[bitnami/influxdb] Added PSP for volume permissions in hardened cluster (#8124)

* feat: added rbac and psp for volume permissions

* chore: bump up chart and app version

* fix: removed comment

* chore: update README.md

* Update bitnami/influxdb/Chart.yaml

Co-authored-by: Alejandro Moreno <alemorcuq@gmail.com>

* Update bitnami/influxdb/values.yaml

Co-authored-by: Alejandro Moreno <alemorcuq@gmail.com>

* Update bitnami/influxdb/values.yaml

Co-authored-by: Alejandro Moreno <alemorcuq@gmail.com>

* Update Chart.yaml

Co-authored-by: Alejandro Moreno <alemorcuq@gmail.com>
This commit is contained in:
Abhimanyu Saharan
2021-11-16 01:51:54 -08:00
committed by GitHub
parent a9a4154cf9
commit 03d1297fd4
9 changed files with 151 additions and 23 deletions


@@ -24,4 +24,4 @@ name: influxdb
sources:
- https://github.com/bitnami/bitnami-docker-influxdb
- https://www.influxdata.com/products/influxdb-overview/
version: 2.3.18
version: 2.4.0


@@ -238,28 +238,32 @@ The command removes all the Kubernetes components associated with the chart and
### Metrics parameters
| Name | Description | Value |
| ------------------------------------------ | ------------------------------------------------------------------------------------------------------ | ------------------- |
| `metrics.enabled` | Enable the export of Prometheus metrics | `false` |
| `metrics.service.type` | Kubernetes service type (`ClusterIP`, `NodePort` or `LoadBalancer`) | `ClusterIP` |
| `metrics.service.port` | InfluxDB&trade; Prometheus port | `9122` |
| `metrics.service.nodePort` | Kubernetes HTTP node port | `""` |
| `metrics.service.loadBalancerIP` | loadBalancerIP if service type is `LoadBalancer` | `""` |
| `metrics.service.loadBalancerSourceRanges` | Address that are allowed when service is LoadBalancer | `[]` |
| `metrics.service.clusterIP` | Static clusterIP or None for headless services | `""` |
| `metrics.service.annotations` | Annotations for the Prometheus metrics service | `{}` |
| `metrics.serviceMonitor.enabled` | if `true`, creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`) | `false` |
| `metrics.serviceMonitor.namespace` | Namespace in which Prometheus is running | `""` |
| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. | `""` |
| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` |
| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` |
| `networkPolicy.enabled` | Enable NetworkPolicy | `false` |
| `networkPolicy.allowExternal` | Don't require client label for connections | `true` |
| `persistence.enabled` | Enable data persistence | `true` |
| `persistence.existingClaim` | Use a existing PVC which must be created manually before bound | `""` |
| `persistence.storageClass` | Specify the `storageClass` used to provision the volume | `""` |
| `persistence.accessModes` | Access mode of data volume | `["ReadWriteOnce"]` |
| `persistence.size` | Size of data volume | `8Gi` |
| Name | Description | Value |
| ------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- |
| `metrics.enabled` | Enable the export of Prometheus metrics | `false` |
| `metrics.service.type` | Kubernetes service type (`ClusterIP`, `NodePort` or `LoadBalancer`) | `ClusterIP` |
| `metrics.service.port` | InfluxDB&trade; Prometheus port | `9122` |
| `metrics.service.nodePort` | Kubernetes HTTP node port | `""` |
| `metrics.service.loadBalancerIP` | loadBalancerIP if service type is `LoadBalancer` | `""` |
| `metrics.service.loadBalancerSourceRanges` | Address that are allowed when service is LoadBalancer | `[]` |
| `metrics.service.clusterIP` | Static clusterIP or None for headless services | `""` |
| `metrics.service.annotations` | Annotations for the Prometheus metrics service | `{}` |
| `metrics.serviceMonitor.enabled` | if `true`, creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`) | `false` |
| `metrics.serviceMonitor.namespace` | Namespace in which Prometheus is running | `""` |
| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. | `""` |
| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` |
| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` |
| `networkPolicy.enabled` | Enable NetworkPolicy | `false` |
| `networkPolicy.allowExternal` | Don't require client label for connections | `true` |
| `persistence.enabled` | Enable data persistence | `true` |
| `persistence.existingClaim` | Use a existing PVC which must be created manually before bound | `""` |
| `persistence.storageClass` | Specify the `storageClass` used to provision the volume | `""` |
| `persistence.accessModes` | Access mode of data volume | `["ReadWriteOnce"]` |
| `persistence.size` | Size of data volume | `8Gi` |
| `serviceAccount.enabled` | Enable service account (Note: Service Account will only be automatically created if `serviceAccount.name` is not set) | `false` |
| `serviceAccount.name` | Name of an already existing service account. Setting this value disables the automatic service account creation | `""` |
| `psp.create` | Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` |
| `rbac.create` | Create Role and RoleBinding (required for PSP to work) | `false` |
### Volume permissions parameters
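Review bot: the four new rows (`serviceAccount.enabled`, `serviceAccount.name`, `psp.create`, `rbac.create`) are appended to the table that sits under the `### Metrics parameters` heading, next to the pre-existing `networkPolicy.*` and `persistence.*` rows, which makes the PSP/RBAC settings hard to find; give them their own section or place them beside `### Volume permissions parameters`, since the service account is only wired into the pod when volume permissions are enabled. The descriptions should also state the dependency between the three toggles: `psp.create` does nothing unless `rbac.create` grants `use` on the policy and `serviceAccount.enabled` attaches the bound service account to the pod, whereas the current `rbac.create` text ("required for PSP to work") states only half of that. This table is generated from the `## @param`/`## @section` comments in `values.yaml` (the `## @section Volume permissions parameters` marker is visible in the values hunk), so the wording fix belongs there, not in the README itself.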


@@ -52,6 +52,9 @@ spec:
fsGroup: {{ .Values.influxdb.securityContext.fsGroup }}
{{- end }}
{{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }}
{{- if .Values.serviceAccount.enabled }}
serviceAccountName: {{ default (include "common.names.fullname" . ) .Values.serviceAccount.name}}
{{- end }}
initContainers:
- name: init-chmod-data
image: {{ include "influxdb.volumePermissions.image" . }}
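Review bot: `serviceAccountName` is only emitted inside the `{{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }}` block, so a release with `serviceAccount.enabled=true`, `rbac.create=true` and `psp.create=true` but `volumePermissions.enabled=false` runs the pod under the namespace's `default` service account, which has not been granted `use` on the chart's PodSecurityPolicy; on a cluster with the PSP admission controller enabled the pod is then rejected. PSP admission evaluates the whole pod, not just the `init-chmod-data` init container, so move the `{{- if .Values.serviceAccount.enabled }}` / `serviceAccountName:` / `{{- end }}` lines above the volume-permissions conditional so the account is set whenever it is enabled. Minor: `.Values.serviceAccount.name}}` is missing the space before `}}` that the rest of the chart uses.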


@@ -51,6 +51,9 @@ spec:
fsGroup: {{ .Values.influxdb.securityContext.fsGroup }}
{{- end }}
{{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }}
{{- if .Values.serviceAccount.enabled }}
serviceAccountName: {{ default (include "common.names.fullname" . ) .Values.serviceAccount.name}}
{{- end }}
initContainers:
- name: init-chmod-data
image: {{ include "influxdb.volumePermissions.image" . }}
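Review bot: this second workload template has the same gating problem as the previous hunk: `serviceAccountName` is nested inside `{{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }}`, so the service account, and with it the RoleBinding that authorises `use` of the PSP, is only attached when the chown init container runs. Hoist the `serviceAccount.enabled` block out of that conditional; the main InfluxDB container needs the binding just as much as the init container does. The missing space in `.Values.serviceAccount.name}}` applies here as well.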


@@ -0,0 +1,41 @@
{{- $pspAvailable := (semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .)) -}}
{{- if and $pspAvailable .Values.psp.create }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ template "common.names.fullname" . }}
labels:
{{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
namespace: {{ .Release.Namespace }}
spec:
privileged: false
allowedCapabilities:
- CHOWN
volumes:
- 'configMap'
- 'secret'
- 'persistentVolumeClaim'
- 'emptyDir'
- 'projected'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
readOnlyRootFilesystem: false
{{- end }}
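Review bot: `metadata.namespace: {{ .Release.Namespace }}` has no meaning on a PodSecurityPolicy, which is a cluster-scoped resource; drop the line so the manifest does not suggest the policy is namespaced. On the capability settings, `allowedCapabilities: [CHOWN]` only governs what a container may add via `securityContext.capabilities.add`; without a `requiredDropCapabilities` list every container in the pod keeps the runtime's default capability set, so the policy is looser than the `CHOWN`-only entry reads. If the intent is "nothing beyond what the chown step needs", add `requiredDropCapabilities: [ALL]` next to `allowedCapabilities`, after checking which capabilities the `init-chmod-data` container actually requires for its chown/chmod run (and how it sets its own `securityContext`), since the drop applies to that container too. `runAsUser: RunAsAny` and `readOnlyRootFilesystem: false` are understandable for a root init container but also apply to the database container; worth a sentence in the `psp.create` description so operators know this is not a restricted-profile policy.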


@@ -0,0 +1,21 @@
{{- if .Values.rbac.create }}
kind: Role
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
metadata:
name: {{ template "common.names.fullname" . }}
labels:
{{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
namespace: {{ .Release.Namespace }}
rules:
{{- $pspAvailable := (semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .)) -}}
{{- if and $pspAvailable .Values.psp.create }}
- apiGroups: ["extensions"]
resources: ["podsecuritypolicies"]
verbs: ["use"]
resourceNames:
- {{ template "common.names.fullname" . }}
{{- end }}
{{- end }}
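Review bot: the rule grants `use` on `podsecuritypolicies` in `apiGroups: ["extensions"]`, but the policy itself is created under `apiVersion: policy/v1beta1` in the PSP hunk, and the upstream PodSecurityPolicy documentation grants `use` in the `policy` group; use `apiGroups: ["policy"]` (or list both groups if older clusters are still supported) so the binding does not silently fail to match. Two smaller points: with `rbac.create=true` and `psp.create=false` the template renders a Role with an empty `rules:`, so consider gating the whole file on both values; and the `{{- $pspAvailable := (semverCompare "<1.25-0" ...) -}}` expression is now duplicated verbatim from the PSP template, where a small named helper would keep the two checks from drifting apart.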


@@ -0,0 +1,20 @@
{{- if .Values.rbac.create }}
kind: RoleBinding
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
metadata:
name: {{ template "common.names.fullname" . }}
labels:
{{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: Role
name: {{ template "common.names.fullname" . }}
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: {{ default (include "common.names.fullname" . ) .Values.serviceAccount.name }}
namespace: {{ .Release.Namespace }}
{{- end }}
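Review bot: the subject is `default (include "common.names.fullname" . ) .Values.serviceAccount.name` regardless of `serviceAccount.enabled`, so with `rbac.create=true` and `serviceAccount.enabled=false` the binding points at a service account that is never created while the pod runs as `default`; the grant is dead and the PSP still cannot be used. Either render the RoleBinding only when the service account is enabled, or make the chart fail early on that combination. The same `default (...)` expression is now repeated in three templates plus both workload templates; a single `influxdb.serviceAccountName` helper (a suggested name, not something the chart has today) would avoid the copies drifting apart.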


@@ -0,0 +1,11 @@
{{- if and (.Values.serviceAccount.enabled) (not .Values.serviceAccount.name) }}
apiVersion: v1
kind: ServiceAccount
metadata:
labels: {{- include "common.labels.standard" . | nindent 4 }}
name: {{ include "common.names.fullname" . }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
namespace: {{ .Release.Namespace | quote }}
{{- end }}
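Review bot: the ServiceAccount does not set `automountServiceAccountToken`. It exists only so that the RBAC `use` grant can be attached to the pod, and PSP admission is decided from the pod's `serviceAccountName`, not from a mounted token, so InfluxDB never needs API credentials; set `automountServiceAccountToken: false` here (or on the pod spec) so the database container does not receive a projected token it has no use for. Minor: `namespace: {{ .Release.Namespace | quote }}` is quoted here but unquoted in the Role and RoleBinding templates; pick one form.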


@@ -811,6 +811,31 @@ persistence:
##
size: 8Gi
## Pod Service Account
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
##
serviceAccount:
## @param serviceAccount.enabled Enable service account (Note: Service Account will only be automatically created if `serviceAccount.name` is not set)
##
enabled: false
## @param serviceAccount.name Name of an already existing service account. Setting this value disables the automatic service account creation
##
name: ""
## Pod Security Policy
## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
## @param psp.create Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later
##
psp:
create: false
## Role Based Access
## Ref: https://kubernetes.io/docs/admin/authorization/rbac/
## @param rbac.create Create Role and RoleBinding (required for PSP to work)
##
rbac:
create: false
## @section Volume permissions parameters
## Init Container parameters
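Review bot: the three new toggles default to `false` and are documented as independent, but they only work as a set: `psp.create` needs `rbac.create` for the `use` grant and `serviceAccount.enabled` for the pod to carry the bound account, and `rbac.create` alone renders an empty Role. Put that in the `@param` descriptions, since the README table is generated from these comments. Layout is also inconsistent within the hunk: for `serviceAccount` the `## @param` lines sit under the key next to each field, while for `psp` and `rbac` the `## @param` sits above the key in the `## ref:` block; and `## Ref:` under "Role Based Access" should be `## ref:` like the other sections.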