diff --git a/bitnami/grafana-mimir/Chart.yaml b/bitnami/grafana-mimir/Chart.yaml index 3e412993aa..1bb54504ea 100644 --- a/bitnami/grafana-mimir/Chart.yaml +++ b/bitnami/grafana-mimir/Chart.yaml @@ -59,4 +59,4 @@ maintainers: name: grafana-mimir sources: - https://github.com/bitnami/charts/tree/main/bitnami/grafana-mimir -version: 0.7.12 +version: 0.8.0 diff --git a/bitnami/grafana-mimir/README.md b/bitnami/grafana-mimir/README.md index 742f8b4509..31c5dbfac2 100644 --- a/bitnami/grafana-mimir/README.md +++ b/bitnami/grafana-mimir/README.md @@ -142,8 +142,12 @@ The command removes all the Kubernetes components associated with the chart and | `alertmanager.resources.limits` | The resources limits for the alertmanager containers | `{}` | | `alertmanager.resources.requests` | The requested resources for the alertmanager containers | `{}` | | `alertmanager.podSecurityContext.enabled` | Enabled Alertmanager pods' Security Context | `true` | +| `alertmanager.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `alertmanager.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `alertmanager.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `alertmanager.podSecurityContext.fsGroup` | Set Alertmanager pod's Security Context fsGroup | `1001` | | `alertmanager.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `alertmanager.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `alertmanager.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `alertmanager.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `alertmanager.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | @@ -241,8 +245,12 @@ The command removes all the Kubernetes components associated with the chart and | `compactor.resources.limits` | The resources limits for the compactor containers | `{}` | | `compactor.resources.requests` | The requested resources for the compactor containers | `{}` | | `compactor.podSecurityContext.enabled` | Enabled Compactor pods' Security Context | `true` | +| `compactor.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `compactor.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `compactor.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `compactor.podSecurityContext.fsGroup` | Set Compactor pod's Security Context fsGroup | `1001` | | `compactor.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `compactor.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `compactor.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `compactor.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `compactor.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | @@ -336,8 +344,12 @@ The command removes all the Kubernetes components associated with the chart and | `distributor.resources.limits` | The resources limits for the distributor containers | `{}` | | `distributor.resources.requests` | The requested resources for the distributor containers | `{}` | | `distributor.podSecurityContext.enabled` | Enabled Distributor pods' Security Context | `true` | +| `distributor.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `distributor.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `distributor.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `distributor.podSecurityContext.fsGroup` | Set Distributor pod's Security Context fsGroup | `1001` | | `distributor.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `distributor.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `distributor.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `distributor.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `distributor.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | @@ -437,8 +449,12 @@ The command removes all the Kubernetes components associated with the chart and | `gateway.resources.limits` | The resources limits for the gateway containers | `{}` | | `gateway.resources.requests` | The requested resources for the gateway containers | `{}` | | `gateway.podSecurityContext.enabled` | Enabled Gateway pods' Security Context | `true` | +| `gateway.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `gateway.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `gateway.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `gateway.podSecurityContext.fsGroup` | Set Gateway pod's Security Context fsGroup | `1001` | | `gateway.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `gateway.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `gateway.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `gateway.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `gateway.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | @@ -536,8 +552,12 @@ The command removes all the Kubernetes components associated with the chart and | `ingester.resources.limits` | The resources limits for the ingester containers | `{}` | | `ingester.resources.requests` | The requested resources for the ingester containers | `{}` | | `ingester.podSecurityContext.enabled` | Enabled Ingester pods' Security Context | `true` | +| `ingester.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `ingester.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `ingester.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `ingester.podSecurityContext.fsGroup` | Set Ingester pod's Security Context fsGroup | `1001` | | `ingester.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `ingester.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `ingester.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `ingester.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `ingester.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | @@ -628,8 +648,12 @@ The command removes all the Kubernetes components associated with the chart and | `overridesExporter.resources.limits` | The resources limits for the overrides-exporter containers | `{}` | | `overridesExporter.resources.requests` | The requested resources for the overrides-exporter containers | `{}` | | `overridesExporter.podSecurityContext.enabled` | Enabled Overrides Exporter pods' Security Context | `true` | +| `overridesExporter.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `overridesExporter.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `overridesExporter.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `overridesExporter.podSecurityContext.fsGroup` | Set Overrides Exporter pod's Security Context fsGroup | `1001` | | `overridesExporter.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `overridesExporter.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `overridesExporter.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `overridesExporter.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `overridesExporter.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | @@ -717,8 +741,12 @@ The command removes all the Kubernetes components associated with the chart and | `querier.resources.limits` | The resources limits for the querier containers | `{}` | | `querier.resources.requests` | The requested resources for the querier containers | `{}` | | `querier.podSecurityContext.enabled` | Enabled Querier pods' Security Context | `true` | +| `querier.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `querier.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `querier.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `querier.podSecurityContext.fsGroup` | Set Querier pod's Security Context fsGroup | `1001` | | `querier.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `querier.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `querier.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `querier.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `querier.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | @@ -806,8 +834,12 @@ The command removes all the Kubernetes components associated with the chart and | `queryFrontend.resources.limits` | The resources limits for the ingester containers | `{}` | | `queryFrontend.resources.requests` | The requested resources for the ingester containers | `{}` | | `queryFrontend.podSecurityContext.enabled` | Enabled Query Frontend pods' Security Context | `true` | +| `queryFrontend.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `queryFrontend.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `queryFrontend.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `queryFrontend.podSecurityContext.fsGroup` | Set Query Frontend pod's Security Context fsGroup | `1001` | | `queryFrontend.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `queryFrontend.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `queryFrontend.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `queryFrontend.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `queryFrontend.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | @@ -891,8 +923,12 @@ The command removes all the Kubernetes components associated with the chart and | `queryScheduler.resources.limits` | The resources limits for the query-scheduler containers | `{}` | | `queryScheduler.resources.requests` | The requested resources for the query-scheduler containers | `{}` | | `queryScheduler.podSecurityContext.enabled` | Enabled Query Scheduler pods' Security Context | `true` | +| `queryScheduler.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `queryScheduler.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `queryScheduler.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `queryScheduler.podSecurityContext.fsGroup` | Set Query Scheduler pod's Security Context fsGroup | `1001` | | `queryScheduler.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `queryScheduler.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `queryScheduler.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `queryScheduler.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `queryScheduler.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | @@ -981,8 +1017,12 @@ The command removes all the Kubernetes components associated with the chart and | `storeGateway.resources.limits` | The resources limits for the ingester containers | `{}` | | `storeGateway.resources.requests` | The requested resources for the ingester containers | `{}` | | `storeGateway.podSecurityContext.enabled` | Enabled Store Gateway pods' Security Context | `true` | +| `storeGateway.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `storeGateway.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `storeGateway.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `storeGateway.podSecurityContext.fsGroup` | Set Store Gateway pod's Security Context fsGroup | `1001` | | `storeGateway.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `storeGateway.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `storeGateway.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `storeGateway.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `storeGateway.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | @@ -1081,8 +1121,12 @@ The command removes all the Kubernetes components associated with the chart and | `ruler.resources.limits` | The resources limits for the Ruler containers | `{}` | | `ruler.resources.requests` | The requested resources for the Ruler containers | `{}` | | `ruler.podSecurityContext.enabled` | Enabled Ruler pods' Security Context | `true` | +| `ruler.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `ruler.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `ruler.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `ruler.podSecurityContext.fsGroup` | Set Ruler pod's Security Context fsGroup | `1001` | | `ruler.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `ruler.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `ruler.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `ruler.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `ruler.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | @@ -1148,16 +1192,17 @@ The command removes all the Kubernetes components associated with the chart and ### Init Container Parameters -| Name | Description | Value | -| ------------------------------------------------------ | ----------------------------------------------------------------------------------------------- | -------------------------- | -| `volumePermissions.enabled` | Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` | `false` | -| `volumePermissions.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` | -| `volumePermissions.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` | -| `volumePermissions.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` | -| `volumePermissions.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` | -| `volumePermissions.resources.limits` | The resources limits for the init container | `{}` | -| `volumePermissions.resources.requests` | The requested resources for the init container | `{}` | -| `volumePermissions.containerSecurityContext.runAsUser` | Set init container's Security Context runAsUser | `0` | +| Name | Description | Value | +| ----------------------------------------------------------- | ----------------------------------------------------------------------------------------------- | -------------------------- | +| `volumePermissions.enabled` | Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` | `false` | +| `volumePermissions.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` | +| `volumePermissions.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` | +| `volumePermissions.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` | +| `volumePermissions.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` | +| `volumePermissions.resources.limits` | The resources limits for the init container | `{}` | +| `volumePermissions.resources.requests` | The requested resources for the init container | `{}` | +| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `volumePermissions.containerSecurityContext.runAsUser` | Set init container's Security Context runAsUser | `0` | ### Other Parameters diff --git a/bitnami/grafana-mimir/values.yaml b/bitnami/grafana-mimir/values.yaml index 1d58cf69f9..244da93147 100644 --- a/bitnami/grafana-mimir/values.yaml +++ b/bitnami/grafana-mimir/values.yaml @@ -431,14 +431,21 @@ alertmanager: ## Configure Pods Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param alertmanager.podSecurityContext.enabled Enabled Alertmanager pods' Security Context + ## @param alertmanager.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param alertmanager.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param alertmanager.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param alertmanager.podSecurityContext.fsGroup Set Alertmanager pod's Security Context fsGroup ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param alertmanager.containerSecurityContext.enabled Enabled containers' Security Context + ## @param alertmanager.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param alertmanager.containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param alertmanager.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param alertmanager.containerSecurityContext.privileged Set container's Security Context privileged @@ -449,6 +456,7 @@ alertmanager: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsNonRoot: true privileged: false @@ -790,14 +798,21 @@ compactor: ## Configure Pods Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param compactor.podSecurityContext.enabled Enabled Compactor pods' Security Context + ## @param compactor.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param compactor.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param compactor.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param compactor.podSecurityContext.fsGroup Set Compactor pod's Security Context fsGroup ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param compactor.containerSecurityContext.enabled Enabled containers' Security Context + ## @param compactor.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param compactor.containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param compactor.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param compactor.containerSecurityContext.privileged Set container's Security Context privileged @@ -808,6 +823,7 @@ compactor: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsNonRoot: true privileged: false @@ -1123,14 +1139,21 @@ distributor: ## Configure Pods Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param distributor.podSecurityContext.enabled Enabled Distributor pods' Security Context + ## @param distributor.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param distributor.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param distributor.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param distributor.podSecurityContext.fsGroup Set Distributor pod's Security Context fsGroup ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param distributor.containerSecurityContext.enabled Enabled containers' Security Context + ## @param distributor.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param distributor.containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param distributor.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param distributor.containerSecurityContext.privileged Set container's Security Context privileged @@ -1141,6 +1164,7 @@ distributor: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsNonRoot: true privileged: false @@ -1471,14 +1495,21 @@ gateway: ## Configure Pods Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param gateway.podSecurityContext.enabled Enabled Gateway pods' Security Context + ## @param gateway.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param gateway.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param gateway.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param gateway.podSecurityContext.fsGroup Set Gateway pod's Security Context fsGroup ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param gateway.containerSecurityContext.enabled Enabled containers' Security Context + ## @param gateway.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param gateway.containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param gateway.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param gateway.containerSecurityContext.privileged Set container's Security Context privileged @@ -1489,6 +1520,7 @@ gateway: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsNonRoot: true privileged: false @@ -1856,14 +1888,21 @@ ingester: ## Configure Pods Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param ingester.podSecurityContext.enabled Enabled Ingester pods' Security Context + ## @param ingester.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param ingester.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param ingester.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param ingester.podSecurityContext.fsGroup Set Ingester pod's Security Context fsGroup ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param ingester.containerSecurityContext.enabled Enabled containers' Security Context + ## @param ingester.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param ingester.containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param ingester.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param ingester.containerSecurityContext.privileged Set container's Security Context privileged @@ -1874,6 +1913,7 @@ ingester: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsNonRoot: true privileged: false @@ -2198,14 +2238,21 @@ overridesExporter: ## Configure Pods Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param overridesExporter.podSecurityContext.enabled Enabled Overrides Exporter pods' Security Context + ## @param overridesExporter.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param overridesExporter.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param overridesExporter.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param overridesExporter.podSecurityContext.fsGroup Set Overrides Exporter pod's Security Context fsGroup ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param overridesExporter.containerSecurityContext.enabled Enabled containers' Security Context + ## @param overridesExporter.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param overridesExporter.containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param overridesExporter.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param overridesExporter.containerSecurityContext.privileged Set container's Security Context privileged @@ -2216,6 +2263,7 @@ overridesExporter: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsNonRoot: true privileged: false @@ -2500,14 +2548,21 @@ querier: ## Configure Pods Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param querier.podSecurityContext.enabled Enabled Querier pods' Security Context + ## @param querier.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param querier.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param querier.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param querier.podSecurityContext.fsGroup Set Querier pod's Security Context fsGroup ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param querier.containerSecurityContext.enabled Enabled containers' Security Context + ## @param querier.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param querier.containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param querier.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param querier.containerSecurityContext.privileged Set container's Security Context privileged @@ -2518,6 +2573,7 @@ querier: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsNonRoot: true privileged: false @@ -2802,14 +2858,21 @@ queryFrontend: ## Configure Pods Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param queryFrontend.podSecurityContext.enabled Enabled Query Frontend pods' Security Context + ## @param queryFrontend.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param queryFrontend.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param queryFrontend.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param queryFrontend.podSecurityContext.fsGroup Set Query Frontend pod's Security Context fsGroup ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param queryFrontend.containerSecurityContext.enabled Enabled containers' Security Context + ## @param queryFrontend.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param queryFrontend.containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param queryFrontend.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param queryFrontend.containerSecurityContext.privileged Set container's Security Context privileged @@ -2820,6 +2883,7 @@ queryFrontend: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsNonRoot: true privileged: false @@ -3107,14 +3171,21 @@ queryScheduler: ## Configure Pods Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param queryScheduler.podSecurityContext.enabled Enabled Query Scheduler pods' Security Context + ## @param queryScheduler.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param queryScheduler.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param queryScheduler.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param queryScheduler.podSecurityContext.fsGroup Set Query Scheduler pod's Security Context fsGroup ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param queryScheduler.containerSecurityContext.enabled Enabled containers' Security Context + ## @param queryScheduler.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param queryScheduler.containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param queryScheduler.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param queryScheduler.containerSecurityContext.privileged Set container's Security Context privileged @@ -3125,6 +3196,7 @@ queryScheduler: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsNonRoot: true privileged: false @@ -3413,14 +3485,21 @@ storeGateway: ## Configure Pods Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param storeGateway.podSecurityContext.enabled Enabled Store Gateway pods' Security Context + ## @param storeGateway.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param storeGateway.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param storeGateway.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param storeGateway.podSecurityContext.fsGroup Set Store Gateway pod's Security Context fsGroup ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param storeGateway.containerSecurityContext.enabled Enabled containers' Security Context + ## @param storeGateway.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param storeGateway.containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param storeGateway.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param storeGateway.containerSecurityContext.privileged Set container's Security Context privileged @@ -3431,6 +3510,7 @@ storeGateway: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsNonRoot: true privileged: false @@ -3765,14 +3845,21 @@ ruler: ## Configure Pods Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param ruler.podSecurityContext.enabled Enabled Ruler pods' Security Context + ## @param ruler.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param ruler.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param ruler.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param ruler.podSecurityContext.fsGroup Set Ruler pod's Security Context fsGroup ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param ruler.containerSecurityContext.enabled Enabled containers' Security Context + ## @param ruler.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param ruler.containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param ruler.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param ruler.containerSecurityContext.privileged Set container's Security Context privileged @@ -3783,6 +3870,7 @@ ruler: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsNonRoot: true privileged: false @@ -4059,12 +4147,14 @@ volumePermissions: requests: {} ## Init container Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param volumePermissions.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param volumePermissions.containerSecurityContext.runAsUser Set init container's Security Context runAsUser ## NOTE: when runAsUser is set to special value "auto", init container will try to chown the ## data folder to auto-determined user&group, using commands: `id -u`:`id -G | cut -d" " -f2` ## "auto" is especially useful for OpenShift which has scc with dynamic user ids (and 0 is not allowed) ## containerSecurityContext: + seLinuxOptions: {} runAsUser: 0 ## @section Other Parameters