[bitnami/metrics-server] feat: Add support for PSA restricted policy (#20485)

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
Javier J. Salmerón-García
2023-11-06 14:14:43 +01:00
committed by GitHub
parent 357e7e5189
commit 10b7f1fe2b
3 changed files with 110 additions and 96 deletions

View File

@@ -28,4 +28,4 @@ maintainers:
name: metrics-server
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/metrics-server
version: 6.5.5
version: 6.6.0
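Review bot: the minor bump (6.5.5 to 6.6.0) is the right level for a change that only adds values, but this release also changes what a default install renders: the values.yaml hunk adds `allowPrivilegeEscalation: false`, `capabilities.drop: ["ALL"]` and `seccompProfile.type: RuntimeDefault` to the main container, and none of the three changed files carries an upgrade note saying so. Consider a short "Upgrading to 6.6.0" entry in the README so operators know why the rendered pod spec differs from 6.5.x.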

View File

@@ -79,96 +79,100 @@ The command removes all the Kubernetes components associated with the chart and
### Metrics Server parameters
| Name | Description | Value |
| ------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------- |
| `image.registry` | Metrics Server image registry | `REGISTRY_NAME` |
| `image.repository` | Metrics Server image repository | `REPOSITORY_NAME/metrics-server` |
| `image.digest` | Metrics Server image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `image.pullPolicy` | Metrics Server image pull policy | `IfNotPresent` |
| `image.pullSecrets` | Metrics Server image pull secrets | `[]` |
| `hostAliases` | Add deployment host aliases | `[]` |
| `replicas` | Number of metrics-server nodes to deploy | `1` |
| `updateStrategy.type` | Set up update strategy for metrics-server installation. | `RollingUpdate` |
| `rbac.create` | Enable RBAC authentication | `true` |
| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
| `serviceAccount.name` | The name of the ServiceAccount to create | `""` |
| `serviceAccount.automountServiceAccountToken` | Automount API credentials for a service account | `true` |
| `serviceAccount.annotations` | Annotations for service account. Evaluated as a template. Only used if `create` is `true`. | `{}` |
| `apiService.create` | Specifies whether the v1beta1.metrics.k8s.io API service should be created. You can check if it is needed with `kubectl get --raw "/apis/metrics.k8s.io/v1beta1/nodes"`. | `false` |
| `apiService.insecureSkipTLSVerify` | Specifies whether to skip self-verifying self-signed TLS certificates. Set to "false" if you are providing your own certificates. | `true` |
| `apiService.caBundle` | A base64-encoded string of concatenated certificates for the CA chain for the APIService. | `""` |
| `containerPorts.https` | Port where metrics-server will be running | `8443` |
| `hostNetwork` | Enable hostNetwork mode | `false` |
| `dnsPolicy` | Default dnsPolicy setting | `ClusterFirst` |
| `command` | Override default container command (useful when using custom images) | `[]` |
| `args` | Override default container args (useful when using custom images) | `[]` |
| `lifecycleHooks` | for the metrics-server container(s) to automate configuration before or after startup | `{}` |
| `extraEnvVars` | Array with extra environment variables to add to metrics-server nodes | `[]` |
| `extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for metrics-server nodes | `""` |
| `extraEnvVarsSecret` | Name of existing Secret containing extra env vars for metrics-server nodes | `""` |
| `extraArgs` | Extra arguments to pass to metrics-server on start up | `[]` |
| `sidecars` | Add additional sidecar containers to the metrics-server pod(s) | `[]` |
| `initContainers` | Add additional init containers to the metrics-server pod(s) | `[]` |
| `podLabels` | Pod labels | `{}` |
| `podAnnotations` | Pod annotations | `{}` |
| `priorityClassName` | Priority class for pod scheduling | `""` |
| `schedulerName` | Name of the k8s scheduler (other than default) | `""` |
| `terminationGracePeriodSeconds` | In seconds, time the given to the metrics-server pod needs to terminate gracefully | `""` |
| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `pdb.create` | Create a PodDisruptionBudget | `false` |
| `pdb.minAvailable` | Minimum available instances | `""` |
| `pdb.maxUnavailable` | Maximum unavailable instances | `""` |
| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set. | `""` |
| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` |
| `affinity` | Affinity for pod assignment | `{}` |
| `topologySpreadConstraints` | Topology spread constraints for pod | `[]` |
| `nodeSelector` | Node labels for pod assignment | `{}` |
| `tolerations` | Tolerations for pod assignment | `[]` |
| `service.type` | Kubernetes Service type | `ClusterIP` |
| `service.ports.https` | Kubernetes Service port | `443` |
| `service.nodePorts.https` | Kubernetes Service port | `""` |
| `service.clusterIP` | metrics-server service Cluster IP | `""` |
| `service.loadBalancerIP` | LoadBalancer IP if Service type is `LoadBalancer` | `""` |
| `service.loadBalancerSourceRanges` | metrics-server service Load Balancer sources | `[]` |
| `service.externalTrafficPolicy` | metrics-server service external traffic policy | `Cluster` |
| `service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
| `service.annotations` | Annotations for the Service | `{}` |
| `service.labels` | Labels for the Service | `{}` |
| `service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
| `resources.limits` | The resources limits for the container | `{}` |
| `resources.requests` | The requested resources for the container | `{}` |
| `startupProbe.enabled` | Enable startupProbe | `false` |
| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `0` |
| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `3` |
| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
| `livenessProbe.enabled` | Enable livenessProbe | `true` |
| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `0` |
| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` |
| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` |
| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `readinessProbe.enabled` | Enable readinessProbe | `true` |
| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `0` |
| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` |
| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `customStartupProbe` | Custom liveness probe for the Web component | `{}` |
| `customLivenessProbe` | Custom Liveness probes for metrics-server | `{}` |
| `customReadinessProbe` | Custom Readiness probes metrics-server | `{}` |
| `containerSecurityContext.enabled` | Enable Container security context | `true` |
| `containerSecurityContext.readOnlyRootFilesystem` | ReadOnlyRootFilesystem for the container | `false` |
| `containerSecurityContext.runAsNonRoot` | Run containers as non-root users | `true` |
| `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `podSecurityContext.enabled` | Pod security context | `false` |
| `podSecurityContext.fsGroup` | Set %%MAIN_CONTAINER_NAME%% pod's Security Context fsGroup | `1001` |
| `extraVolumes` | Extra volumes | `[]` |
| `extraVolumeMounts` | Mount extra volume(s) | `[]` |
| Name | Description | Value |
| --------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------- |
| `image.registry` | Metrics Server image registry | `REGISTRY_NAME` |
| `image.repository` | Metrics Server image repository | `REPOSITORY_NAME/metrics-server` |
| `image.digest` | Metrics Server image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `image.pullPolicy` | Metrics Server image pull policy | `IfNotPresent` |
| `image.pullSecrets` | Metrics Server image pull secrets | `[]` |
| `hostAliases` | Add deployment host aliases | `[]` |
| `replicas` | Number of metrics-server nodes to deploy | `1` |
| `updateStrategy.type` | Set up update strategy for metrics-server installation. | `RollingUpdate` |
| `rbac.create` | Enable RBAC authentication | `true` |
| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
| `serviceAccount.name` | The name of the ServiceAccount to create | `""` |
| `serviceAccount.automountServiceAccountToken` | Automount API credentials for a service account | `true` |
| `serviceAccount.annotations` | Annotations for service account. Evaluated as a template. Only used if `create` is `true`. | `{}` |
| `apiService.create` | Specifies whether the v1beta1.metrics.k8s.io API service should be created. You can check if it is needed with `kubectl get --raw "/apis/metrics.k8s.io/v1beta1/nodes"`. | `false` |
| `apiService.insecureSkipTLSVerify` | Specifies whether to skip self-verifying self-signed TLS certificates. Set to "false" if you are providing your own certificates. | `true` |
| `apiService.caBundle` | A base64-encoded string of concatenated certificates for the CA chain for the APIService. | `""` |
| `containerPorts.https` | Port where metrics-server will be running | `8443` |
| `hostNetwork` | Enable hostNetwork mode | `false` |
| `dnsPolicy` | Default dnsPolicy setting | `ClusterFirst` |
| `command` | Override default container command (useful when using custom images) | `[]` |
| `args` | Override default container args (useful when using custom images) | `[]` |
| `lifecycleHooks` | for the metrics-server container(s) to automate configuration before or after startup | `{}` |
| `extraEnvVars` | Array with extra environment variables to add to metrics-server nodes | `[]` |
| `extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for metrics-server nodes | `""` |
| `extraEnvVarsSecret` | Name of existing Secret containing extra env vars for metrics-server nodes | `""` |
| `extraArgs` | Extra arguments to pass to metrics-server on start up | `[]` |
| `sidecars` | Add additional sidecar containers to the metrics-server pod(s) | `[]` |
| `initContainers` | Add additional init containers to the metrics-server pod(s) | `[]` |
| `podLabels` | Pod labels | `{}` |
| `podAnnotations` | Pod annotations | `{}` |
| `priorityClassName` | Priority class for pod scheduling | `""` |
| `schedulerName` | Name of the k8s scheduler (other than default) | `""` |
| `terminationGracePeriodSeconds` | In seconds, time the given to the metrics-server pod needs to terminate gracefully | `""` |
| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `pdb.create` | Create a PodDisruptionBudget | `false` |
| `pdb.minAvailable` | Minimum available instances | `""` |
| `pdb.maxUnavailable` | Maximum unavailable instances | `""` |
| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set. | `""` |
| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` |
| `affinity` | Affinity for pod assignment | `{}` |
| `topologySpreadConstraints` | Topology spread constraints for pod | `[]` |
| `nodeSelector` | Node labels for pod assignment | `{}` |
| `tolerations` | Tolerations for pod assignment | `[]` |
| `service.type` | Kubernetes Service type | `ClusterIP` |
| `service.ports.https` | Kubernetes Service port | `443` |
| `service.nodePorts.https` | Kubernetes Service port | `""` |
| `service.clusterIP` | metrics-server service Cluster IP | `""` |
| `service.loadBalancerIP` | LoadBalancer IP if Service type is `LoadBalancer` | `""` |
| `service.loadBalancerSourceRanges` | metrics-server service Load Balancer sources | `[]` |
| `service.externalTrafficPolicy` | metrics-server service external traffic policy | `Cluster` |
| `service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
| `service.annotations` | Annotations for the Service | `{}` |
| `service.labels` | Labels for the Service | `{}` |
| `service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
| `resources.limits` | The resources limits for the container | `{}` |
| `resources.requests` | The requested resources for the container | `{}` |
| `startupProbe.enabled` | Enable startupProbe | `false` |
| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `0` |
| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `3` |
| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
| `livenessProbe.enabled` | Enable livenessProbe | `true` |
| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `0` |
| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` |
| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` |
| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `readinessProbe.enabled` | Enable readinessProbe | `true` |
| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `0` |
| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` |
| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `customStartupProbe` | Custom liveness probe for the Web component | `{}` |
| `customLivenessProbe` | Custom Liveness probes for metrics-server | `{}` |
| `customReadinessProbe` | Custom Readiness probes metrics-server | `{}` |
| `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
| `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
| `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
| `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `podSecurityContext.enabled` | Pod security context | `false` |
| `podSecurityContext.fsGroup` | Set %%MAIN_CONTAINER_NAME%% pod's Security Context fsGroup | `1001` |
| `extraVolumes` | Extra volumes | `[]` |
| `extraVolumeMounts` | Mount extra volume(s) | `[]` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
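Review bot: two descriptions in the regenerated table were carried over with their defects intact: the `podSecurityContext.fsGroup` row still prints the raw template token `%%MAIN_CONTAINER_NAME%%`, and `customStartupProbe` is described as "Custom liveness probe for the Web component", which is neither a startup probe nor metrics-server. Both come from the `@param` lines in values.yaml, so fix them there and regenerate, e.g. `## @param podSecurityContext.fsGroup Set metrics-server pod's Security Context fsGroup`. One sentence in the README would also help, because `podSecurityContext.enabled` stays `false`: the restricted-profile settings live only on the main container's security context, so anything a user adds through `sidecars` or `initContainers` must set `runAsNonRoot`, `allowPrivilegeEscalation: false`, `capabilities.drop: ["ALL"]` and a `seccompProfile` itself, or a namespace enforcing `restricted` will still reject the pod.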

View File

@@ -415,16 +415,26 @@ customLivenessProbe: {}
customReadinessProbe: {}
## Container security context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param containerSecurityContext.enabled Enable Container security context
## @param containerSecurityContext.readOnlyRootFilesystem ReadOnlyRootFilesystem for the container
## @param containerSecurityContext.runAsNonRoot Run containers as non-root users
## @param containerSecurityContext.enabled Enabled containers' Security Context
## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param containerSecurityContext.privileged Set container's Security Context privileged
## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped
## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
##
containerSecurityContext:
enabled: true
readOnlyRootFilesystem: false
runAsNonRoot: true
runAsUser: 1001
runAsNonRoot: true
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
seccompProfile:
type: "RuntimeDefault"
## Pod security context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param podSecurityContext.enabled Pod security context
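Review bot: `readOnlyRootFilesystem` stays `false` while every other field in the new block is hardened. The `restricted` profile does not require a read-only root filesystem, so this is not a blocker, but since the block is being reworked for PSA anyway, check whether the default can be flipped to `true`; if metrics-server needs a writable root filesystem at runtime, keep `false` and say why in the comment above it. Two smaller points: `type: "RuntimeDefault"` is the only quoted scalar in the block (the rest, e.g. `runAsNonRoot: true`, are bare), so drop the quotes for consistency; and the `ref:` comment still links only the per-container security-context docs, whereas a link to the Pod Security Standards page (https://kubernetes.io/docs/concepts/security/pod-security-standards/) would tell readers which of these fields the restricted profile actually requires.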