Bitnami/charts
2
0
Fork 0
mirror of https://github.com/bitnami/charts.git synced 2026-03-16 06:47:30 +08:00
Code Issues Packages Projects Releases Wiki Activity

[bitnami/sealed-secrets] feat: 🔒 Add runAsGroup (#23992)

Browse Source 
Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
This commit is contained in:
Javier J. Salmerón-García
2024-03-06 09:52:09 +01:00
committed by GitHub
parent bdf0d79f3a
commit 10744a3cd1
4 changed files with 8 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
bitnami/sealed-secrets/Chart.yaml
View File

@@ -29,4 +29,4 @@ name: sealed-secrets
sources: sources:
- https://github.com/bitnami/charts/tree/main/bitnami/sealed-secrets - https://github.com/bitnami/charts/tree/main/bitnami/sealed-secrets
- https://github.com/bitnami-labs/sealed-secrets - https://github.com/bitnami-labs/sealed-secrets
version: 1.10.2 version: 1.11.0

2
bitnami/sealed-secrets/README.md
View File

@@ -128,7 +128,6 @@ The command removes all the Kubernetes components associated with the chart and
| `podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | | `podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `podSecurityContext.fsGroup` | Set Sealed Secret pod's Security Context fsGroup | `1001` | | `podSecurityContext.fsGroup` | Set Sealed Secret pod's Security Context fsGroup | `1001` |
| `podSecurityContext.seccompProfile.type` | Set Sealed Secret pod's Security Context seccompProfile type | `RuntimeDefault` |
| `containerSecurityContext.enabled` | Enabled Sealed Secret containers' Security Context | `true` | | `containerSecurityContext.enabled` | Enabled Sealed Secret containers' Security Context | `true` |
| `containerSecurityContext.allowPrivilegeEscalation` | Whether the Sealed Secret container can escalate privileges | `false` | | `containerSecurityContext.allowPrivilegeEscalation` | Whether the Sealed Secret container can escalate privileges | `false` |
| `containerSecurityContext.capabilities.drop` | Which privileges to drop in the Sealed Secret container | `["ALL"]` | | `containerSecurityContext.capabilities.drop` | Which privileges to drop in the Sealed Secret container | `["ALL"]` |
@@ -136,6 +135,7 @@ The command removes all the Kubernetes components associated with the chart and
| `containerSecurityContext.runAsNonRoot` | Indicates that the Sealed Secret container must run as a non-root user | `true` | | `containerSecurityContext.runAsNonRoot` | Indicates that the Sealed Secret container must run as a non-root user | `true` |
| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `containerSecurityContext.runAsUser` | Set Sealed Secret containers' Security Context runAsUser | `1001` | | `containerSecurityContext.runAsUser` | Set Sealed Secret containers' Security Context runAsUser | `1001` |
| `containerSecurityContext.runAsGroup` | Set Sealed Secret containers' Security Context runAsGroup | `1001` |
| `containerSecurityContext.seccompProfile.type` | Set Sealed Secret container's Security Context seccompProfile type | `RuntimeDefault` | | `containerSecurityContext.seccompProfile.type` | Set Sealed Secret container's Security Context seccompProfile type | `RuntimeDefault` |
| `automountServiceAccountToken` | Mount Service Account token in pod | `true` | | `automountServiceAccountToken` | Mount Service Account token in pod | `true` |
| `hostAliases` | Sealed Secret pods host aliases | `[]` | | `hostAliases` | Sealed Secret pods host aliases | `[]` |

5
bitnami/sealed-secrets/templates/deployment.yaml
View File

@@ -190,8 +190,9 @@ spec:
port: http port: http
{{- end }} {{- end }}
volumeMounts: volumeMounts:
- name: tmp - name: empty-dir
mountPath: /tmp mountPath: /tmp
subPath: tmp-dir
{{- if .Values.extraVolumeMounts }} {{- if .Values.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }} {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }} {{- end }}
@@ -199,7 +200,7 @@ spec:
{{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $) | nindent 8 }} {{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $) | nindent 8 }}
{{- end }} {{- end }}
volumes: volumes:
- name: tmp - name: empty-dir
emptyDir: {} emptyDir: {}
{{- if .Values.extraVolumes }} {{- if .Values.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }} {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }}

8
bitnami/sealed-secrets/values.yaml
View File

@@ -209,7 +209,6 @@ customStartupProbe: {}
## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface ## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface
## @param podSecurityContext.supplementalGroups Set filesystem extra groups ## @param podSecurityContext.supplementalGroups Set filesystem extra groups
## @param podSecurityContext.fsGroup Set Sealed Secret pod's Security Context fsGroup ## @param podSecurityContext.fsGroup Set Sealed Secret pod's Security Context fsGroup
## @param podSecurityContext.seccompProfile.type Set Sealed Secret pod's Security Context seccompProfile type
## ##
podSecurityContext: podSecurityContext:
enabled: true enabled: true
@@ -217,8 +216,6 @@ podSecurityContext:
sysctls: [] sysctls: []
supplementalGroups: [] supplementalGroups: []
fsGroup: 1001 fsGroup: 1001
seccompProfile:
type: RuntimeDefault
## Configure Container Security Context ## Configure Container Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param containerSecurityContext.enabled Enabled Sealed Secret containers' Security Context ## @param containerSecurityContext.enabled Enabled Sealed Secret containers' Security Context
@@ -228,18 +225,19 @@ podSecurityContext:
## @param containerSecurityContext.runAsNonRoot Indicates that the Sealed Secret container must run as a non-root user ## @param containerSecurityContext.runAsNonRoot Indicates that the Sealed Secret container must run as a non-root user
## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param containerSecurityContext.runAsUser Set Sealed Secret containers' Security Context runAsUser ## @param containerSecurityContext.runAsUser Set Sealed Secret containers' Security Context runAsUser
## @param containerSecurityContext.runAsGroup Set Sealed Secret containers' Security Context runAsGroup
## @param containerSecurityContext.seccompProfile.type Set Sealed Secret container's Security Context seccompProfile type ## @param containerSecurityContext.seccompProfile.type Set Sealed Secret container's Security Context seccompProfile type
## ##
containerSecurityContext: containerSecurityContext:
enabled: true enabled: true
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities: capabilities:
drop: drop: ["ALL"]
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsNonRoot: true runAsNonRoot: true
seLinuxOptions: null seLinuxOptions: null
runAsUser: 1001 runAsUser: 1001
runAsGroup: 1001
seccompProfile: seccompProfile:
type: RuntimeDefault type: RuntimeDefault
## @param automountServiceAccountToken Mount Service Account token in pod ## @param automountServiceAccountToken Mount Service Account token in pod