[bitnami/apisix] feat: 🔒 Add runAsGroup (#23874)

* [bitnami/apisix] feat: 🔒 Add runAsGroup

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* chore: 🔧 Bump chart version

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

---------

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
Author: Javier J. Salmerón-García, 2024-02-27 16:31:57 +01:00 (committed by GitHub)
Parent: 0e302eb5ba
Commit: 166932f59c
8 changed files with 51 additions and 27 deletions

View File

@@ -45,4 +45,4 @@ sources:
- https://github.com/bitnami/charts/tree/main/bitnami/apisix
- https://github.com/bitnami/charts/tree/main/bitnami/apisix-dashboard
- https://github.com/bitnami/charts/tree/main/bitnami/apisix-ingress-controller
version: 2.8.2
version: 2.9.0
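Review bot: the commit message only mentions runAsGroup, but most of this change renames the per-pod `apisix-dir`, `tmp`, `rendered-config` and `log-dir` emptyDir volumes into a single `empty-dir` volume addressed by `subPath`; anyone referencing those volume names from their own extra mounts will break on upgrade, so the minor bump to 2.9.0 is the right size, but the commit body and changelog should state the rename explicitly.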

View File

@@ -124,7 +124,9 @@ The command removes all the Kubernetes components associated with the chart and
| `dataPlane.containerSecurityContext.enabled` | Enabled APISIX containers' Security Context | `true` |
| `dataPlane.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `dataPlane.containerSecurityContext.runAsUser` | Set APISIX containers' Security Context runAsUser | `1001` |
| `dataPlane.containerSecurityContext.runAsGroup` | Set APISIX containers' Security Context runAsGroup | `1001` |
| `dataPlane.containerSecurityContext.runAsNonRoot` | Set APISIX containers' Security Context runAsNonRoot | `true` |
| `dataPlane.containerSecurityContext.privileged` | Set APISIX containers' Security Context privileged | `false` |
| `dataPlane.containerSecurityContext.readOnlyRootFilesystem` | Set APISIX containers' Security Context runAsNonRoot | `true` |
| `dataPlane.containerSecurityContext.allowPrivilegeEscalation` | Set APISIX container's privilege escalation | `false` |
| `dataPlane.containerSecurityContext.capabilities.drop` | Set APISIX container's Security Context runAsNonRoot | `["ALL"]` |
@@ -303,7 +305,9 @@ The command removes all the Kubernetes components associated with the chart and
| `controlPlane.containerSecurityContext.enabled` | Enabled APISIX containers' Security Context | `true` |
| `controlPlane.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `controlPlane.containerSecurityContext.runAsUser` | Set APISIX containers' Security Context runAsUser | `1001` |
| `controlPlane.containerSecurityContext.runAsGroup` | Set APISIX containers' Security Context runAsGroup | `1001` |
| `controlPlane.containerSecurityContext.runAsNonRoot` | Set APISIX containers' Security Context runAsNonRoot | `true` |
| `controlPlane.containerSecurityContext.privileged` | Set APISIX containers' Security Context privileged | `false` |
| `controlPlane.containerSecurityContext.readOnlyRootFilesystem` | Set APISIX containers' Security Context runAsNonRoot | `true` |
| `controlPlane.containerSecurityContext.allowPrivilegeEscalation` | Set APISIX container's privilege escalation | `false` |
| `controlPlane.containerSecurityContext.capabilities.drop` | Set APISIX container's Security Context runAsNonRoot | `["ALL"]` |
@@ -529,6 +533,7 @@ The command removes all the Kubernetes components associated with the chart and
| `dashboard.containerSecurityContext.enabled` | Enabled Dashboard container' Security Context | `true` |
| `dashboard.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `dashboard.containerSecurityContext.runAsUser` | Set Dashboard container' Security Context runAsUser | `1001` |
| `dashboard.containerSecurityContext.runAsGroup` | Set Dashboard container' Security Context runAsGroup | `1001` |
| `dashboard.containerSecurityContext.runAsNonRoot` | Set Dashboard container' Security Context runAsNonRoot | `true` |
| `dashboard.containerSecurityContext.privileged` | Set Dashboard container' Security Context privileged | `false` |
| `dashboard.containerSecurityContext.readOnlyRootFilesystem` | Set Dashboard container' Security Context runAsNonRoot | `true` |
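Review bot: every row of this table, including the new `runAsGroup` one, reads `Dashboard container' Security Context` with a stray apostrophe; it should be `Dashboard container's` (singular) to match the "APISIX containers'" wording in the other tables. Since this table is generated, correct the `@param dashboard.containerSecurityContext.*` comments in values.yaml and regenerate rather than editing the README by hand.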
@@ -652,6 +657,7 @@ The command removes all the Kubernetes components associated with the chart and
| `ingressController.containerSecurityContext.enabled` | Enabled APISIX Ingress Controller containers' Security Context | `true` |
| `ingressController.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `ingressController.containerSecurityContext.runAsUser` | Set APISIX Ingress Controller containers' Security Context runAsUser | `1001` |
| `ingressController.containerSecurityContext.runAsGroup` | Set APISIX Ingress Controller containers' Security Context runAsGroup | `1001` |
| `ingressController.containerSecurityContext.runAsNonRoot` | Set APISIX Ingress Controller containers' Security Context runAsNonRoot | `true` |
| `ingressController.containerSecurityContext.privileged` | Set APISIX Ingress Controller containers' Security Context privileged | `false` |
| `ingressController.containerSecurityContext.readOnlyRootFilesystem` | Set APISIX Ingress Controller containers' Security Context runAsNonRoot | `true` |
@@ -794,10 +800,11 @@ The command removes all the Kubernetes components associated with the chart and
| `waitContainer.containerSecurityContext.enabled` | Enabled APISIX containers' Security Context | `true` |
| `waitContainer.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `waitContainer.containerSecurityContext.runAsUser` | Set APISIX containers' Security Context runAsUser | `1001` |
| `waitContainer.containerSecurityContext.runAsGroup` | Set APISIX containers' Security Context runAsGroup | `1001` |
| `waitContainer.containerSecurityContext.runAsNonRoot` | Set APISIX containers' Security Context runAsNonRoot | `true` |
| `waitContainer.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
| `waitContainer.containerSecurityContext.readOnlyRootFilesystem` | Set APISIX containers' Security Context runAsNonRoot | `true` |
| `waitContainer.containerSecurityContext.allowPrivilegeEscalation` | Set APISIX container's privilege escalation | `false` |
| `waitContainer.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
| `waitContainer.containerSecurityContext.capabilities.drop` | Set APISIX container's Security Context runAsNonRoot | `["ALL"]` |
| `waitContainer.containerSecurityContext.seccompProfile.type` | Set APISIX container's Security Context seccomp profile | `RuntimeDefault` |

View File

@@ -385,12 +385,14 @@ Init container definition for waiting for the database to be ready
name: {{ include "common.tplvalues.render" (dict "value" $block.extraEnvVarsSecret "context" $) }}
{{- end }}
volumeMounts:
- name: apisix-dir
- name: empty-dir
mountPath: /usr/local/apisix
subPath: app-tmp-dir
- name: config
mountPath: /bitnami/apisix/conf/00_default
- name: tmp
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- if or $block.extraConfig $block.extraConfigExistingConfigMap }}
- name: extra-config
mountPath: /bitnami/apisix/conf/01_extra
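Review bot: both writable mounts now come from one volume distinguished only by `subPath` (`app-tmp-dir` for `/usr/local/apisix`, `tmp-dir` for `/tmp`), so every pod spec that includes this init-container helper must define a volume literally named `empty-dir`; the deployment hunks in this commit do, but a short comment at the top of the helper naming that contract would protect the next person who adds a pod template. The old `apisix-dir` and `tmp` names disappear here, which is the user-visible part of the rename noted on the chart version bump.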
@@ -599,8 +601,9 @@ Render configuration for the dashboard and ingress-controller components
name: {{ include "common.tplvalues.render" (dict "value" $block.extraEnvVarsSecret "context" $) }}
{{- end }}
volumeMounts:
- name: rendered-config
- name: empty-dir
mountPath: /bitnami/apisix/rendered-conf
subPath: app-conf-dir
- name: config
mountPath: /bitnami/apisix/conf/00_default
{{- if or $block.extraConfig $block.extraConfigExistingConfigMap }}
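Review bot: the rendered configuration is written to `/bitnami/apisix/rendered-conf` through `subPath: app-conf-dir`, so the main container that consumes it must mount the same `empty-dir` volume with exactly that subPath string (the dashboard and ingress-controller deployments mount `app-conf-dir` at `/bitnami/apisix/conf` and `/bitnami/apisix-ingress-controller/conf`). A typo in any one of those literals produces an empty config directory rather than an error, so consider emitting the subPath names from one named template instead of repeating the strings in each file.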

View File

@@ -170,10 +170,12 @@ spec:
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.controlPlane.lifecycleHooks "context" $) | nindent 12 }}
{{- end }}
volumeMounts:
- name: apisix-dir
- name: empty-dir
mountPath: /usr/local/apisix
- name: tmp
subPath: app-tmp-dir
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- if .Values.controlPlane.tls.enabled }}
- name: certs
mountPath: /bitnami/certs
@@ -198,9 +200,7 @@ spec:
secret:
secretName: {{ template "apisix.control-plane.tlsSecretName" . }}
{{- end }}
- name: apisix-dir
emptyDir: {}
- name: tmp
- name: empty-dir
emptyDir: {}
{{- if .Values.controlPlane.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.controlPlane.extraVolumes "context" $) | nindent 8 }}
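Review bot: with `apisix-dir` and `tmp` merged into a single `emptyDir: {}`, one volume now backs both the APISIX working directory and `/tmp`; consider exposing `sizeLimit` for it through a chart value so that a temp-file or log blow-up is bounded and evicted at the pod level instead of consuming node ephemeral storage, since the previous per-volume separation is otherwise silently lost.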

View File

@@ -162,10 +162,12 @@ spec:
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.dashboard.lifecycleHooks "context" $) | nindent 12 }}
{{- end }}
volumeMounts:
- name: rendered-config
- name: empty-dir
mountPath: /bitnami/apisix/conf
- name: log-dir
subPath: app-conf-dir
- name: empty-dir
mountPath: /opt/bitnami/apisix-dashboard/logs
subPath: app-logs-dir
{{- if .Values.dashboard.tls.enabled }}
- name: certs
mountPath: /bitnami/certs
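Review bot: `app-conf-dir` is mounted here at `/bitnami/apisix/conf`, while the render helper writes it at `/bitnami/apisix/rendered-conf`; that works because the subPath is the same even though the mountPath differs, but neither template says so, so a one-line comment next to this mount stating that it is the init container's `rendered-conf` output would save the next reader a search. The dashboard logs (`app-logs-dir`) also move onto this shared emptyDir, so the `sizeLimit` consideration for the consolidated volume applies to this pod too.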
@@ -190,9 +192,7 @@ spec:
secret:
secretName: {{ template "apisix.dashboard.tlsSecretName" . }}
{{- end }}
- name: log-dir
emptyDir: {}
- name: rendered-config
- name: empty-dir
emptyDir: {}
{{- if .Values.dashboard.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.dashboard.extraVolumes "context" $) | nindent 8 }}

View File

@@ -172,10 +172,12 @@ spec:
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.dataPlane.lifecycleHooks "context" $) | nindent 12 }}
{{- end }}
volumeMounts:
- name: apisix-dir
- name: empty-dir
mountPath: /usr/local/apisix
- name: tmp
subPath: app-tmp-dir
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: certs
mountPath: /bitnami/certs
{{- if or .Values.controlPlane.enabled .Values.controlPlane.tls.enabled}}
@@ -203,15 +205,13 @@ spec:
secret:
secretName: {{ template "apisix.data-plane.tlsSecretName" . }}
{{- end }}
- name: apisix-dir
- name: empty-dir
emptyDir: {}
{{- if or .Values.controlPlane.enabled .Values.controlPlane.tls.enabled }}
- name: control-plane-certs
secret:
secretName: {{ template "apisix.control-plane.tlsSecretName" . }}
{{- end }}
- name: tmp
emptyDir: {}
{{- if .Values.dataPlane.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.dataPlane.extraVolumes "context" $) | nindent 8 }}
{{- end }}

View File

@@ -163,10 +163,12 @@ spec:
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.ingressController.lifecycleHooks "context" $) | nindent 12 }}
{{- end }}
volumeMounts:
- name: rendered-config
- name: empty-dir
mountPath: /bitnami/apisix-ingress-controller/conf
- name: tmp
subPath: app-conf-dir
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- if .Values.ingressController.tls.enabled }}
- name: certs
mountPath: /bitnami/certs
@@ -191,9 +193,7 @@ spec:
configMap:
name: {{ include "apisix.ingress-controller.extraConfigmapName" . }}
{{- end }}
- name: rendered-config
emptyDir: {}
- name: tmp
- name: empty-dir
emptyDir: {}
{{- if .Values.ingressController.tls.enabled }}
- name: certs

View File

@@ -205,7 +205,9 @@ dataPlane:
## @param dataPlane.containerSecurityContext.enabled Enabled APISIX containers' Security Context
## @param dataPlane.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param dataPlane.containerSecurityContext.runAsUser Set APISIX containers' Security Context runAsUser
## @param dataPlane.containerSecurityContext.runAsGroup Set APISIX containers' Security Context runAsGroup
## @param dataPlane.containerSecurityContext.runAsNonRoot Set APISIX containers' Security Context runAsNonRoot
## @param dataPlane.containerSecurityContext.privileged Set APISIX containers' Security Context privileged
## @param dataPlane.containerSecurityContext.readOnlyRootFilesystem Set APISIX containers' Security Context runAsNonRoot
## @param dataPlane.containerSecurityContext.allowPrivilegeEscalation Set APISIX container's privilege escalation
## @param dataPlane.containerSecurityContext.capabilities.drop Set APISIX container's Security Context runAsNonRoot
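Review bot: the `@param ... readOnlyRootFilesystem` and `@param ... capabilities.drop` descriptions in the context lines of this hunk still read "runAsNonRoot" (copy-paste leftovers), and these comments are what the README generator turns into the parameter tables, which is why the README hunks above carry the same wrong wording. Since the adjacent `runAsGroup` line is being added anyway, fix them here (e.g. "Set APISIX containers' Security Context readOnlyRootFilesystem" and "Set APISIX containers' Security Context capabilities to drop") and regenerate; the same leftovers appear in the controlPlane, dashboard, ingressController and waitContainer blocks of this file.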
@@ -215,7 +217,9 @@ dataPlane:
enabled: true
seLinuxOptions: null
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
privileged: false
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
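Review bot: `runAsGroup: 1001` is a real hardening step rather than cosmetics, and the commit body could say why: `runAsNonRoot: true` validates only the UID, so when the image sets no GID the process keeps primary group 0 and anything group-writable by root remains writable to the "non-root" process; pinning the GID closes that gap and gives admission policies that check for GID 0 something to verify. Worth confirming in the chart's CI that the container's effective GID is 1001 and that the image's writable paths are accessible to that group, so the change does not surface as a permission error only at runtime.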
@@ -962,7 +966,9 @@ controlPlane:
## @param controlPlane.containerSecurityContext.enabled Enabled APISIX containers' Security Context
## @param controlPlane.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param controlPlane.containerSecurityContext.runAsUser Set APISIX containers' Security Context runAsUser
## @param controlPlane.containerSecurityContext.runAsGroup Set APISIX containers' Security Context runAsGroup
## @param controlPlane.containerSecurityContext.runAsNonRoot Set APISIX containers' Security Context runAsNonRoot
## @param controlPlane.containerSecurityContext.privileged Set APISIX containers' Security Context privileged
## @param controlPlane.containerSecurityContext.readOnlyRootFilesystem Set APISIX containers' Security Context runAsNonRoot
## @param controlPlane.containerSecurityContext.allowPrivilegeEscalation Set APISIX container's privilege escalation
## @param controlPlane.containerSecurityContext.capabilities.drop Set APISIX container's Security Context runAsNonRoot
@@ -972,7 +978,9 @@ controlPlane:
enabled: true
seLinuxOptions: null
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
privileged: false
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
@@ -2043,6 +2051,7 @@ dashboard:
## @param dashboard.containerSecurityContext.enabled Enabled Dashboard container' Security Context
## @param dashboard.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param dashboard.containerSecurityContext.runAsUser Set Dashboard container' Security Context runAsUser
## @param dashboard.containerSecurityContext.runAsGroup Set Dashboard container' Security Context runAsGroup
## @param dashboard.containerSecurityContext.runAsNonRoot Set Dashboard container' Security Context runAsNonRoot
## @param dashboard.containerSecurityContext.privileged Set Dashboard container' Security Context privileged
## @param dashboard.containerSecurityContext.readOnlyRootFilesystem Set Dashboard container' Security Context runAsNonRoot
@@ -2054,9 +2063,10 @@ dashboard:
enabled: true
seLinuxOptions: null
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
readOnlyRootFilesystem: true
privileged: false
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
@@ -2499,6 +2509,7 @@ ingressController:
## @param ingressController.containerSecurityContext.enabled Enabled APISIX Ingress Controller containers' Security Context
## @param ingressController.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param ingressController.containerSecurityContext.runAsUser Set APISIX Ingress Controller containers' Security Context runAsUser
## @param ingressController.containerSecurityContext.runAsGroup Set APISIX Ingress Controller containers' Security Context runAsGroup
## @param ingressController.containerSecurityContext.runAsNonRoot Set APISIX Ingress Controller containers' Security Context runAsNonRoot
## @param ingressController.containerSecurityContext.privileged Set APISIX Ingress Controller containers' Security Context privileged
## @param ingressController.containerSecurityContext.readOnlyRootFilesystem Set APISIX Ingress Controller containers' Security Context runAsNonRoot
@@ -2510,6 +2521,7 @@ ingressController:
enabled: true
seLinuxOptions: null
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
privileged: false
readOnlyRootFilesystem: true
@@ -3104,10 +3116,11 @@ waitContainer:
## @param waitContainer.containerSecurityContext.enabled Enabled APISIX containers' Security Context
## @param waitContainer.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param waitContainer.containerSecurityContext.runAsUser Set APISIX containers' Security Context runAsUser
## @param waitContainer.containerSecurityContext.runAsGroup Set APISIX containers' Security Context runAsGroup
## @param waitContainer.containerSecurityContext.runAsNonRoot Set APISIX containers' Security Context runAsNonRoot
## @param waitContainer.containerSecurityContext.privileged Set container's Security Context privileged
## @param waitContainer.containerSecurityContext.readOnlyRootFilesystem Set APISIX containers' Security Context runAsNonRoot
## @param waitContainer.containerSecurityContext.allowPrivilegeEscalation Set APISIX container's privilege escalation
## @param waitContainer.containerSecurityContext.privileged Set container's Security Context privileged
## @param waitContainer.containerSecurityContext.capabilities.drop Set APISIX container's Security Context runAsNonRoot
## @param waitContainer.containerSecurityContext.seccompProfile.type Set APISIX container's Security Context seccomp profile
##
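Review bot: moving `@param waitContainer.containerSecurityContext.privileged` below `allowPrivilegeEscalation` changes the generated README row order (the waitContainer table now lists `privileged` after `allowPrivilegeEscalation` while every other component lists it before `readOnlyRootFilesystem`), and the values keys in the next hunk keep the old order with `privileged` directly after `runAsNonRoot`; keep the `@param` order identical to the key order, or reorder the keys as well, so the README, the comments and the values agree.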
@@ -3115,6 +3128,7 @@ waitContainer:
enabled: true
seLinuxOptions: null
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
privileged: false
readOnlyRootFilesystem: true