From 135cb6fc693caa0bd26b6ea630bc0d552655a33e Mon Sep 17 00:00:00 2001
From: Enol Fernandez <enol.fernandez@egi.eu>
Date: Wed, 26 Feb 2025 12:01:15 +0000
Subject: [PATCH 1/6] Set some headers as recommended by Pentesting

---
 common/playbooks/k8s.yaml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/common/playbooks/k8s.yaml b/common/playbooks/k8s.yaml
index 2a0ce76..d00bacf 100644
--- a/common/playbooks/k8s.yaml
+++ b/common/playbooks/k8s.yaml
@@ -359,6 +359,12 @@
           --set controller.service.externalIPs={{ '{' + hostvars[groups['ingress'][0]].ansible_default_ipv4.address + '}' }}
           --set controller.config.proxy-body-size=0
           --set controller.allowSnippetAnnotations=false
+          --set controller.addHeaders.X-Content-Type-Options=nosniff
+          --set controller.addHeaders.Referrer-Policy=no-referrer
+          --set controller.addHeaders.Permissions-Policy="geolocation=()"
+          --set controller.addHeaders.="geolocation=()"
+          --set controller.addHeaders.Content-Security-Policy="frame-ancestors 'none'"
+          https://*.d4science.org 'self'"
           --version={{ version }}
       shell: |-
         helm status --namespace kube-system cluster-ingress
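Review bot: Two of the added lines are malformed: `--set controller.addHeaders.="geolocation=()"` has an empty header name, and `https://*.d4science.org 'self'"` is a dangling fragment ending in an unmatched double quote. If this scalar is passed to a shell as it appears, the unmatched quote would probably break the whole `helm` command, and the bare `*` is subject to globbing. Both lines should be dropped here, leaving `--set controller.addHeaders.Content-Security-Policy="frame-ancestors 'none'"` as the last header. Patches 2/6 and 3/6 remove them, so squashing those into this commit would avoid an intermediate revision that cannot deploy the ingress. The helm command block starts above the hunk, so how it is quoted and invoked is not visible here.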
-- 
GitLab


From ca3e12995cfb464249abbf052a17db8d32a9478f Mon Sep 17 00:00:00 2001
From: Enol Fernandez <enol.fernandez@egi.eu>
Date: Wed, 26 Feb 2025 14:05:03 +0000
Subject: [PATCH 2/6] Remove spurious line

---
 common/playbooks/k8s.yaml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/common/playbooks/k8s.yaml b/common/playbooks/k8s.yaml
index d00bacf..53586a0 100644
--- a/common/playbooks/k8s.yaml
+++ b/common/playbooks/k8s.yaml
@@ -364,7 +364,6 @@
           --set controller.addHeaders.Permissions-Policy="geolocation=()"
           --set controller.addHeaders.="geolocation=()"
           --set controller.addHeaders.Content-Security-Policy="frame-ancestors 'none'"
-          https://*.d4science.org 'self'"
           --version={{ version }}
       shell: |-
         helm status --namespace kube-system cluster-ingress
-- 
GitLab


From 19575e32d003b2ca7ca1f965902145cad95eef41 Mon Sep 17 00:00:00 2001
From: Enol Fernandez <enol.fernandez@egi.eu>
Date: Wed, 26 Feb 2025 14:49:00 +0000
Subject: [PATCH 3/6] Remove another spurious line

---
 common/playbooks/k8s.yaml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/common/playbooks/k8s.yaml b/common/playbooks/k8s.yaml
index 53586a0..f65da34 100644
--- a/common/playbooks/k8s.yaml
+++ b/common/playbooks/k8s.yaml
@@ -362,7 +362,6 @@
           --set controller.addHeaders.X-Content-Type-Options=nosniff
           --set controller.addHeaders.Referrer-Policy=no-referrer
           --set controller.addHeaders.Permissions-Policy="geolocation=()"
-          --set controller.addHeaders.="geolocation=()"
           --set controller.addHeaders.Content-Security-Policy="frame-ancestors 'none'"
           --version={{ version }}
       shell: |-
-- 
GitLab


From 0a2ddbb8873cf52e2a6458a5c8b9e5e655eee607 Mon Sep 17 00:00:00 2001
From: Enol Fernandez <enol.fernandez@egi.eu>
Date: Wed, 26 Feb 2025 14:53:22 +0000
Subject: [PATCH 4/6] Also add report-uri and default-src

---
 common/playbooks/k8s.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/common/playbooks/k8s.yaml b/common/playbooks/k8s.yaml
index f65da34..395faf1 100644
--- a/common/playbooks/k8s.yaml
+++ b/common/playbooks/k8s.yaml
@@ -362,7 +362,7 @@
           --set controller.addHeaders.X-Content-Type-Options=nosniff
           --set controller.addHeaders.Referrer-Policy=no-referrer
           --set controller.addHeaders.Permissions-Policy="geolocation=()"
-          --set controller.addHeaders.Content-Security-Policy="frame-ancestors 'none'"
+          --set controller.addHeaders.Content-Security-Policy="frame-ancestors 'none'; report-uri /hub/security/csp-report; default-src 'self'"
           --version={{ version }}
       shell: |-
         helm status --namespace kube-system cluster-ingress
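Review bot: `default-src 'self'` is set through `controller.addHeaders`, so it presumably reaches every response served by this ingress controller, not only the hub, while `report-uri /hub/security/csp-report` looks hub-specific. If a backend already sends its own `Content-Security-Policy`, browsers enforce both policies together, so this can only tighten things and may block inline scripts, styles or third-party assets that notebook front ends rely on. Consider keeping the enforced header at `frame-ancestors 'none'` and trialling the stricter part first with `--set controller.addHeaders.Content-Security-Policy-Report-Only="default-src 'self'; report-uri /hub/security/csp-report"`, promoting it once the reports are clean. A short comment above the line saying which pentest finding each directive answers would help later maintainers judge whether it can be relaxed.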
-- 
GitLab


From 3d50910595e73a55bf291394559be7e9b563c25c Mon Sep 17 00:00:00 2001
From: Enol Fernandez <enol.fernandez@egi.eu>
Date: Thu, 27 Feb 2025 12:20:48 +0000
Subject: [PATCH 5/6] Hide hub version

---
 common/playbooks/k8s.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/common/playbooks/k8s.yaml b/common/playbooks/k8s.yaml
index 395faf1..b719e41 100644
--- a/common/playbooks/k8s.yaml
+++ b/common/playbooks/k8s.yaml
@@ -358,6 +358,7 @@
           --set controller.service.type=NodePort
           --set controller.service.externalIPs={{ '{' + hostvars[groups['ingress'][0]].ansible_default_ipv4.address + '}' }}
           --set controller.config.proxy-body-size=0
+          --set controller.config.hide_headers='x-jupyterhub-version'
           --set controller.allowSnippetAnnotations=false
           --set controller.addHeaders.X-Content-Type-Options=nosniff
           --set controller.addHeaders.Referrer-Policy=no-referrer
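Review bot: The key in `--set controller.config.hide_headers='x-jupyterhub-version'` uses an underscore, but the ingress-nginx ConfigMap option is `hide-headers`. Helm accepts an unknown key without complaint, so the controller most likely ignores it and the version header still reaches clients. Patch 6/6 corrects the spelling, but nothing in the playbook would have caught the mistake. A follow-up task that requests the hub through the ingress and fails when `x-jupyterhub-version` appears in the response would turn this kind of silent no-op into a visible failure.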
-- 
GitLab


From 823627b4a3d651690a167e0d53b731d751e5cedf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jarom=C3=ADr=20Hradil?= <jaromir.hradil@cesnet.cz>
Date: Fri, 28 Feb 2025 13:53:30 +0100
Subject: [PATCH 6/6] Fixing character in config setting

---
 common/playbooks/k8s.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/common/playbooks/k8s.yaml b/common/playbooks/k8s.yaml
index b719e41..058919e 100644
--- a/common/playbooks/k8s.yaml
+++ b/common/playbooks/k8s.yaml
@@ -358,7 +358,7 @@
           --set controller.service.type=NodePort
           --set controller.service.externalIPs={{ '{' + hostvars[groups['ingress'][0]].ansible_default_ipv4.address + '}' }}
           --set controller.config.proxy-body-size=0
-          --set controller.config.hide_headers='x-jupyterhub-version'
+          --set controller.config.hide-headers='x-jupyterhub-version'
           --set controller.allowSnippetAnnotations=false
           --set controller.addHeaders.X-Content-Type-Options=nosniff
           --set controller.addHeaders.Referrer-Policy=no-referrer
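Review bot: `--set controller.config.hide-headers='x-jupyterhub-version'` works for one header, but Helm's `--set` treats an unescaped comma as a separator between assignments. Extending the list later (or adding a second feature to `Permissions-Policy`) would need each comma written as `\,`, or the value moved into a values file. A comment above the line such as `# helm --set splits on commas: escape as \, when listing several headers` would save the next editor from a value that is silently truncated.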
-- 
GitLab