Bitnami/charts
2
0
Fork 0
mirror of https://github.com/bitnami/charts.git synced 2026-03-16 06:47:30 +08:00
Code Issues Packages Projects Releases Wiki Activity

[bitnami/kiam] feat!: 🔒 💥 Improve security defaults (#24343)

Browse Source 
Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
This commit is contained in:
Javier J. Salmerón-García
2024-03-12 11:25:39 +01:00
committed by GitHub
parent af1588ed53
commit 03396c6155
4 changed files with 36 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
bitnami/kiam/Chart.lock
View File

@@ -1,6 +1,6 @@
dependencies:
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
version: 2.18.0
digest: sha256:f489ae7394a4eceb24fb702901483c67a5b4fff605f19d5e2545e3a6778e1280
generated: "2024-03-05T14:20:47.553557386+01:00"
version: 2.19.0
digest: sha256:ac559eb57710d8904e266424ee364cd686d7e24517871f0c5c67f7c4500c2bcc
generated: "2024-03-11T16:22:08.111313307+01:00"

2
bitnami/kiam/Chart.yaml
View File

@@ -28,4 +28,4 @@ maintainers:
name: kiam
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/kiam
version: 1.11.1
version: 2.0.0

37
bitnami/kiam/README.md
View File

@@ -60,12 +60,12 @@ The command removes all the Kubernetes components associated with the chart and
### Global parameters
| Name | Description | Value |
| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
| `global.imageRegistry` | Global Docker image registry | `""` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` |
| Name | Description | Value |
| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ |
| `global.imageRegistry` | Global Docker image registry | `""` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` |
### Common parameters
@@ -143,15 +143,15 @@ The command removes all the Kubernetes components associated with the chart and
| `server.assumeRoleArn` | IAM role for the server to assume | `""` |
| `server.sessionDuration` | Session duration for STS tokens | `15m` |
| `server.tlsCerts` | Agent TLS Certificate filenames | `{}` |
| `server.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if server.resources is set (server.resources is recommended for production). | `none` |
| `server.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if server.resources is set (server.resources is recommended for production). | `nano` |
| `server.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `server.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `server.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `server.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `server.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `server.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
| `server.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
| `server.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `false` |
| `server.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
| `server.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
| `server.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
| `server.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
| `server.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
| `server.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
@@ -286,15 +286,15 @@ The command removes all the Kubernetes components associated with the chart and
| `agent.gatewayTimeoutCreation` | Timeout when creating the kiam gateway | `1s` |
| `agent.command` | Override kiam default command | `[]` |
| `agent.args` | Override kiam default args | `[]` |
| `agent.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if agent.resources is set (agent.resources is recommended for production). | `none` |
| `agent.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if agent.resources is set (agent.resources is recommended for production). | `nano` |
| `agent.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `agent.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `agent.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `agent.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `agent.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `0` |
| `agent.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
| `agent.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `false` |
| `agent.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
| `agent.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
| `agent.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
| `agent.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
| `agent.containerSecurityContext.capabilities.add` | List of capabilities to be added | `["NET_ADMIN"]` |
| `agent.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
@@ -516,6 +516,17 @@ Find more information about how to deal with common errors related to Bitnami's
## Upgrading
### To 2.0.0
This major bump changes the following security defaults:
- `runAsGroup` is changed from `0` to `1001`
- `readOnlyRootFilesystem` is set to `true`
- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case).
- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`.
This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones.
### To 1.0.0
Kiam version was updated from `3.6.0` to `4.0.0`, there are no relevant changes in the chart itself. According to the official documentation, this new major introduces the following breaking changes at application level:

16
bitnami/kiam/values.yaml
View File

@@ -26,7 +26,7 @@ global:
openshift:
## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
##
adaptSecurityContext: disabled
adaptSecurityContext: auto
## @section Common parameters
## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set)
@@ -252,7 +252,7 @@ server:
## @param server.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if server.resources is set (server.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "none"
resourcesPreset: "nano"
## @param server.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
@@ -279,12 +279,12 @@ server:
##
containerSecurityContext:
enabled: true
seLinuxOptions: null
seLinuxOptions: {}
runAsUser: 1001
runAsGroup: 0
runAsGroup: 1001
runAsNonRoot: false
privileged: false
readOnlyRootFilesystem: false
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
@@ -750,7 +750,7 @@ agent:
## @param agent.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if agent.resources is set (agent.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "none"
resourcesPreset: "nano"
## @param agent.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
@@ -778,12 +778,12 @@ agent:
##
containerSecurityContext:
enabled: true
seLinuxOptions: null
seLinuxOptions: {}
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
privileged: false
readOnlyRootFilesystem: false
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
add: ["NET_ADMIN"]