Bitnami/charts
2
0
Fork 0
mirror of https://github.com/bitnami/charts.git synced 2026-03-06 06:58:50 +08:00
Code Issues Packages Projects Releases Wiki Activity

[bitnami/grafana-mimir] fix: 🔒 Improve podSecurityContext and containerSecurityContext with essential security fields (#22125)

Browse Source 
* [bitnami/grafana-mimir] fix: 🔒 Improve podSecurityContext and containerSecurityContext with essential security fields

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* chore: 🔧 Bump chart version

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

---------

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
This commit is contained in:
Javier J. Salmerón-García
2024-01-16 15:48:03 +01:00
committed by GitHub
parent fd003d018c
commit 368af3d48f
3 changed files with 146 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
bitnami/grafana-mimir/Chart.yaml
View File

@@ -59,4 +59,4 @@ maintainers:
name: grafana-mimir
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/grafana-mimir
version: 0.7.12
version: 0.8.0

65
bitnami/grafana-mimir/README.md
View File

@@ -142,8 +142,12 @@ The command removes all the Kubernetes components associated with the chart and
| `alertmanager.resources.limits` | The resources limits for the alertmanager containers | `{}` |
| `alertmanager.resources.requests` | The requested resources for the alertmanager containers | `{}` |
| `alertmanager.podSecurityContext.enabled` | Enabled Alertmanager pods' Security Context | `true` |
| `alertmanager.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `alertmanager.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
| `alertmanager.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `alertmanager.podSecurityContext.fsGroup` | Set Alertmanager pod's Security Context fsGroup | `1001` |
| `alertmanager.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `alertmanager.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `alertmanager.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `alertmanager.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `alertmanager.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
@@ -241,8 +245,12 @@ The command removes all the Kubernetes components associated with the chart and
| `compactor.resources.limits` | The resources limits for the compactor containers | `{}` |
| `compactor.resources.requests` | The requested resources for the compactor containers | `{}` |
| `compactor.podSecurityContext.enabled` | Enabled Compactor pods' Security Context | `true` |
| `compactor.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `compactor.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
| `compactor.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `compactor.podSecurityContext.fsGroup` | Set Compactor pod's Security Context fsGroup | `1001` |
| `compactor.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `compactor.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `compactor.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `compactor.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `compactor.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
@@ -336,8 +344,12 @@ The command removes all the Kubernetes components associated with the chart and
| `distributor.resources.limits` | The resources limits for the distributor containers | `{}` |
| `distributor.resources.requests` | The requested resources for the distributor containers | `{}` |
| `distributor.podSecurityContext.enabled` | Enabled Distributor pods' Security Context | `true` |
| `distributor.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `distributor.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
| `distributor.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `distributor.podSecurityContext.fsGroup` | Set Distributor pod's Security Context fsGroup | `1001` |
| `distributor.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `distributor.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `distributor.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `distributor.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `distributor.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
@@ -437,8 +449,12 @@ The command removes all the Kubernetes components associated with the chart and
| `gateway.resources.limits` | The resources limits for the gateway containers | `{}` |
| `gateway.resources.requests` | The requested resources for the gateway containers | `{}` |
| `gateway.podSecurityContext.enabled` | Enabled Gateway pods' Security Context | `true` |
| `gateway.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `gateway.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
| `gateway.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `gateway.podSecurityContext.fsGroup` | Set Gateway pod's Security Context fsGroup | `1001` |
| `gateway.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `gateway.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `gateway.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `gateway.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `gateway.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
@@ -536,8 +552,12 @@ The command removes all the Kubernetes components associated with the chart and
| `ingester.resources.limits` | The resources limits for the ingester containers | `{}` |
| `ingester.resources.requests` | The requested resources for the ingester containers | `{}` |
| `ingester.podSecurityContext.enabled` | Enabled Ingester pods' Security Context | `true` |
| `ingester.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `ingester.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
| `ingester.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `ingester.podSecurityContext.fsGroup` | Set Ingester pod's Security Context fsGroup | `1001` |
| `ingester.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `ingester.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `ingester.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `ingester.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `ingester.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
@@ -628,8 +648,12 @@ The command removes all the Kubernetes components associated with the chart and
| `overridesExporter.resources.limits` | The resources limits for the overrides-exporter containers | `{}` |
| `overridesExporter.resources.requests` | The requested resources for the overrides-exporter containers | `{}` |
| `overridesExporter.podSecurityContext.enabled` | Enabled Overrides Exporter pods' Security Context | `true` |
| `overridesExporter.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `overridesExporter.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
| `overridesExporter.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `overridesExporter.podSecurityContext.fsGroup` | Set Overrides Exporter pod's Security Context fsGroup | `1001` |
| `overridesExporter.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `overridesExporter.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `overridesExporter.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `overridesExporter.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `overridesExporter.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
@@ -717,8 +741,12 @@ The command removes all the Kubernetes components associated with the chart and
| `querier.resources.limits` | The resources limits for the querier containers | `{}` |
| `querier.resources.requests` | The requested resources for the querier containers | `{}` |
| `querier.podSecurityContext.enabled` | Enabled Querier pods' Security Context | `true` |
| `querier.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `querier.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
| `querier.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `querier.podSecurityContext.fsGroup` | Set Querier pod's Security Context fsGroup | `1001` |
| `querier.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `querier.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `querier.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `querier.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `querier.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
@@ -806,8 +834,12 @@ The command removes all the Kubernetes components associated with the chart and
| `queryFrontend.resources.limits` | The resources limits for the ingester containers | `{}` |
| `queryFrontend.resources.requests` | The requested resources for the ingester containers | `{}` |
| `queryFrontend.podSecurityContext.enabled` | Enabled Query Frontend pods' Security Context | `true` |
| `queryFrontend.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `queryFrontend.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
| `queryFrontend.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `queryFrontend.podSecurityContext.fsGroup` | Set Query Frontend pod's Security Context fsGroup | `1001` |
| `queryFrontend.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `queryFrontend.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `queryFrontend.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `queryFrontend.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `queryFrontend.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
@@ -891,8 +923,12 @@ The command removes all the Kubernetes components associated with the chart and
| `queryScheduler.resources.limits` | The resources limits for the query-scheduler containers | `{}` |
| `queryScheduler.resources.requests` | The requested resources for the query-scheduler containers | `{}` |
| `queryScheduler.podSecurityContext.enabled` | Enabled Query Scheduler pods' Security Context | `true` |
| `queryScheduler.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `queryScheduler.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
| `queryScheduler.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `queryScheduler.podSecurityContext.fsGroup` | Set Query Scheduler pod's Security Context fsGroup | `1001` |
| `queryScheduler.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `queryScheduler.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `queryScheduler.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `queryScheduler.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `queryScheduler.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
@@ -981,8 +1017,12 @@ The command removes all the Kubernetes components associated with the chart and
| `storeGateway.resources.limits` | The resources limits for the ingester containers | `{}` |
| `storeGateway.resources.requests` | The requested resources for the ingester containers | `{}` |
| `storeGateway.podSecurityContext.enabled` | Enabled Store Gateway pods' Security Context | `true` |
| `storeGateway.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `storeGateway.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
| `storeGateway.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `storeGateway.podSecurityContext.fsGroup` | Set Store Gateway pod's Security Context fsGroup | `1001` |
| `storeGateway.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `storeGateway.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `storeGateway.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `storeGateway.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `storeGateway.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
@@ -1081,8 +1121,12 @@ The command removes all the Kubernetes components associated with the chart and
| `ruler.resources.limits` | The resources limits for the Ruler containers | `{}` |
| `ruler.resources.requests` | The requested resources for the Ruler containers | `{}` |
| `ruler.podSecurityContext.enabled` | Enabled Ruler pods' Security Context | `true` |
| `ruler.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `ruler.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
| `ruler.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `ruler.podSecurityContext.fsGroup` | Set Ruler pod's Security Context fsGroup | `1001` |
| `ruler.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `ruler.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `ruler.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `ruler.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `ruler.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
@@ -1148,16 +1192,17 @@ The command removes all the Kubernetes components associated with the chart and
### Init Container Parameters
| Name | Description | Value |
| ------------------------------------------------------ | ----------------------------------------------------------------------------------------------- | -------------------------- |
| `volumePermissions.enabled` | Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` | `false` |
| `volumePermissions.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` |
| `volumePermissions.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` |
| `volumePermissions.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` |
| `volumePermissions.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` |
| `volumePermissions.resources.limits` | The resources limits for the init container | `{}` |
| `volumePermissions.resources.requests` | The requested resources for the init container | `{}` |
| `volumePermissions.containerSecurityContext.runAsUser` | Set init container's Security Context runAsUser | `0` |
| Name | Description | Value |
| ----------------------------------------------------------- | ----------------------------------------------------------------------------------------------- | -------------------------- |
| `volumePermissions.enabled` | Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` | `false` |
| `volumePermissions.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` |
| `volumePermissions.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` |
| `volumePermissions.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` |
| `volumePermissions.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` |
| `volumePermissions.resources.limits` | The resources limits for the init container | `{}` |
| `volumePermissions.resources.requests` | The requested resources for the init container | `{}` |
| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `volumePermissions.containerSecurityContext.runAsUser` | Set init container's Security Context runAsUser | `0` |
### Other Parameters

90
bitnami/grafana-mimir/values.yaml
View File

@@ -431,14 +431,21 @@ alertmanager:
## Configure Pods Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param alertmanager.podSecurityContext.enabled Enabled Alertmanager pods' Security Context
## @param alertmanager.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
## @param alertmanager.podSecurityContext.sysctls Set kernel settings using the sysctl interface
## @param alertmanager.podSecurityContext.supplementalGroups Set filesystem extra groups
## @param alertmanager.podSecurityContext.fsGroup Set Alertmanager pod's Security Context fsGroup
##
podSecurityContext:
enabled: true
fsGroupChangePolicy: Always
sysctls: []
supplementalGroups: []
fsGroup: 1001
## Configure Container Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param alertmanager.containerSecurityContext.enabled Enabled containers' Security Context
## @param alertmanager.containerSecurityContext.seLinuxOptions Set SELinux options in container
## @param alertmanager.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param alertmanager.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param alertmanager.containerSecurityContext.privileged Set container's Security Context privileged
@@ -449,6 +456,7 @@ alertmanager:
##
containerSecurityContext:
enabled: true
seLinuxOptions: {}
runAsUser: 1001
runAsNonRoot: true
privileged: false
@@ -790,14 +798,21 @@ compactor:
## Configure Pods Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param compactor.podSecurityContext.enabled Enabled Compactor pods' Security Context
## @param compactor.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
## @param compactor.podSecurityContext.sysctls Set kernel settings using the sysctl interface
## @param compactor.podSecurityContext.supplementalGroups Set filesystem extra groups
## @param compactor.podSecurityContext.fsGroup Set Compactor pod's Security Context fsGroup
##
podSecurityContext:
enabled: true
fsGroupChangePolicy: Always
sysctls: []
supplementalGroups: []
fsGroup: 1001
## Configure Container Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param compactor.containerSecurityContext.enabled Enabled containers' Security Context
## @param compactor.containerSecurityContext.seLinuxOptions Set SELinux options in container
## @param compactor.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param compactor.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param compactor.containerSecurityContext.privileged Set container's Security Context privileged
@@ -808,6 +823,7 @@ compactor:
##
containerSecurityContext:
enabled: true
seLinuxOptions: {}
runAsUser: 1001
runAsNonRoot: true
privileged: false
@@ -1123,14 +1139,21 @@ distributor:
## Configure Pods Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param distributor.podSecurityContext.enabled Enabled Distributor pods' Security Context
## @param distributor.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
## @param distributor.podSecurityContext.sysctls Set kernel settings using the sysctl interface
## @param distributor.podSecurityContext.supplementalGroups Set filesystem extra groups
## @param distributor.podSecurityContext.fsGroup Set Distributor pod's Security Context fsGroup
##
podSecurityContext:
enabled: true
fsGroupChangePolicy: Always
sysctls: []
supplementalGroups: []
fsGroup: 1001
## Configure Container Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param distributor.containerSecurityContext.enabled Enabled containers' Security Context
## @param distributor.containerSecurityContext.seLinuxOptions Set SELinux options in container
## @param distributor.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param distributor.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param distributor.containerSecurityContext.privileged Set container's Security Context privileged
@@ -1141,6 +1164,7 @@ distributor:
##
containerSecurityContext:
enabled: true
seLinuxOptions: {}
runAsUser: 1001
runAsNonRoot: true
privileged: false
@@ -1471,14 +1495,21 @@ gateway:
## Configure Pods Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param gateway.podSecurityContext.enabled Enabled Gateway pods' Security Context
## @param gateway.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
## @param gateway.podSecurityContext.sysctls Set kernel settings using the sysctl interface
## @param gateway.podSecurityContext.supplementalGroups Set filesystem extra groups
## @param gateway.podSecurityContext.fsGroup Set Gateway pod's Security Context fsGroup
##
podSecurityContext:
enabled: true
fsGroupChangePolicy: Always
sysctls: []
supplementalGroups: []
fsGroup: 1001
## Configure Container Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param gateway.containerSecurityContext.enabled Enabled containers' Security Context
## @param gateway.containerSecurityContext.seLinuxOptions Set SELinux options in container
## @param gateway.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param gateway.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param gateway.containerSecurityContext.privileged Set container's Security Context privileged
@@ -1489,6 +1520,7 @@ gateway:
##
containerSecurityContext:
enabled: true
seLinuxOptions: {}
runAsUser: 1001
runAsNonRoot: true
privileged: false
@@ -1856,14 +1888,21 @@ ingester:
## Configure Pods Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param ingester.podSecurityContext.enabled Enabled Ingester pods' Security Context
## @param ingester.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
## @param ingester.podSecurityContext.sysctls Set kernel settings using the sysctl interface
## @param ingester.podSecurityContext.supplementalGroups Set filesystem extra groups
## @param ingester.podSecurityContext.fsGroup Set Ingester pod's Security Context fsGroup
##
podSecurityContext:
enabled: true
fsGroupChangePolicy: Always
sysctls: []
supplementalGroups: []
fsGroup: 1001
## Configure Container Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param ingester.containerSecurityContext.enabled Enabled containers' Security Context
## @param ingester.containerSecurityContext.seLinuxOptions Set SELinux options in container
## @param ingester.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param ingester.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param ingester.containerSecurityContext.privileged Set container's Security Context privileged
@@ -1874,6 +1913,7 @@ ingester:
##
containerSecurityContext:
enabled: true
seLinuxOptions: {}
runAsUser: 1001
runAsNonRoot: true
privileged: false
@@ -2198,14 +2238,21 @@ overridesExporter:
## Configure Pods Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param overridesExporter.podSecurityContext.enabled Enabled Overrides Exporter pods' Security Context
## @param overridesExporter.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
## @param overridesExporter.podSecurityContext.sysctls Set kernel settings using the sysctl interface
## @param overridesExporter.podSecurityContext.supplementalGroups Set filesystem extra groups
## @param overridesExporter.podSecurityContext.fsGroup Set Overrides Exporter pod's Security Context fsGroup
##
podSecurityContext:
enabled: true
fsGroupChangePolicy: Always
sysctls: []
supplementalGroups: []
fsGroup: 1001
## Configure Container Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param overridesExporter.containerSecurityContext.enabled Enabled containers' Security Context
## @param overridesExporter.containerSecurityContext.seLinuxOptions Set SELinux options in container
## @param overridesExporter.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param overridesExporter.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param overridesExporter.containerSecurityContext.privileged Set container's Security Context privileged
@@ -2216,6 +2263,7 @@ overridesExporter:
##
containerSecurityContext:
enabled: true
seLinuxOptions: {}
runAsUser: 1001
runAsNonRoot: true
privileged: false
@@ -2500,14 +2548,21 @@ querier:
## Configure Pods Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param querier.podSecurityContext.enabled Enabled Querier pods' Security Context
## @param querier.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
## @param querier.podSecurityContext.sysctls Set kernel settings using the sysctl interface
## @param querier.podSecurityContext.supplementalGroups Set filesystem extra groups
## @param querier.podSecurityContext.fsGroup Set Querier pod's Security Context fsGroup
##
podSecurityContext:
enabled: true
fsGroupChangePolicy: Always
sysctls: []
supplementalGroups: []
fsGroup: 1001
## Configure Container Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param querier.containerSecurityContext.enabled Enabled containers' Security Context
## @param querier.containerSecurityContext.seLinuxOptions Set SELinux options in container
## @param querier.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param querier.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param querier.containerSecurityContext.privileged Set container's Security Context privileged
@@ -2518,6 +2573,7 @@ querier:
##
containerSecurityContext:
enabled: true
seLinuxOptions: {}
runAsUser: 1001
runAsNonRoot: true
privileged: false
@@ -2802,14 +2858,21 @@ queryFrontend:
## Configure Pods Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param queryFrontend.podSecurityContext.enabled Enabled Query Frontend pods' Security Context
## @param queryFrontend.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
## @param queryFrontend.podSecurityContext.sysctls Set kernel settings using the sysctl interface
## @param queryFrontend.podSecurityContext.supplementalGroups Set filesystem extra groups
## @param queryFrontend.podSecurityContext.fsGroup Set Query Frontend pod's Security Context fsGroup
##
podSecurityContext:
enabled: true
fsGroupChangePolicy: Always
sysctls: []
supplementalGroups: []
fsGroup: 1001
## Configure Container Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param queryFrontend.containerSecurityContext.enabled Enabled containers' Security Context
## @param queryFrontend.containerSecurityContext.seLinuxOptions Set SELinux options in container
## @param queryFrontend.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param queryFrontend.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param queryFrontend.containerSecurityContext.privileged Set container's Security Context privileged
@@ -2820,6 +2883,7 @@ queryFrontend:
##
containerSecurityContext:
enabled: true
seLinuxOptions: {}
runAsUser: 1001
runAsNonRoot: true
privileged: false
@@ -3107,14 +3171,21 @@ queryScheduler:
## Configure Pods Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param queryScheduler.podSecurityContext.enabled Enabled Query Scheduler pods' Security Context
## @param queryScheduler.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
## @param queryScheduler.podSecurityContext.sysctls Set kernel settings using the sysctl interface
## @param queryScheduler.podSecurityContext.supplementalGroups Set filesystem extra groups
## @param queryScheduler.podSecurityContext.fsGroup Set Query Scheduler pod's Security Context fsGroup
##
podSecurityContext:
enabled: true
fsGroupChangePolicy: Always
sysctls: []
supplementalGroups: []
fsGroup: 1001
## Configure Container Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param queryScheduler.containerSecurityContext.enabled Enabled containers' Security Context
## @param queryScheduler.containerSecurityContext.seLinuxOptions Set SELinux options in container
## @param queryScheduler.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param queryScheduler.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param queryScheduler.containerSecurityContext.privileged Set container's Security Context privileged
@@ -3125,6 +3196,7 @@ queryScheduler:
##
containerSecurityContext:
enabled: true
seLinuxOptions: {}
runAsUser: 1001
runAsNonRoot: true
privileged: false
@@ -3413,14 +3485,21 @@ storeGateway:
## Configure Pods Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param storeGateway.podSecurityContext.enabled Enabled Store Gateway pods' Security Context
## @param storeGateway.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
## @param storeGateway.podSecurityContext.sysctls Set kernel settings using the sysctl interface
## @param storeGateway.podSecurityContext.supplementalGroups Set filesystem extra groups
## @param storeGateway.podSecurityContext.fsGroup Set Store Gateway pod's Security Context fsGroup
##
podSecurityContext:
enabled: true
fsGroupChangePolicy: Always
sysctls: []
supplementalGroups: []
fsGroup: 1001
## Configure Container Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param storeGateway.containerSecurityContext.enabled Enabled containers' Security Context
## @param storeGateway.containerSecurityContext.seLinuxOptions Set SELinux options in container
## @param storeGateway.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param storeGateway.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param storeGateway.containerSecurityContext.privileged Set container's Security Context privileged
@@ -3431,6 +3510,7 @@ storeGateway:
##
containerSecurityContext:
enabled: true
seLinuxOptions: {}
runAsUser: 1001
runAsNonRoot: true
privileged: false
@@ -3765,14 +3845,21 @@ ruler:
## Configure Pods Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param ruler.podSecurityContext.enabled Enabled Ruler pods' Security Context
## @param ruler.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
## @param ruler.podSecurityContext.sysctls Set kernel settings using the sysctl interface
## @param ruler.podSecurityContext.supplementalGroups Set filesystem extra groups
## @param ruler.podSecurityContext.fsGroup Set Ruler pod's Security Context fsGroup
##
podSecurityContext:
enabled: true
fsGroupChangePolicy: Always
sysctls: []
supplementalGroups: []
fsGroup: 1001
## Configure Container Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param ruler.containerSecurityContext.enabled Enabled containers' Security Context
## @param ruler.containerSecurityContext.seLinuxOptions Set SELinux options in container
## @param ruler.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param ruler.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param ruler.containerSecurityContext.privileged Set container's Security Context privileged
@@ -3783,6 +3870,7 @@ ruler:
##
containerSecurityContext:
enabled: true
seLinuxOptions: {}
runAsUser: 1001
runAsNonRoot: true
privileged: false
@@ -4059,12 +4147,14 @@ volumePermissions:
requests: {}
## Init container Container Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param volumePermissions.containerSecurityContext.seLinuxOptions Set SELinux options in container
## @param volumePermissions.containerSecurityContext.runAsUser Set init container's Security Context runAsUser
## NOTE: when runAsUser is set to special value "auto", init container will try to chown the
## data folder to auto-determined user&group, using commands: `id -u`:`id -G | cut -d" " -f2`
## "auto" is especially useful for OpenShift which has scc with dynamic user ids (and 0 is not allowed)
##
containerSecurityContext:
seLinuxOptions: {}
runAsUser: 0
## @section Other Parameters