From 1ff114100d2965daa20883a8bcd708ebccbe3fd7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javier=20J=2E=20Salmer=C3=B3n-Garc=C3=ADa?=
Date: Wed, 17 Jan 2024 17:33:48 +0100
Subject: [PATCH] [bitnami/harbor] fix: :lock: Improve podSecurityContext and containerSecurityContext with essential security fields (#22129)
* [bitnami/harbor] fix: :lock: Improve podSecurityContext and containerSecurityContext with essential security fields
Signed-off-by: Javier Salmeron Garcia
* chore: :wrench: Bump chart version
Signed-off-by: Javier Salmeron Garcia
---------
Signed-off-by: Javier Salmeron Garcia
---
bitnami/harbor/Chart.yaml | 2 +-
bitnami/harbor/README.md | 54 ++++++++++++++++++++++++++--------
bitnami/harbor/values.yaml | 60 ++++++++++++++++++++++++++++++++++++++
3 files changed, 103 insertions(+), 13 deletions(-)
diff --git a/bitnami/harbor/Chart.yaml b/bitnami/harbor/Chart.yaml
index a9c66e9e60..d9746e840f 100644
--- a/bitnami/harbor/Chart.yaml
+++ b/bitnami/harbor/Chart.yaml
@@ -55,4 +55,4 @@ maintainers:
 name: harbor
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/harbor
-version: 19.2.3
+version: 19.3.0
diff --git a/bitnami/harbor/README.md b/bitnami/harbor/README.md
index a951574a05..49e06dd28f 100644
--- a/bitnami/harbor/README.md
+++ b/bitnami/harbor/README.md
@@ -241,18 +241,19 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua ### Volume Permissions parameters -| Name | Description | Value | -| ------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------- | -------------------------- | -| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` | -| `volumePermissions.image.registry` | Init container volume-permissions image registry | `REGISTRY_NAME` | -| `volumePermissions.image.repository` | Init container volume-permissions image repository | `REPOSITORY_NAME/os-shell` | -| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | -| `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` | -| `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` | -| `volumePermissions.resources.requests` | Init container volume-permissions resource requests | `{}` | -| `volumePermissions.containerSecurityContext.enabled` | Enable init container Security Context | `true` | -| `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` | +| Name | Description | Value | +| ----------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | -------------------------- | +| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` | +| `volumePermissions.image.registry` | Init container 
volume-permissions image registry | `REGISTRY_NAME` | +| `volumePermissions.image.repository` | Init container volume-permissions image repository | `REPOSITORY_NAME/os-shell` | +| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | +| `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` | +| `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` | +| `volumePermissions.resources.requests` | Init container volume-permissions resource requests | `{}` | +| `volumePermissions.containerSecurityContext.enabled` | Enable init container Security Context | `true` | +| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` | ### NGINX Parameters 
@@ -300,8 +301,12 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua | `nginx.resources.limits` | The resources limits for the NGINX containers | `{}` | | `nginx.resources.requests` | The requested resources for the NGINX containers | `{}` | | `nginx.podSecurityContext.enabled` | Enabled NGINX pods' Security Context | `true` | +| `nginx.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `nginx.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `nginx.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `nginx.podSecurityContext.fsGroup` | Set NGINX pod's Security Context fsGroup | `1001` | | `nginx.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `nginx.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `nginx.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `nginx.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `nginx.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | 
@@ -373,8 +378,12 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua | `portal.resources.limits` | The resources limits for the Harbor Portal containers | `{}` | | `portal.resources.requests` | The requested resources for the Harbor Portal containers | `{}` | | `portal.podSecurityContext.enabled` | Enabled Harbor Portal pods' Security Context | `true` | +| `portal.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `portal.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `portal.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `portal.podSecurityContext.fsGroup` | Set Harbor Portal pod's Security Context fsGroup | `1001` | | `portal.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `portal.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `portal.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `portal.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `portal.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | 
@@ -462,8 +471,12 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua | `core.resources.limits` | The resources limits for the Harbor Core containers | `{}` | | `core.resources.requests` | The requested resources for the Harbor Core containers | `{}` | | `core.podSecurityContext.enabled` | Enabled Harbor Core pods' Security Context | `true` | +| `core.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `core.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `core.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `core.podSecurityContext.fsGroup` | Set Harbor Core pod's Security Context fsGroup | `1001` | | `core.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `core.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `core.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `core.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `core.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | 
@@ -545,8 +558,12 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua | `jobservice.resources.limits` | The resources limits for the Harbor Jobservice containers | `{}` | | `jobservice.resources.requests` | The requested resources for the Harbor Jobservice containers | `{}` | | `jobservice.podSecurityContext.enabled` | Enabled Harbor Jobservice pods' Security Context | `true` | +| `jobservice.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `jobservice.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `jobservice.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `jobservice.podSecurityContext.fsGroup` | Set Harbor Jobservice pod's Security Context fsGroup | `1001` | | `jobservice.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `jobservice.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `jobservice.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `jobservice.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `jobservice.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | 
@@ -599,6 +616,9 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua | `registry.tls.existingSecret` | Name of an existing secret with the certificates for internal TLS access | `""` | | `registry.replicaCount` | Number of Harbor Registry replicas | `1` | | `registry.podSecurityContext.enabled` | Enabled Harbor Registry pods' Security Context | `true` | +| `registry.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `registry.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `registry.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `registry.podSecurityContext.fsGroup` | Set Harbor Registry pod's Security Context fsGroup | `1001` | | `registry.updateStrategy.type` | Harbor Registry deployment strategy type - only really applicable for deployments with RWO PVs attached | `RollingUpdate` | | `registry.hostAliases` | Harbor Registry pods host aliases | `[]` | @@ -658,6 +678,7 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua | `registry.server.resources.limits` | The resources limits for the Harbor Registry main containers | `{}` | | `registry.server.resources.requests` | The requested resources for the Harbor Registry main containers | `{}` | | `registry.server.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `registry.server.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `registry.server.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `registry.server.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `registry.server.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | 
@@ -707,6 +728,7 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua | `registry.controller.resources.limits` | The resources limits for the Harbor Registryctl containers | `{}` | | `registry.controller.resources.requests` | The requested resources for the Harbor Registryctl containers | `{}` | | `registry.controller.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `registry.controller.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `registry.controller.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `registry.controller.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `registry.controller.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | 
@@ -771,8 +793,12 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua | `trivy.resources.limits` | The resources limits for the Trivy containers | `{}` | | `trivy.resources.requests` | The requested resources for the Trivy containers | `{}` | | `trivy.podSecurityContext.enabled` | Enabled Trivy pods' Security Context | `true` | +| `trivy.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `trivy.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `trivy.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `trivy.podSecurityContext.fsGroup` | Set Trivy pod's Security Context fsGroup | `1001` | | `trivy.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `trivy.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `trivy.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `trivy.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `trivy.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | 
@@ -845,8 +871,12 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua | `exporter.resources.limits` | The resources limits for the Harbor Exporter containers | `{}` | | `exporter.resources.requests` | The requested resources for the Harbor Exporter containers | `{}` | | `exporter.podSecurityContext.enabled` | Enabled Exporter pods' Security Context | `true` | +| `exporter.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `exporter.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `exporter.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `exporter.podSecurityContext.fsGroup` | Set Exporter pod's Security Context fsGroup | `1001` | | `exporter.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `exporter.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `exporter.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `exporter.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `exporter.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | diff --git a/bitnami/harbor/values.yaml b/bitnami/harbor/values.yaml index 3bd6ff2298..ddb610c8e1 100644 --- a/bitnami/harbor/values.yaml +++ b/bitnami/harbor/values.yaml 
@@ -620,10 +620,12 @@ volumePermissions:
 ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser
 ## and not the below volumePermissions.containerSecurityContext.runAsUser
 ## @param volumePermissions.containerSecurityContext.enabled Enable init container Security Context
+ ## @param volumePermissions.containerSecurityContext.seLinuxOptions Set SELinux options in container
 ## @param volumePermissions.containerSecurityContext.runAsUser User ID for the init container
 ##
 containerSecurityContext:
 enabled: true
+ seLinuxOptions: {}
 runAsUser: 0
 ## @section NGINX Parameters
@@ -771,14 +773,21 @@ nginx:
 ## Configure NGINX pods Security Context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
 ## @param nginx.podSecurityContext.enabled Enabled NGINX pods' Security Context
+ ## @param nginx.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+ ## @param nginx.podSecurityContext.sysctls Set kernel settings using the sysctl interface
+ ## @param nginx.podSecurityContext.supplementalGroups Set filesystem extra groups
 ## @param nginx.podSecurityContext.fsGroup Set NGINX pod's Security Context fsGroup
 ##
 podSecurityContext:
 enabled: true
+ fsGroupChangePolicy: Always
+ sysctls: []
+ supplementalGroups: []
 fsGroup: 1001
 ## Configure NGINX containers (only main one) Security Context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
 ## @param nginx.containerSecurityContext.enabled Enabled containers' Security Context
+ ## @param nginx.containerSecurityContext.seLinuxOptions Set SELinux options in container
 ## @param nginx.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
 ## @param nginx.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
 ## @param nginx.containerSecurityContext.privileged Set container's Security Context privileged
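Review bot: The new `seLinuxOptions`, `fsGroupChangePolicy`, `sysctls` and `supplementalGroups` keys are introduced only in values.yaml and the README; the diffstat lists no template change, so they only reach the rendered Pod spec if the templates already emit the whole `podSecurityContext`/`containerSecurityContext` map (for example via `omit ... "enabled" | toYaml`) rather than reading individual fields. That should be confirmed against the chart templates before release, because a documented key that is silently ignored gives operators a false sense of hardening. The same check applies to the nginx, portal, core, jobservice, registry, trivy and exporter hunks that follow. If the templates do pick fields one by one, the fix is a template change in the same commit, not a values-only addition.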
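Review bot: `sysctls: []` in the nginx podSecurityContext hunk is described only as "Set kernel settings using the sysctl interface", which hides that by default the kubelet admits only the safe sysctl set and that any unsafe sysctl must be on the node's `--allowed-unsafe-sysctls` allowlist, otherwise the pod is rejected at admission or fails to start. The baseline and restricted Pod Security Standards likewise restrict sysctls to the safe subset, so a value that works on one cluster may be refused on another. A one-line comment above the key would save that surprise: `## Only safe sysctls are admitted by default; unsafe ones require the kubelet --allowed-unsafe-sysctls allowlist and are rejected by the baseline/restricted Pod Security Standards`. The same key and description are added in the portal, core, jobservice, registry, trivy and exporter hunks below.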
@@ -789,6 +798,7 @@ nginx:
 ##
 containerSecurityContext:
 enabled: true
+ seLinuxOptions: {}
 runAsUser: 1001
 runAsNonRoot: true
 privileged: false
@@ -1032,14 +1042,21 @@ portal:
 ## Configure Harbor Portal pods Security Context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
 ## @param portal.podSecurityContext.enabled Enabled Harbor Portal pods' Security Context
+ ## @param portal.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+ ## @param portal.podSecurityContext.sysctls Set kernel settings using the sysctl interface
+ ## @param portal.podSecurityContext.supplementalGroups Set filesystem extra groups
 ## @param portal.podSecurityContext.fsGroup Set Harbor Portal pod's Security Context fsGroup
 ##
 podSecurityContext:
 enabled: true
+ fsGroupChangePolicy: Always
+ sysctls: []
+ supplementalGroups: []
 fsGroup: 1001
 ## Configure Harbor Portal containers (only main one) Security Context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
 ## @param portal.containerSecurityContext.enabled Enabled containers' Security Context
+ ## @param portal.containerSecurityContext.seLinuxOptions Set SELinux options in container
 ## @param portal.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
 ## @param portal.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
 ## @param portal.containerSecurityContext.privileged Set container's Security Context privileged
@@ -1050,6 +1067,7 @@ portal:
 ##
 containerSecurityContext:
 enabled: true
+ seLinuxOptions: {}
 runAsUser: 1001
 runAsNonRoot: true
 privileged: false
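Review bot: `seLinuxOptions: {}` in the nginx `@@ -789` containerSecurityContext hunk is documented only as "Set SELinux options in container", but the baseline and restricted Pod Security Standards allow only a small set of `type` values (such as `container_t`) and forbid setting `user` or `role`, so an operator who fills this in freely will hit an admission failure on a PSA-enforced namespace. A short comment next to the `@param` line would make the constraint visible: `## Baseline/restricted Pod Security Standards allow only a limited set of seLinuxOptions.type values and forbid user/role`. The same key is added without that note in the portal, core, jobservice, registry, trivy and exporter container hunks. The enclosing `containerSecurityContext:` map continues past the end of this hunk.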
@@ -1363,14 +1381,21 @@ core:
 ## Configure Harbor Core pods Security Context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
 ## @param core.podSecurityContext.enabled Enabled Harbor Core pods' Security Context
+ ## @param core.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+ ## @param core.podSecurityContext.sysctls Set kernel settings using the sysctl interface
+ ## @param core.podSecurityContext.supplementalGroups Set filesystem extra groups
 ## @param core.podSecurityContext.fsGroup Set Harbor Core pod's Security Context fsGroup
 ##
 podSecurityContext:
 enabled: true
+ fsGroupChangePolicy: Always
+ sysctls: []
+ supplementalGroups: []
 fsGroup: 1001
 ## Configure Harbor Core containers (only main one) Security Context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
 ## @param core.containerSecurityContext.enabled Enabled containers' Security Context
+ ## @param core.containerSecurityContext.seLinuxOptions Set SELinux options in container
 ## @param core.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
 ## @param core.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
 ## @param core.containerSecurityContext.privileged Set container's Security Context privileged
@@ -1381,6 +1406,7 @@ core:
 ##
 containerSecurityContext:
 enabled: true
+ seLinuxOptions: {}
 runAsUser: 1001
 runAsNonRoot: true
 privileged: false
@@ -1658,14 +1684,21 @@ jobservice:
 ## Configure Harbor Jobservice pods Security Context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
 ## @param jobservice.podSecurityContext.enabled Enabled Harbor Jobservice pods' Security Context
+ ## @param jobservice.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+ ## @param jobservice.podSecurityContext.sysctls Set kernel settings using the sysctl interface
+ ## @param jobservice.podSecurityContext.supplementalGroups Set filesystem extra groups
 ## @param jobservice.podSecurityContext.fsGroup Set Harbor Jobservice pod's Security Context fsGroup
 ##
 podSecurityContext:
 enabled: true
+ fsGroupChangePolicy: Always
+ sysctls: []
+ supplementalGroups: []
 fsGroup: 1001
 ## Configure Harbor Jobservice containers (only main one) Security Context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
 ## @param jobservice.containerSecurityContext.enabled Enabled containers' Security Context
+ ## @param jobservice.containerSecurityContext.seLinuxOptions Set SELinux options in container
 ## @param jobservice.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
 ## @param jobservice.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
 ## @param jobservice.containerSecurityContext.privileged Set container's Security Context privileged
@@ -1676,6 +1709,7 @@ jobservice:
 ##
 containerSecurityContext:
 enabled: true
+ seLinuxOptions: {}
 runAsUser: 1001
 runAsNonRoot: true
 privileged: false
@@ -1871,10 +1905,16 @@ registry:
 ## Configure Harbor Registry pods Security Context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
 ## @param registry.podSecurityContext.enabled Enabled Harbor Registry pods' Security Context
+ ## @param registry.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+ ## @param registry.podSecurityContext.sysctls Set kernel settings using the sysctl interface
+ ## @param registry.podSecurityContext.supplementalGroups Set filesystem extra groups
 ## @param registry.podSecurityContext.fsGroup Set Harbor Registry pod's Security Context fsGroup
 ##
 podSecurityContext:
 enabled: true
+ fsGroupChangePolicy: Always
+ sysctls: []
+ supplementalGroups: []
 fsGroup: 1001
 ## @param registry.updateStrategy.type Harbor Registry deployment strategy type - only really applicable for deployments with RWO PVs attached
 ## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the
@@ -2097,6 +2137,7 @@ registry:
 ## Configure Harbor Registry main containers (only main one) Security Context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
 ## @param registry.server.containerSecurityContext.enabled Enabled containers' Security Context
+ ## @param registry.server.containerSecurityContext.seLinuxOptions Set SELinux options in container
 ## @param registry.server.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
 ## @param registry.server.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
 ## @param registry.server.containerSecurityContext.privileged Set container's Security Context privileged
@@ -2107,6 +2148,7 @@ registry:
 ##
 containerSecurityContext:
 enabled: true
+ seLinuxOptions: {}
 runAsUser: 1001
 runAsNonRoot: true
 privileged: false
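Review bot: `fsGroupChangePolicy: Always` in the registry podSecurityContext hunk tells the kubelet to recursively re-own and re-permission the whole volume on every mount, which on a registry data volume holding many image layers can add minutes to pod start-up and, with a single RWO replica (see the `registry.updateStrategy.type` context line), extends the window in which the registry is unavailable during an update. Because `Always` is also the Kubernetes default, the explicit value preserves current behaviour, so this is a documentation point rather than a defect. A comment steering operators with large volumes to the alternative would help: `## Consider OnRootMismatch to skip the recursive chown of large registry volumes on each mount`. The trivy hunk below has the same trade-off for its cache volume.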
@@ -2252,6 +2294,7 @@ registry:
 ## Configure Harbor Registryctl containers (only main one) Security Context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
 ## @param registry.controller.containerSecurityContext.enabled Enabled containers' Security Context
+ ## @param registry.controller.containerSecurityContext.seLinuxOptions Set SELinux options in container
 ## @param registry.controller.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
 ## @param registry.controller.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
 ## @param registry.controller.containerSecurityContext.privileged Set container's Security Context privileged
@@ -2262,6 +2305,7 @@ registry:
 ##
 containerSecurityContext:
 enabled: true
+ seLinuxOptions: {}
 runAsUser: 1001
 runAsNonRoot: true
 privileged: false
@@ -2466,14 +2510,21 @@ trivy:
 ## Configure Trivy pods Security Context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
 ## @param trivy.podSecurityContext.enabled Enabled Trivy pods' Security Context
+ ## @param trivy.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+ ## @param trivy.podSecurityContext.sysctls Set kernel settings using the sysctl interface
+ ## @param trivy.podSecurityContext.supplementalGroups Set filesystem extra groups
 ## @param trivy.podSecurityContext.fsGroup Set Trivy pod's Security Context fsGroup
 ##
 podSecurityContext:
 enabled: true
+ fsGroupChangePolicy: Always
+ sysctls: []
+ supplementalGroups: []
 fsGroup: 1001
 ## Configure Trivy containers (only main one) Security Context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
 ## @param trivy.containerSecurityContext.enabled Enabled containers' Security Context
+ ## @param trivy.containerSecurityContext.seLinuxOptions Set SELinux options in container
 ## @param trivy.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
 ## @param trivy.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
 ## @param trivy.containerSecurityContext.privileged Set container's Security Context privileged
@@ -2484,6 +2535,7 @@ trivy:
 ##
 containerSecurityContext:
 enabled: true
+ seLinuxOptions: {}
 runAsUser: 1001
 runAsNonRoot: true
 privileged: false
@@ -2733,14 +2785,21 @@ exporter:
 ## Configure Exporter pods Security Context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
 ## @param exporter.podSecurityContext.enabled Enabled Exporter pods' Security Context
+ ## @param exporter.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+ ## @param exporter.podSecurityContext.sysctls Set kernel settings using the sysctl interface
+ ## @param exporter.podSecurityContext.supplementalGroups Set filesystem extra groups
 ## @param exporter.podSecurityContext.fsGroup Set Exporter pod's Security Context fsGroup
 ##
 podSecurityContext:
 enabled: true
+ fsGroupChangePolicy: Always
+ sysctls: []
+ supplementalGroups: []
 fsGroup: 1001
 ## Configure Exporter containers (only main one) Security Context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
 ## @param exporter.containerSecurityContext.enabled Enabled containers' Security Context
+ ## @param exporter.containerSecurityContext.seLinuxOptions Set SELinux options in container
 ## @param exporter.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
 ## @param exporter.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
 ## @param exporter.containerSecurityContext.privileged Set container's Security Context privileged
@@ -2751,6 +2810,7 @@ exporter:
 ##
 containerSecurityContext:
 enabled: true
+ seLinuxOptions: {}
 runAsUser: 1001
 runAsNonRoot: true
 privileged: false