mirror of
https://github.com/bitnami/charts.git
synced 2026-02-10 20:17:22 +08:00
[bitnami/fluent-bit] feat: ✨ Add support for PSA restricted policy (#20438)
Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
committed by
GitHub
parent
c91aebb2d0
commit
477f4ae3db
@@ -28,4 +28,4 @@ maintainers:
|
||||
name: fluent-bit
|
||||
sources:
|
||||
- https://github.com/bitnami/charts/tree/main/bitnami/fluent-bit
|
||||
version: 0.5.5
|
||||
version: 0.6.0
|
||||
|
||||
@@ -91,89 +91,94 @@ The command removes all the Kubernetes components associated with the chart and
|
||||
|
||||
### Fluent Bit daemonset configuration
|
||||
|
||||
| Name | Description | Value |
|
||||
| --------------------------------------------- | ----------------------------------------------------------------------------------------- | ---------------------------- |
|
||||
| `daemonset.enabled` | Use a daemonset instead of a deployment. `replicaCount` will not take effect. | `false` |
|
||||
| `daemonset.podSecurityContext.enabled` | Enable security context for daemonset pods | `true` |
|
||||
| `daemonset.podSecurityContext.runAsUser` | User ID for daemonset containers | `0` |
|
||||
| `daemonset.podSecurityContext.runAsGroup` | Group ID for daemonset containers | `0` |
|
||||
| `daemonset.podSecurityContext.fsGroup` | Group ID for daemonset containers filesystem | `0` |
|
||||
| `daemonset.hostPaths.logs` | Path to the node logs dir | `/var/log` |
|
||||
| `daemonset.hostPaths.containerLogs` | Path to the container logs dir | `/var/lib/docker/containers` |
|
||||
| `daemonset.hostPaths.machineId` | Path to the machine-id file | `/etc/machine-id` |
|
||||
| `hostNetwork` | Enable HOST Network | `false` |
|
||||
| `command` | Command for running the container (set to default if not set). Use array form | `[]` |
|
||||
| `args` | Args for running the container (set to default if not set). Use array form | `[]` |
|
||||
| `lifecycleHooks` | Override default etcd container hooks | `{}` |
|
||||
| `extraEnvVars` | Extra environment variables to be set on fluent-bit container | `[]` |
|
||||
| `extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars | `""` |
|
||||
| `extraEnvVarsSecret` | Name of existing Secret containing extra env vars | `""` |
|
||||
| `existingConfigMap` | Name of an existing ConfigMap with the Fluent Bit config file | `""` |
|
||||
| `hostAliases` | Deployment pod host aliases | `[]` |
|
||||
| `replicaCount` | Number of Fluent Bit replicas | `1` |
|
||||
| `livenessProbe.enabled` | Enable livenessProbe on nodes | `true` |
|
||||
| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `10` |
|
||||
| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
|
||||
| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` |
|
||||
| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` |
|
||||
| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
|
||||
| `startupProbe.enabled` | Enable startupProbe on containers | `true` |
|
||||
| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` |
|
||||
| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
|
||||
| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
|
||||
| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` |
|
||||
| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
|
||||
| `readinessProbe.enabled` | Enable readinessProbe | `true` |
|
||||
| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `10` |
|
||||
| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
|
||||
| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
|
||||
| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `15` |
|
||||
| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
|
||||
| `customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
|
||||
| `customStartupProbe` | Override default startup probe | `{}` |
|
||||
| `customReadinessProbe` | Override default readiness probe | `{}` |
|
||||
| `resources.limits` | The resources limits for Fluent Bit containers | `{}` |
|
||||
| `resources.requests` | The requested resources for Fluent Bit containers | `{}` |
|
||||
| `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for fluent-bit container | `[]` |
|
||||
| `containerPorts.http` | Port for HTTP port | `2020` |
|
||||
| `service.type` | Fluent Bit service type | `ClusterIP` |
|
||||
| `service.ports.http` | Port for HTTP port | `2020` |
|
||||
| `service.nodePorts.http` | Node port for HTTP port | `""` |
|
||||
| `service.extraPorts` | Extra ports to expose in the service (normally used with the `sidecar` value) | `[]` |
|
||||
| `service.loadBalancerIP` | LoadBalancerIP if service type is `LoadBalancer` | `""` |
|
||||
| `service.loadBalancerSourceRanges` | Service Load Balancer sources | `[]` |
|
||||
| `service.clusterIP` | Service Cluster IP | `""` |
|
||||
| `service.externalTrafficPolicy` | Service external traffic policy | `Cluster` |
|
||||
| `service.annotations` | Provide any additional annotations which may be required. | `{}` |
|
||||
| `service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
|
||||
| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
|
||||
| `serviceAccount.create` | Enables ServiceAccount | `true` |
|
||||
| `serviceAccount.name` | ServiceAccount name | `""` |
|
||||
| `serviceAccount.annotations` | Annotations to add to all deployed objects | `{}` |
|
||||
| `serviceAccount.automountServiceAccountToken` | Automount API credentials for a service account. | `true` |
|
||||
| `podSecurityContext.enabled` | Enabled Fluent Bit pods' Security Context | `true` |
|
||||
| `podSecurityContext.fsGroup` | Set Fluent Bit pod's Security Context fsGroup | `1001` |
|
||||
| `containerSecurityContext.enabled` | Enabled Fluent Bit containers' Security Context | `true` |
|
||||
| `containerSecurityContext.runAsUser` | Set Fluent Bit container's Security Context runAsUser | `1001` |
|
||||
| `containerSecurityContext.runAsNonRoot` | Force the container to be run as non root | `true` |
|
||||
| `podAnnotations` | Additional pod annotations | `{}` |
|
||||
| `podLabels` | Additional pod labels | `{}` |
|
||||
| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
|
||||
| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
|
||||
| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
|
||||
| `nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set | `""` |
|
||||
| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set | `[]` |
|
||||
| `priorityClassName` | Server priorityClassName | `""` |
|
||||
| `affinity` | Affinity for pod assignment | `{}` |
|
||||
| `nodeSelector` | Node labels for pod assignment | `{}` |
|
||||
| `tolerations` | Tolerations for pod assignment | `[]` |
|
||||
| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` |
|
||||
| `schedulerName` | Alternative scheduler | `""` |
|
||||
| `updateStrategy.type` | Fluent Bit deployment strategy type | `RollingUpdate` |
|
||||
| `updateStrategy.rollingUpdate` | Fluent Bit deployment rolling update configuration parameters | `{}` |
|
||||
| `extraVolumes` | Optionally specify extra list of additional volumes for fluent-bit container | `[]` |
|
||||
| `initContainers` | Add additional init containers to the fluent-bit pods | `[]` |
|
||||
| `sidecars` | Add additional sidecar containers to the fluent-bit pods | `[]` |
|
||||
| Name | Description | Value |
|
||||
| --------------------------------------------------- | ----------------------------------------------------------------------------------------- | ---------------------------- |
|
||||
| `daemonset.enabled` | Use a daemonset instead of a deployment. `replicaCount` will not take effect. | `false` |
|
||||
| `daemonset.podSecurityContext.enabled` | Enable security context for daemonset pods | `true` |
|
||||
| `daemonset.podSecurityContext.runAsUser` | User ID for daemonset containers | `0` |
|
||||
| `daemonset.podSecurityContext.runAsGroup` | Group ID for daemonset containers | `0` |
|
||||
| `daemonset.podSecurityContext.fsGroup` | Group ID for daemonset containers filesystem | `0` |
|
||||
| `daemonset.hostPaths.logs` | Path to the node logs dir | `/var/log` |
|
||||
| `daemonset.hostPaths.containerLogs` | Path to the container logs dir | `/var/lib/docker/containers` |
|
||||
| `daemonset.hostPaths.machineId` | Path to the machine-id file | `/etc/machine-id` |
|
||||
| `hostNetwork` | Enable HOST Network | `false` |
|
||||
| `command` | Command for running the container (set to default if not set). Use array form | `[]` |
|
||||
| `args` | Args for running the container (set to default if not set). Use array form | `[]` |
|
||||
| `lifecycleHooks` | Override default etcd container hooks | `{}` |
|
||||
| `extraEnvVars` | Extra environment variables to be set on fluent-bit container | `[]` |
|
||||
| `extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars | `""` |
|
||||
| `extraEnvVarsSecret` | Name of existing Secret containing extra env vars | `""` |
|
||||
| `existingConfigMap` | Name of an existing ConfigMap with the Fluent Bit config file | `""` |
|
||||
| `hostAliases` | Deployment pod host aliases | `[]` |
|
||||
| `replicaCount` | Number of Fluent Bit replicas | `1` |
|
||||
| `livenessProbe.enabled` | Enable livenessProbe on nodes | `true` |
|
||||
| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `10` |
|
||||
| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
|
||||
| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` |
|
||||
| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` |
|
||||
| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
|
||||
| `startupProbe.enabled` | Enable startupProbe on containers | `true` |
|
||||
| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` |
|
||||
| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
|
||||
| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
|
||||
| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` |
|
||||
| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
|
||||
| `readinessProbe.enabled` | Enable readinessProbe | `true` |
|
||||
| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `10` |
|
||||
| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
|
||||
| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
|
||||
| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `15` |
|
||||
| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
|
||||
| `customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
|
||||
| `customStartupProbe` | Override default startup probe | `{}` |
|
||||
| `customReadinessProbe` | Override default readiness probe | `{}` |
|
||||
| `resources.limits` | The resources limits for Fluent Bit containers | `{}` |
|
||||
| `resources.requests` | The requested resources for Fluent Bit containers | `{}` |
|
||||
| `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for fluent-bit container | `[]` |
|
||||
| `containerPorts.http` | Port for HTTP port | `2020` |
|
||||
| `service.type` | Fluent Bit service type | `ClusterIP` |
|
||||
| `service.ports.http` | Port for HTTP port | `2020` |
|
||||
| `service.nodePorts.http` | Node port for HTTP port | `""` |
|
||||
| `service.extraPorts` | Extra ports to expose in the service (normally used with the `sidecar` value) | `[]` |
|
||||
| `service.loadBalancerIP` | LoadBalancerIP if service type is `LoadBalancer` | `""` |
|
||||
| `service.loadBalancerSourceRanges` | Service Load Balancer sources | `[]` |
|
||||
| `service.clusterIP` | Service Cluster IP | `""` |
|
||||
| `service.externalTrafficPolicy` | Service external traffic policy | `Cluster` |
|
||||
| `service.annotations` | Provide any additional annotations which may be required. | `{}` |
|
||||
| `service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
|
||||
| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
|
||||
| `serviceAccount.create` | Enables ServiceAccount | `true` |
|
||||
| `serviceAccount.name` | ServiceAccount name | `""` |
|
||||
| `serviceAccount.annotations` | Annotations to add to all deployed objects | `{}` |
|
||||
| `serviceAccount.automountServiceAccountToken` | Automount API credentials for a service account. | `true` |
|
||||
| `podSecurityContext.enabled` | Enabled Fluent Bit pods' Security Context | `true` |
|
||||
| `podSecurityContext.fsGroup` | Set Fluent Bit pod's Security Context fsGroup | `1001` |
|
||||
| `containerSecurityContext.enabled` | Enabled Fluent Bit containers' Security Context | `true` |
|
||||
| `containerSecurityContext.runAsUser` | Set Fluent Bit containers' Security Context runAsUser | `1001` |
|
||||
| `containerSecurityContext.runAsNonRoot` | Set Fluent Bit container's Security Context runAsNonRoot | `true` |
|
||||
| `containerSecurityContext.readOnlyRootFilesystem` | Set Fluent Bit container's Security Context runAsNonRoot | `false` |
|
||||
| `containerSecurityContext.privileged` | Set primary container's Security Context privileged | `false` |
|
||||
| `containerSecurityContext.allowPrivilegeEscalation` | Set primary container's Security Context allowPrivilegeEscalation | `false` |
|
||||
| `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
|
||||
| `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
|
||||
| `podAnnotations` | Additional pod annotations | `{}` |
|
||||
| `podLabels` | Additional pod labels | `{}` |
|
||||
| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
|
||||
| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
|
||||
| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
|
||||
| `nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set | `""` |
|
||||
| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set | `[]` |
|
||||
| `priorityClassName` | Server priorityClassName | `""` |
|
||||
| `affinity` | Affinity for pod assignment | `{}` |
|
||||
| `nodeSelector` | Node labels for pod assignment | `{}` |
|
||||
| `tolerations` | Tolerations for pod assignment | `[]` |
|
||||
| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` |
|
||||
| `schedulerName` | Alternative scheduler | `""` |
|
||||
| `updateStrategy.type` | Fluent Bit deployment strategy type | `RollingUpdate` |
|
||||
| `updateStrategy.rollingUpdate` | Fluent Bit deployment rolling update configuration parameters | `{}` |
|
||||
| `extraVolumes` | Optionally specify extra list of additional volumes for fluent-bit container | `[]` |
|
||||
| `initContainers` | Add additional init containers to the fluent-bit pods | `[]` |
|
||||
| `sidecars` | Add additional sidecar containers to the fluent-bit pods | `[]` |
|
||||
|
||||
### Fluent Bit configuration
|
||||
|
||||
|
||||
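Review bot: The `daemonset.podSecurityContext.runAsUser` row still defaults to `0` and the `daemonset.hostPaths.*` rows are unchanged, so the restricted profile named in the commit title cannot hold when `daemonset.enabled` is `true`: the restricted Pod Security Standard rejects a root `runAsUser`, and hostPath volumes are already disallowed at the baseline level. Suggest adding a sentence to this README section saying that the new `containerSecurityContext` defaults cover the deployment mode only, and which Pod Security level a namespace needs for daemonset mode.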
@@ -324,13 +324,25 @@ podSecurityContext:
|
||||
## Configure Container Security Context (only main container)
|
||||
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
|
||||
## @param containerSecurityContext.enabled Enabled Fluent Bit containers' Security Context
|
||||
## @param containerSecurityContext.runAsUser Set Fluent Bit container's Security Context runAsUser
|
||||
## @param containerSecurityContext.runAsNonRoot Force the container to be run as non root
|
||||
## @param containerSecurityContext.runAsUser Set Fluent Bit containers' Security Context runAsUser
|
||||
## @param containerSecurityContext.runAsNonRoot Set Fluent Bit container's Security Context runAsNonRoot
|
||||
## @param containerSecurityContext.readOnlyRootFilesystem Set Fluent Bit container's Security Context runAsNonRoot
|
||||
## @param containerSecurityContext.privileged Set primary container's Security Context privileged
|
||||
## @param containerSecurityContext.allowPrivilegeEscalation Set primary container's Security Context allowPrivilegeEscalation
|
||||
## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped
|
||||
## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
|
||||
##
|
||||
containerSecurityContext:
|
||||
enabled: true
|
||||
runAsUser: 1001
|
||||
runAsNonRoot: true
|
||||
privileged: false
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: false
|
||||
capabilities:
|
||||
drop: ["ALL"]
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
## @param podAnnotations Additional pod annotations
|
||||
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
|
||||
##
|
||||
|
||||
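Review bot: The `@param containerSecurityContext.readOnlyRootFilesystem` comment reads "Set Fluent Bit container's Security Context runAsNonRoot", which is the text of the line above it; it should name readOnlyRootFilesystem, and the README table row carries the same wording and needs the same fix. The new descriptions also alternate between "Fluent Bit container's", "Fluent Bit containers'" and "primary container's"; one form throughout would read better. `readOnlyRootFilesystem: false` is acceptable for the restricted profile, which does not require a read-only root, but a short comment on which paths Fluent Bit writes to would help users who want to set it to `true`.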