From 40588f7242de6328b948bb186b8727c76e2f2404 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javier=20J=2E=20Salmer=C3=B3n-Garc=C3=ADa?=
Date: Wed, 6 Mar 2024 15:28:51 +0100
Subject: [PATCH] [bitnami/memcached] feat: :sparkles: :lock: Add readOnlyRootFilesystem support (#23786)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* [bitnami/memcached] feat: :sparkles: :lock: Add readOnlyRootFilesystem support
Signed-off-by: Javier Salmeron Garcia
* Update values.yaml
Signed-off-by: Javier J. Salmerón-García
* Update README.md with readme-generator-for-helm
Signed-off-by: Bitnami Containers
* bump version
Signed-off-by: Alejandro Moreno
---------
Signed-off-by: Javier Salmeron Garcia
Signed-off-by: Javier J. Salmerón-García
Signed-off-by: Bitnami Containers
Signed-off-by: Alejandro Moreno
Co-authored-by: Bitnami Containers
Co-authored-by: Alejandro Moreno
---
 bitnami/memcached/Chart.yaml | 2 +-
 bitnami/memcached/README.md | 4 +++-
 bitnami/memcached/templates/deployment.yaml | 15 +++++++++++++--
 bitnami/memcached/templates/statefulset.yaml | 11 +++++++++--
 bitnami/memcached/values.yaml | 6 +++++-
 5 files changed, 31 insertions(+), 7 deletions(-)
diff --git a/bitnami/memcached/Chart.yaml b/bitnami/memcached/Chart.yaml
index fdcbfd8f9f..5d1c9b5392 100644
--- a/bitnami/memcached/Chart.yaml
+++ b/bitnami/memcached/Chart.yaml
@@ -31,4 +31,4 @@ maintainers:
 name: memcached
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/memcached
-version: 6.13.0
+version: 6.14.0
diff --git a/bitnami/memcached/README.md b/bitnami/memcached/README.md
index c4ec3d944f..a8ed875814 100644
--- a/bitnami/memcached/README.md
+++ b/bitnami/memcached/README.md
@@ -136,6 +136,7 @@ The command removes all the Kubernetes components associated with the chart and
 | `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
 | `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
 | `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
+| `containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
 | `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
 | `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
 | `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
@@ -244,9 +245,10 @@ The command removes all the Kubernetes components associated with the chart and
 | `metrics.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
 | `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
 | `metrics.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
+| `metrics.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
 | `metrics.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
 | `metrics.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
-| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
+| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
 | `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
 | `metrics.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
 | `metrics.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
diff --git a/bitnami/memcached/templates/deployment.yaml b/bitnami/memcached/templates/deployment.yaml
index d83df05537..33ea05bbf5 100644
--- a/bitnami/memcached/templates/deployment.yaml
+++ b/bitnami/memcached/templates/deployment.yaml
@@ -153,8 +153,12 @@ spec:
 resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }}
 {{- end }}
 volumeMounts:
- - name: tmp
+ - name: empty-dir
+ mountPath: /opt/bitnami/memcached/conf
+ subPath: app-conf-dir
+ - name: empty-dir
 mountPath: /tmp
+ subPath: tmp-dir
 {{- if .Values.extraVolumeMounts }}
 {{- include "common.tplvalues.render" ( dict "value" .Values.extraVolumeMounts "context" $ ) | nindent 12 }}
 {{- end }}
@@ -197,12 +201,19 @@ spec:
 {{- else if ne .Values.metrics.resourcesPreset "none" }}
 resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }}
 {{- end }}
+ volumeMounts:
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
+ {{- if .Values.metrics.extraVolumeMounts }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.extraVolumeMounts "context" $ ) | nindent 12 }}
+ {{- end }}
 {{- end }}
 {{- if .Values.sidecars }}
 {{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }}
 {{- end }}
 volumes:
- - name: tmp
+ - name: empty-dir
 emptyDir: {}
 {{- if .Values.extraVolumes }}
 {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }}
diff --git a/bitnami/memcached/templates/statefulset.yaml b/bitnami/memcached/templates/statefulset.yaml
index 45012456cc..d5f3d54c09 100644
--- a/bitnami/memcached/templates/statefulset.yaml
+++ b/bitnami/memcached/templates/statefulset.yaml
@@ -100,6 +100,9 @@ spec:
 volumeMounts:
 - name: data
 mountPath: /cache-state
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
 {{- end }}
 {{- if .Values.initContainers }}
 {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }}
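Review bot: Renaming the shared volume from `tmp` to `empty-dir` in the first hunk (and again at `volumes:` below and in the statefulset.yaml hunks) is user-visible: any `extraVolumeMounts` or `sidecars` value that referenced the volume by the name `tmp` stops rendering a valid Pod after this minor bump, and nothing in the patch's README changes mentions it. A one-line upgrade note stating that the `tmp` emptyDir volume is now named `empty-dir` would cover that. The new mount over `/opt/bitnami/memcached/conf` also shadows whatever the image ships in that directory, so it presumably relies on the container entrypoint regenerating the configuration at start; that intent deserves a comment on the mount, e.g. `# writable copy of the conf dir so the container can run with readOnlyRootFilesystem: true`. The enclosing container definition starts before this hunk.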
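Review bot: The new metrics `volumeMounts` block in the second hunk references `.Values.metrics.extraVolumeMounts`, but none of this patch's values.yaml hunks declare that key (they only add `runAsGroup` and flip the metrics `readOnlyRootFilesystem` default), so unless it already exists it is an undocumented knob the README generator will never surface; if it is new, add `## @param metrics.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the metrics container` together with `extraVolumeMounts: []` under `metrics`. The matching `/tmp` mount is also absent from the metrics container in statefulset.yaml, whose hunks only touch the init container and the memcached container, while `metrics.containerSecurityContext.readOnlyRootFilesystem` now defaults to `true` for both workloads, so the exporter in the statefulset appears to be left without any writable path. Mirroring this seven-line `volumeMounts` block onto the statefulset's metrics container keeps the two templates consistent. The enclosing metrics container definition starts before this hunk.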
@@ -203,8 +206,12 @@ spec:
 - name: data
 mountPath: /cache-state
 {{- end }}
- - name: tmp
+ - name: empty-dir
+ mountPath: /opt/bitnami/memcached/conf
+ subPath: app-conf-dir
+ - name: empty-dir
 mountPath: /tmp
+ subPath: tmp-dir
 {{- if .Values.extraVolumeMounts }}
 {{- include "common.tplvalues.render" ( dict "value" .Values.extraVolumeMounts "context" $ ) | nindent 12 }}
 {{- end }}
@@ -253,7 +260,7 @@ spec:
 {{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $ ) | nindent 8 }}
 {{- end }}
 volumes:
- - name: tmp
+ - name: empty-dir
 emptyDir: {}
 {{- if .Values.extraVolumes }}
 {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }}
diff --git a/bitnami/memcached/values.yaml b/bitnami/memcached/values.yaml
index 2dadd70e9f..c61da0ebfc 100644
--- a/bitnami/memcached/values.yaml
+++ b/bitnami/memcached/values.yaml
@@ -242,6 +242,7 @@ podSecurityContext:
 ## @param containerSecurityContext.enabled Enabled containers' Security Context
 ## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
 ## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser
+## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
 ## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
 ## @param containerSecurityContext.privileged Set container's Security Context privileged
 ## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@@ -253,6 +254,7 @@ containerSecurityContext:
 enabled: true
 seLinuxOptions: null
 runAsUser: 1001
+ runAsGroup: 1001
 runAsNonRoot: true
 privileged: false
 readOnlyRootFilesystem: false
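Review bot: In the last hunk `containerSecurityContext.readOnlyRootFilesystem` stays at `false` for the memcached container even though this commit adds the writable `empty-dir` mounts for `/tmp` and the conf dir for exactly that purpose, while the metrics default is flipped to `true` in the following values.yaml hunk, so the feature the title announces is enabled by default only for the sidecar. If the two mounts cover every path the image writes at runtime, the default could become `readOnlyRootFilesystem: true` here as well; otherwise the `@param` line should say why it stays off, e.g. `## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem (/tmp and the conf dir are emptyDir-backed, so true is supported)`. Either way the metrics default changes in this release without an upgrade note in the README changes.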
@@ -690,6 +692,7 @@ metrics:
 ## @param metrics.containerSecurityContext.enabled Enabled containers' Security Context
 ## @param metrics.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
 ## @param metrics.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
+ ## @param metrics.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
 ## @param metrics.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
 ## @param metrics.containerSecurityContext.privileged Set container's Security Context privileged
 ## @param metrics.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@@ -701,9 +704,10 @@ metrics:
 enabled: true
 seLinuxOptions: null
 runAsUser: 1001
+ runAsGroup: 1001
 runAsNonRoot: true
 privileged: false
- readOnlyRootFilesystem: false
+ readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
 capabilities:
 drop: ["ALL"]