "-c", "id && chown 1000:1000 /home/jovyan && ls -lhd /home/jovyan"]
        securityContext:
          runAsUser: 0
          capabilities:
            add:
              - FOWNER
        volumeMounts:
          - name: home
            mountPath: /home/jovyan
            subPath: "_secureish-home/{username}"
    storage:
      type: static
      static:
        pvcName: home-nfs
        subPath: "_secureish-home/{username}"
    profileList:
      - display_name: PANGEO base image
        description: "Use the PANGEO base image"
        kubespawner_override:
          image: pangeo/pangeo-notebook:2019.08.08
      - display_name: Simple Python3 Image
        description: "Python3 and not much RAM"
        default: True
    # Extra denial of access to the kubernetes API, by explicitly unsetting service accounts
    # Is set to this by default
    serviceAccountName: null
    # Disable access to cloud metadata service, which can leak cloud credentials &
    # other metadata. Is set to this by default.
    cloudMetadata:
      enabled: false
    networkPolicy:
      # Whitelist DNS, HTTP & HTTPS as the only allowed outbound protocols
      # This protects against many possible attacks, including nfsspy
      enabled: true
      egress:
        - ports:
            - port: 53
              protocol: UDP
        - ports:
            - port: 80
              protocol: TCP
        - ports:
            - port: 443
              protocol: TCP

falco:
  customRules:
    rules-http-call: |
      - macro: container
        condition: container.id != host
      - macro: outbound
        condition: evt.type=connect and evt.dir=< and (fd.typechar=4 or fd.typechar=6)
      - macro: http_port
        condition: fd.sport=80
      - rule: http_request_made
        desc: Outbound request that was http
        condition: container and outbound and http_port
        output: "A HTTP request was made, should be HTTPS instead"
        priority: WARNING
```
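As an added example (not part of the gist), the following script audits the two hardening decisions the values above encode for user pods: the container securityContext (runAsUser, allowPrivilegeEscalation, privileged, evaluated against the Kubernetes defaults that apply when a field is omitted) and the egress allow-list. The two dicts are constructed to mirror the gist's settings; `audit_security_context` and `egress_allowed` are hypothetical helper names, not kubespawner or chart APIs.

```python
# Added example, not from the gist: audit the hardening the values file
# applies to user pods. The dicts below are constructed to mirror the gist's
# securityContext and egress rules; the function names are hypothetical.

SECURITY_CONTEXT = {
    "runAsUser": 1000,
    "allowPrivilegeEscalation": False,
    "privileged": False,
}

EGRESS = [
    {"ports": [{"port": 53, "protocol": "UDP"}]},
    {"ports": [{"port": 80, "protocol": "TCP"}]},
    {"ports": [{"port": 443, "protocol": "TCP"}]},
]


def audit_security_context(sc):
    """Return findings for a container securityContext, applying Kubernetes'
    defaults when a field is omitted: runAsUser unset (the image's USER,
    often root), allowPrivilegeEscalation True, privileged False."""
    findings = []
    uid = sc.get("runAsUser")
    if uid is None:
        findings.append("runAsUser unset: image USER decides, may be root")
    elif uid == 0:
        findings.append("runAsUser 0: process is root inside the container")
    if sc.get("allowPrivilegeEscalation", True):
        findings.append("allowPrivilegeEscalation: setuid binaries can gain privileges")
    if sc.get("privileged", False):
        findings.append("privileged: container has host-level privileges")
    return findings


def egress_allowed(egress, protocol, port):
    """True if a NetworkPolicy egress list permits protocol/port. A rule with
    no 'ports' key allows every port; the gist's rules all list ports."""
    for rule in egress:
        ports = rule.get("ports")
        if ports is None:
            return True
        for p in ports:
            if p.get("protocol", "TCP") == protocol and p.get("port") == port:
                return True
    return False


if __name__ == "__main__":
    print(audit_security_context(SECURITY_CONTEXT) or "securityContext: no findings")
    print("NFS egress allowed:", egress_allowed(EGRESS, "TCP", 2049))
```

The NFS check returns False even though home directories live on the `home-nfs` PVC: the kubelet mounts that volume on the node, so the user pod itself never needs to reach port 2049.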