[bitnami/mongodb] fix: 🔒 Improve podSecurityContext and containerSecurityContext with essential security fields (#22159)

* [bitnami/mongodb] fix: 🔒 Improve podSecurityContext and containerSecurityContext with essential security fields

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* chore: 🔧 Bump chart version

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* fix: 🐛 Remove extra parameter

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

---------

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
This commit is contained in:
Javier J. Salmerón-García
2024-01-17 17:33:20 +01:00
committed by GitHub
parent fe72f51910
commit 29831ee42d
3 changed files with 45 additions and 12 deletions


@@ -39,4 +39,4 @@ maintainers:
name: mongodb
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/mongodb
version: 14.5.1
version: 14.6.0
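Review bot: a minor bump to 14.6.0 is the right level for this change, since every parameter the diff introduces ships with a default that reproduces the previous behaviour (`fsGroupChangePolicy: Always` and `supplementalGroups: []` are the Kubernetes defaults, and `seLinuxOptions: {}` sets nothing), so existing installs upgrade without a behavioural change.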


@@ -189,9 +189,12 @@ Refer to the [chart documentation for more information on each of these architec
| `priorityClassName` | Name of the existing priority class to be used by MongoDB(&reg;) pod(s) | `""` |
| `runtimeClassName` | Name of the runtime class to be used by MongoDB(&reg;) pod(s) | `""` |
| `podSecurityContext.enabled` | Enable MongoDB(&reg;) pod(s)' Security Context | `true` |
| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `podSecurityContext.fsGroup` | Group ID for the volumes of the MongoDB(&reg;) pod(s) | `1001` |
| `podSecurityContext.sysctls` | sysctl settings of the MongoDB(&reg;) pod(s)' | `[]` |
| `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
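Review bot: the description `Set filesystem extra groups` for `podSecurityContext.supplementalGroups` is misleading; supplemental groups are additional group IDs applied to the container processes, not a filesystem setting, so something like `Additional group IDs granted to the pod's processes` reads better. The `fsGroupChangePolicy` row would also benefit from naming the accepted values (`Always`, `OnRootMismatch`), because `OnRootMismatch` is what operators reach for when the recursive `fsGroup` ownership change on a large data volume slows pod startup. The same wording is repeated in the arbiter and hidden tables below and in the matching `@param` comments in values.yaml.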
@@ -339,6 +342,7 @@ Refer to the [chart documentation for more information on each of these architec
| `backup.cronjob.ttlSecondsAfterFinished` | Set the cronjob parameter ttlSecondsAfterFinished | `""` |
| `backup.cronjob.restartPolicy` | Set the cronjob parameter restartPolicy | `OnFailure` |
| `backup.cronjob.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `backup.cronjob.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `backup.cronjob.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `backup.cronjob.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `backup.cronjob.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
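Review bot: only `seLinuxOptions` is added for the backup cronjob container, while the main, arbiter and hidden pods also gain `fsGroupChangePolicy` and `supplementalGroups` at pod level; if the cronjob carries its own pod-level security context, it is worth confirming that leaving those two fields out of it is intentional rather than an omission.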
@@ -376,17 +380,18 @@ Refer to the [chart documentation for more information on each of these architec
### Volume Permissions parameters
| Name | Description | Value |
| --------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | -------------------------- |
| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` | `false` |
| `volumePermissions.image.registry` | Init container volume-permissions image registry | `REGISTRY_NAME` |
| `volumePermissions.image.repository` | Init container volume-permissions image repository | `REPOSITORY_NAME/os-shell` |
| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` |
| `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
| `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` |
| `volumePermissions.resources.requests` | Init container volume-permissions resource requests | `{}` |
| `volumePermissions.securityContext.runAsUser` | User ID for the volumePermissions container | `0` |
| Name | Description | Value |
| -------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | -------------------------- |
| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` | `false` |
| `volumePermissions.image.registry` | Init container volume-permissions image registry | `REGISTRY_NAME` |
| `volumePermissions.image.repository` | Init container volume-permissions image repository | `REPOSITORY_NAME/os-shell` |
| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` |
| `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
| `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` |
| `volumePermissions.resources.requests` | Init container volume-permissions resource requests | `{}` |
| `volumePermissions.securityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `volumePermissions.securityContext.runAsUser` | User ID for the volumePermissions container | `0` |
### Arbiter parameters
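Review bot: the only substantive change in this hunk is the new `volumePermissions.securityContext.seLinuxOptions` row; the remaining rows are re-emitted because readme-generator widened the first column to fit the longer key, so the apparent rewrite of the whole table carries no content change. Since this init container runs with `runAsUser: 0`, the SELinux label it receives is the one to check on enforcing nodes; the `{}` default sets nothing, so the container runtime's default label continues to apply.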
@@ -423,9 +428,12 @@ Refer to the [chart documentation for more information on each of these architec
| `arbiter.priorityClassName` | Name of the existing priority class to be used by Arbiter pod(s) | `""` |
| `arbiter.runtimeClassName` | Name of the runtime class to be used by Arbiter pod(s) | `""` |
| `arbiter.podSecurityContext.enabled` | Enable Arbiter pod(s)' Security Context | `true` |
| `arbiter.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `arbiter.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `arbiter.podSecurityContext.fsGroup` | Group ID for the volumes of the Arbiter pod(s) | `1001` |
| `arbiter.podSecurityContext.sysctls` | sysctl settings of the Arbiter pod(s)' | `[]` |
| `arbiter.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `arbiter.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `arbiter.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `arbiter.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `arbiter.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
@@ -506,9 +514,12 @@ Refer to the [chart documentation for more information on each of these architec
| `hidden.priorityClassName` | Name of the existing priority class to be used by hidden node pod(s) | `""` |
| `hidden.runtimeClassName` | Name of the runtime class to be used by hidden node pod(s) | `""` |
| `hidden.podSecurityContext.enabled` | Enable Hidden pod(s)' Security Context | `true` |
| `hidden.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `hidden.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `hidden.podSecurityContext.fsGroup` | Group ID for the volumes of the Hidden pod(s) | `1001` |
| `hidden.podSecurityContext.sysctls` | sysctl settings of the Hidden pod(s)' | `[]` |
| `hidden.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `hidden.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `hidden.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `hidden.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `hidden.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |


@@ -535,11 +535,15 @@ runtimeClassName: ""
## MongoDB(&reg;) pods' Security Context.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param podSecurityContext.enabled Enable MongoDB(&reg;) pod(s)' Security Context
## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
## @param podSecurityContext.supplementalGroups Set filesystem extra groups
## @param podSecurityContext.fsGroup Group ID for the volumes of the MongoDB(&reg;) pod(s)
## @param podSecurityContext.sysctls sysctl settings of the MongoDB(&reg;) pod(s)'
##
podSecurityContext:
enabled: true
fsGroupChangePolicy: Always
supplementalGroups: []
fsGroup: 1001
## sysctl settings
## Example:
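Review bot: this commit touches only the chart metadata, the README and values.yaml (three changed files), so the new `fsGroupChangePolicy` and `supplementalGroups` keys take effect only if the templates already render the whole `podSecurityContext` map (for example via `toYaml` after dropping `enabled`) rather than picking out individual fields; if the templates enumerate fields, a template change is missing and these values would be silently ignored. Rendering the chart with `helm template` and checking that the StatefulSet spec carries both keys would settle it.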
@@ -551,6 +555,7 @@ podSecurityContext:
## MongoDB(&reg;) containers' Security Context (main and metrics container).
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param containerSecurityContext.enabled Enabled containers' Security Context
## @param containerSecurityContext.seLinuxOptions Set SELinux options in container
## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param containerSecurityContext.privileged Set container's Security Context privileged
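Review bot: the commit title promises essential security fields, but the only container-level addition is `seLinuxOptions`, which is inert unless the node runs SELinux. The hardening fields that matter on every node, `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem`, `capabilities.drop: [ALL]` and a `seccompProfile`, are not visible in the context shown; if they are not already declared below `privileged`, they are the additions that would actually move the chart toward the restricted Pod Security Standard.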
@@ -561,6 +566,7 @@ podSecurityContext:
##
containerSecurityContext:
enabled: true
seLinuxOptions: {}
runAsUser: 1001
runAsNonRoot: true
privileged: false
@@ -1185,6 +1191,7 @@ backup:
## backup container's Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param backup.cronjob.containerSecurityContext.enabled Enabled containers' Security Context
## @param backup.cronjob.containerSecurityContext.seLinuxOptions Set SELinux options in container
## @param backup.cronjob.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param backup.cronjob.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param backup.cronjob.containerSecurityContext.privileged Set container's Security Context privileged
@@ -1195,6 +1202,7 @@ backup:
##
containerSecurityContext:
enabled: true
seLinuxOptions: {}
runAsUser: 1001
runAsNonRoot: true
privileged: false
@@ -1418,9 +1426,11 @@ volumePermissions:
## "auto" is especially useful for OpenShift which has scc with dynamic userids (and 0 is not allowed).
## You may want to use this volumePermissions.securityContext.runAsUser="auto" in combination with
## podSecurityContext.enabled=false,containerSecurityContext.enabled=false and shmVolume.chmod.enabled=false
## @param volumePermissions.securityContext.seLinuxOptions Set SELinux options in container
## @param volumePermissions.securityContext.runAsUser User ID for the volumePermissions container
##
securityContext:
seLinuxOptions: {}
runAsUser: 0
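Review bot: naming is inconsistent here: the volume-permissions init container exposes its SELinux options under `volumePermissions.securityContext`, whereas every other container in the diff uses `containerSecurityContext`. That is pre-existing, but the new key makes the mismatch more visible, and the comment directly above about `runAsUser="auto"` applies to `runAsUser` only, so a short note on whether `seLinuxOptions` is still applied in that mode would help operators on OpenShift.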
## @section Arbiter parameters
@@ -1561,11 +1571,15 @@ arbiter:
## MongoDB(&reg;) Arbiter pods' Security Context.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param arbiter.podSecurityContext.enabled Enable Arbiter pod(s)' Security Context
## @param arbiter.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
## @param arbiter.podSecurityContext.supplementalGroups Set filesystem extra groups
## @param arbiter.podSecurityContext.fsGroup Group ID for the volumes of the Arbiter pod(s)
## @param arbiter.podSecurityContext.sysctls sysctl settings of the Arbiter pod(s)'
##
podSecurityContext:
enabled: true
fsGroupChangePolicy: Always
supplementalGroups: []
fsGroup: 1001
## sysctl settings
## Example:
@@ -1577,6 +1591,7 @@ arbiter:
## MongoDB(&reg;) Arbiter containers' Security Context (only main container).
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param arbiter.containerSecurityContext.enabled Enabled containers' Security Context
## @param arbiter.containerSecurityContext.seLinuxOptions Set SELinux options in container
## @param arbiter.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param arbiter.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param arbiter.containerSecurityContext.privileged Set container's Security Context privileged
@@ -1587,6 +1602,7 @@ arbiter:
##
containerSecurityContext:
enabled: true
seLinuxOptions: {}
runAsUser: 1001
runAsNonRoot: true
privileged: false
@@ -1896,11 +1912,15 @@ hidden:
## MongoDB(&reg;) Hidden pods' Security Context.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param hidden.podSecurityContext.enabled Enable Hidden pod(s)' Security Context
## @param hidden.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
## @param hidden.podSecurityContext.supplementalGroups Set filesystem extra groups
## @param hidden.podSecurityContext.fsGroup Group ID for the volumes of the Hidden pod(s)
## @param hidden.podSecurityContext.sysctls sysctl settings of the Hidden pod(s)'
##
podSecurityContext:
enabled: true
fsGroupChangePolicy: Always
supplementalGroups: []
fsGroup: 1001
## sysctl settings
## Example:
@@ -1912,6 +1932,7 @@ hidden:
## MongoDB(&reg;) Hidden containers' Security Context (only main container).
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param hidden.containerSecurityContext.enabled Enabled containers' Security Context
## @param hidden.containerSecurityContext.seLinuxOptions Set SELinux options in container
## @param hidden.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param hidden.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param hidden.containerSecurityContext.privileged Set container's Security Context privileged
@@ -1922,6 +1943,7 @@ hidden:
##
containerSecurityContext:
enabled: true
seLinuxOptions: {}
runAsUser: 1001
runAsNonRoot: true
privileged: false