[bitnami/nats] feat: 🔒 Add readOnlyRootFilesystem support (#23613)

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
This commit is contained in:
Javier J. Salmerón-García
2024-02-20 16:32:24 +01:00
committed by GitHub
parent 7ab0f6a2bc
commit 0bbd7a8ff6
5 changed files with 37 additions and 2 deletions

View File

@@ -31,4 +31,4 @@ maintainers:
name: nats
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/nats
version: 7.15.0
version: 7.16.0

View File

@@ -135,6 +135,7 @@ The command removes all the Kubernetes components associated with the chart and
| `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
| `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |

View File

@@ -144,6 +144,14 @@ spec:
resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
- name: tmp-dir
mountPath: /tmp
- name: app-conf-dir
mountPath: /opt/bitnami/nats/conf
- name: app-tmp-dir
mountPath: /opt/bitnami/nats/tmp
- name: app-logs-dir
mountPath: /opt/bitnami/nats/logs
- name: config
mountPath: /bitnami/nats/conf/{{ .Values.natsFilename }}.conf
subPath: {{ .Values.natsFilename }}.conf
@@ -188,6 +196,14 @@ spec:
{{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
- name: app-conf-dir
emptyDir: {}
- name: app-tmp-dir
emptyDir: {}
- name: app-logs-dir
emptyDir: {}
- name: tmp-dir
emptyDir: {}
- name: config
secret:
secretName: {{ include "nats.secretName" . }}

View File

@@ -149,6 +149,14 @@ spec:
resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
- name: tmp-dir
mountPath: /tmp
- name: app-conf-dir
mountPath: /opt/bitnami/nats/conf
- name: app-tmp-dir
mountPath: /opt/bitnami/nats/tmp
- name: app-logs-dir
mountPath: /opt/bitnami/nats/logs
- name: config
mountPath: /bitnami/nats/conf/{{ .Values.natsFilename }}.conf
subPath: {{ .Values.natsFilename }}.conf
@@ -197,6 +205,14 @@ spec:
{{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
- name: app-conf-dir
emptyDir: {}
- name: app-tmp-dir
emptyDir: {}
- name: app-logs-dir
emptyDir: {}
- name: tmp-dir
emptyDir: {}
- name: config
secret:
secretName: {{ include "nats.secretName" . }}

View File

@@ -65,7 +65,7 @@ diagnosticMode:
image:
registry: docker.io
repository: bitnami/nats
tag: 2.10.10-debian-11-r2
tag: 2.10.11-debian-12-r1
digest: ""
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
@@ -336,6 +336,7 @@ podSecurityContext:
## @param containerSecurityContext.enabled Enabled containers' Security Context
## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param containerSecurityContext.privileged Set container's Security Context privileged
## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@@ -347,6 +348,7 @@ containerSecurityContext:
enabled: true
seLinuxOptions: null
runAsUser: 1001
runAsGroup: 0
runAsNonRoot: true
privileged: false
readOnlyRootFilesystem: false