fix: Align sealed-secrets security context to the pod security standards (#13104)

This aligns the sealed-secrets pod with the pod security standards @ https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted

Signed-off-by: Mike Bryant <mike.bryant@mettle.co.uk>

This commit is contained in:
Mike Bryant
2022-10-26 12:39:17 +01:00
committed by GitHub
parent f3eb41dabc
commit 301cd2706b
3 changed files with 83 additions and 67 deletions

@@ -23,4 +23,4 @@ name: sealed-secrets
sources:
- https://github.com/bitnami/containers/tree/main/bitnami/sealed-secrets
- https://github.com/bitnami-labs/sealed-secrets
version: 1.1.7
version: 1.1.8
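Review bot: The bump from `version: 1.1.7` to `version: 1.1.8` is a patch release for a change that alters the chart's default `podSecurityContext` and `containerSecurityContext` (seccomp profile, `capabilities.drop: [ALL]`, `allowPrivilegeEscalation: false`), which every existing installation will pick up on its next upgrade; consider whether a minor bump plus an upgrade note signals that better, since the `securityContext.seccompProfile` field only exists on Kubernetes 1.19 and later and a cluster whose runtime does not honour `RuntimeDefault` will behave differently from before.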

@@ -77,72 +77,76 @@ The command removes all the Kubernetes components associated with the chart and
### Sealed Secrets Parameters
| Name | Description | Value |
| ------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | ------------------------ |
| `image.registry` | Sealed Secrets image registry | `docker.io` |
| `image.repository` | Sealed Secrets image repository | `bitnami/sealed-secrets` |
| `image.tag` | Sealed Secrets image tag (immutable tags are recommended) | `0.19.1-scratch-r0` |
| `image.digest` | Sealed Secrets image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `image.pullPolicy` | Sealed Secrets image pull policy | `IfNotPresent` |
| `image.pullSecrets` | Sealed Secrets image pull secrets | `[]` |
| `image.debug` | Enable Sealed Secrets image debug mode | `false` |
| `command` | Override default container command (useful when using custom images) | `[]` |
| `commandArgs` | Additional args (doesn't override the default ones) | `[]` |
| `args` | Override default container args (useful when using custom images) | `[]` |
| `containerPorts.http` | Controller HTTP container port to open | `8080` |
| `resources.limits` | The resources limits for the Sealed Secret containers | `{}` |
| `resources.requests` | The requested resources for the Sealed Secret containers | `{}` |
| `livenessProbe.enabled` | Enable livenessProbe on Sealed Secret containers | `true` |
| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` |
| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` |
| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` |
| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `readinessProbe.enabled` | Enable readinessProbe on Sealed Secret containers | `true` |
| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` |
| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `startupProbe.enabled` | Enable startupProbe on Sealed Secret containers | `false` |
| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` |
| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` |
| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
| `customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
| `customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
| `customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `podSecurityContext.enabled` | Enabled Sealed Secret pods' Security Context | `true` |
| `podSecurityContext.fsGroup` | Set Sealed Secret pod's Security Context fsGroup | `1001` |
| `containerSecurityContext.enabled` | Enabled Sealed Secret containers' Security Context | `true` |
| `containerSecurityContext.readOnlyRootFilesystem` | Whether the Sealed Secret container has a read-only root filesystem | `true` |
| `containerSecurityContext.runAsNonRoot` | Indicates that the Sealed Secret container must run as a non-root user | `true` |
| `containerSecurityContext.runAsUser` | Set Sealed Secret containers' Security Context runAsUser | `1001` |
| `hostAliases` | Sealed Secret pods host aliases | `[]` |
| `podLabels` | Extra labels for Sealed Secret pods | `{}` |
| `podAnnotations` | Annotations for Sealed Secret pods | `{}` |
| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set | `""` |
| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set | `[]` |
| `affinity` | Affinity for Sealed Secret pods assignment | `{}` |
| `nodeSelector` | Node labels for Sealed Secret pods assignment | `{}` |
| `tolerations` | Tolerations for Sealed Secret pods assignment | `[]` |
| `updateStrategy.type` | Sealed Secret statefulset strategy type | `RollingUpdate` |
| `priorityClassName` | Sealed Secret pods' priorityClassName | `""` |
| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` |
| `schedulerName` | Name of the k8s scheduler (other than default) for Sealed Secret pods | `""` |
| `terminationGracePeriodSeconds` | Seconds Redmine pod needs to terminate gracefully | `""` |
| `lifecycleHooks` | for the Sealed Secret container(s) to automate configuration before or after startup | `{}` |
| `extraEnvVars` | Array with extra environment variables to add to Sealed Secret nodes | `[]` |
| `extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Sealed Secret nodes | `""` |
| `extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Sealed Secret nodes | `""` |
| `extraVolumes` | Optionally specify extra list of additional volumes for the Sealed Secret pod(s) | `[]` |
| `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Sealed Secret container(s) | `[]` |
| `sidecars` | Add additional sidecar containers to the Sealed Secret pod(s) | `{}` |
| `initContainers` | Add additional init containers to the Sealed Secret pod(s) | `{}` |
| Name | Description | Value |
| --------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | ------------------------ |
| `image.registry` | Sealed Secrets image registry | `docker.io` |
| `image.repository` | Sealed Secrets image repository | `bitnami/sealed-secrets` |
| `image.tag` | Sealed Secrets image tag (immutable tags are recommended) | `0.19.1-scratch-r0` |
| `image.digest` | Sealed Secrets image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `image.pullPolicy` | Sealed Secrets image pull policy | `IfNotPresent` |
| `image.pullSecrets` | Sealed Secrets image pull secrets | `[]` |
| `image.debug` | Enable Sealed Secrets image debug mode | `false` |
| `command` | Override default container command (useful when using custom images) | `[]` |
| `commandArgs` | Additional args (doesn't override the default ones) | `[]` |
| `args` | Override default container args (useful when using custom images) | `[]` |
| `containerPorts.http` | Controller HTTP container port to open | `8080` |
| `resources.limits` | The resources limits for the Sealed Secret containers | `{}` |
| `resources.requests` | The requested resources for the Sealed Secret containers | `{}` |
| `livenessProbe.enabled` | Enable livenessProbe on Sealed Secret containers | `true` |
| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` |
| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` |
| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` |
| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `readinessProbe.enabled` | Enable readinessProbe on Sealed Secret containers | `true` |
| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` |
| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `startupProbe.enabled` | Enable startupProbe on Sealed Secret containers | `false` |
| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` |
| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` |
| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
| `customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
| `customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
| `customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `podSecurityContext.enabled` | Enabled Sealed Secret pods' Security Context | `true` |
| `podSecurityContext.fsGroup` | Set Sealed Secret pod's Security Context fsGroup | `1001` |
| `podSecurityContext.seccompProfile.type` | Set Sealed Secret pod's Security Context seccompProfile type | `RuntimeDefault` |
| `containerSecurityContext.enabled` | Enabled Sealed Secret containers' Security Context | `true` |
| `containerSecurityContext.allowPrivilegeEscalation` | Whether the Sealed Secret container can escalate privileges | `false` |
| `containerSecurityContext.capabilities.drop` | Which privileges to drop in the Sealed Secret container | `["ALL"]` |
| `containerSecurityContext.readOnlyRootFilesystem` | Whether the Sealed Secret container has a read-only root filesystem | `true` |
| `containerSecurityContext.runAsNonRoot` | Indicates that the Sealed Secret container must run as a non-root user | `true` |
| `containerSecurityContext.runAsUser` | Set Sealed Secret containers' Security Context runAsUser | `1001` |
| `containerSecurityContext.seccompProfile.type` | Set Sealed Secret container's Security Context seccompProfile type | `RuntimeDefault` |
| `hostAliases` | Sealed Secret pods host aliases | `[]` |
| `podLabels` | Extra labels for Sealed Secret pods | `{}` |
| `podAnnotations` | Annotations for Sealed Secret pods | `{}` |
| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set | `""` |
| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set | `[]` |
| `affinity` | Affinity for Sealed Secret pods assignment | `{}` |
| `nodeSelector` | Node labels for Sealed Secret pods assignment | `{}` |
| `tolerations` | Tolerations for Sealed Secret pods assignment | `[]` |
| `updateStrategy.type` | Sealed Secret statefulset strategy type | `RollingUpdate` |
| `priorityClassName` | Sealed Secret pods' priorityClassName | `""` |
| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` |
| `schedulerName` | Name of the k8s scheduler (other than default) for Sealed Secret pods | `""` |
| `terminationGracePeriodSeconds` | Seconds Redmine pod needs to terminate gracefully | `""` |
| `lifecycleHooks` | for the Sealed Secret container(s) to automate configuration before or after startup | `{}` |
| `extraEnvVars` | Array with extra environment variables to add to Sealed Secret nodes | `[]` |
| `extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Sealed Secret nodes | `""` |
| `extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Sealed Secret nodes | `""` |
| `extraVolumes` | Optionally specify extra list of additional volumes for the Sealed Secret pod(s) | `[]` |
| `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Sealed Secret container(s) | `[]` |
| `sidecars` | Add additional sidecar containers to the Sealed Secret pod(s) | `{}` |
| `initContainers` | Add additional init containers to the Sealed Secret pod(s) | `{}` |
### Traffic Exposure Parameters
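Review bot: The new `containerSecurityContext.capabilities.drop` row describes "Which privileges to drop in the Sealed Secret container", but the value is a list of Linux capabilities, so "Which Linux capabilities to drop" would be more precise; this table is generated from the `@param` comments in values.yaml, so the wording should be changed there and the README regenerated. While this table is being regenerated, `terminationGracePeriodSeconds` still reads "Seconds Redmine pod needs to terminate gracefully", a copy-paste leftover from another chart that should refer to the Sealed Secrets pod.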

@@ -157,22 +157,34 @@ customStartupProbe: {}
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param podSecurityContext.enabled Enabled Sealed Secret pods' Security Context
## @param podSecurityContext.fsGroup Set Sealed Secret pod's Security Context fsGroup
## @param podSecurityContext.seccompProfile.type Set Sealed Secret pod's Security Context seccompProfile type
##
podSecurityContext:
enabled: true
fsGroup: 1001
seccompProfile:
type: RuntimeDefault
## Configure Container Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param containerSecurityContext.enabled Enabled Sealed Secret containers' Security Context
## @param containerSecurityContext.allowPrivilegeEscalation Whether the Sealed Secret container can escalate privileges
## @param containerSecurityContext.capabilities.drop Which privileges to drop in the Sealed Secret container
## @param containerSecurityContext.readOnlyRootFilesystem Whether the Sealed Secret container has a read-only root filesystem
## @param containerSecurityContext.runAsNonRoot Indicates that the Sealed Secret container must run as a non-root user
## @param containerSecurityContext.runAsUser Set Sealed Secret containers' Security Context runAsUser
## @param containerSecurityContext.seccompProfile.type Set Sealed Secret container's Security Context seccompProfile type
##
containerSecurityContext:
enabled: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1001
seccompProfile:
type: RuntimeDefault
## @param hostAliases [array] Sealed Secret pods host aliases
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
##
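Review bot: Nothing in this change touches the Deployment template (only Chart.yaml, README.md and values.yaml are modified), so the new `seccompProfile`, `allowPrivilegeEscalation` and `capabilities.drop` keys only reach the rendered pod if the template emits the whole map (for example via `toYaml (omit .Values.containerSecurityContext "enabled")`) rather than referencing `runAsUser`, `runAsNonRoot` and `readOnlyRootFilesystem` individually; please confirm with `helm template` that the rendered Deployment carries all of them, because the restricted profile rejects the pod if any one field is missing. Two smaller points: the `ref:` under `## Configure Container Security Context` links to the `#set-the-security-context-for-a-pod` anchor, whereas `#set-the-security-context-for-a-container` is the matching section; and setting `seccompProfile` at both pod and container level is redundant (the container-level value takes precedence for that container), which is harmless but worth a comment so that a user overriding only `podSecurityContext.seccompProfile.type` is not surprised when it has no effect.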