mirror of
https://github.com/bitnami/charts.git
synced 2026-03-15 14:57:16 +08:00
[bitnami/external-dns] feat!: 🔒 💥 Improve security defaults (#24325)
* [bitnami/external-dns] feat!: 🔒 💥 Improve security defaults Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> * fix: 🐛 Set seLinuxOptions to {} Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> * fix: 🐛 Add missing /tmp dir Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> * fix: 🐛 Set correct mountPath field name Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> --------- Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> Signed-off-by: Alejandro Moreno <amorenoc@vmware.com> Signed-off-by: Javier J. Salmerón-García <jsalmeron@vmware.com> Co-authored-by: Alejandro Moreno <amorenoc@vmware.com>
This commit is contained in:
Javier J. Salmerón-García
committed by
GitHub
GitHub
parent
abed681d9e
commit
47d68cc5ce
@@ -1,6 +1,6 @@
|
||||
dependencies:
|
||||
- name: common
|
||||
repository: oci://registry-1.docker.io/bitnamicharts
|
||||
version: 2.18.0
|
||||
digest: sha256:f489ae7394a4eceb24fb702901483c67a5b4fff605f19d5e2545e3a6778e1280
|
||||
generated: "2024-03-05T13:47:20.072085636+01:00"
|
||||
version: 2.19.0
|
||||
digest: sha256:ac559eb57710d8904e266424ee364cd686d7e24517871f0c5c67f7c4500c2bcc
|
||||
generated: "2024-03-11T11:31:57.424102668+01:00"
|
||||
|
||||
@@ -28,4 +28,4 @@ maintainers:
|
||||
name: external-dns
|
||||
sources:
|
||||
- https://github.com/bitnami/charts/tree/main/bitnami/external-dns
|
||||
version: 6.38.0
|
||||
version: 7.0.0
|
||||
|
||||
@@ -99,11 +99,11 @@ helm install my-release \
|
||||
|
||||
### Global parameters
|
||||
|
||||
| Name | Description | Value |
|
||||
| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
|
||||
| `global.imageRegistry` | Global Docker image registry | `""` |
|
||||
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
|
||||
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` |
|
||||
| Name | Description | Value |
|
||||
| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ |
|
||||
| `global.imageRegistry` | Global Docker image registry | `""` |
|
||||
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
|
||||
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` |
|
||||
|
||||
### Common parameters
|
||||
|
||||
@@ -370,21 +370,21 @@ helm install my-release \
|
||||
| `rbac.apiVersion` | Version of the RBAC API | `v1` |
|
||||
| `rbac.pspEnabled` | Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` |
|
||||
| `containerSecurityContext.enabled` | Enabled Apache Server containers' Security Context | `true` |
|
||||
| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
|
||||
| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
|
||||
| `containerSecurityContext.runAsUser` | Set ExternalDNS containers' Security Context runAsUser | `1001` |
|
||||
| `containerSecurityContext.runAsGroup` | Set ExternalDNS containers' Security Context runAsGroup | `0` |
|
||||
| `containerSecurityContext.runAsGroup` | Set ExternalDNS containers' Security Context runAsGroup | `1001` |
|
||||
| `containerSecurityContext.runAsNonRoot` | Set ExternalDNS container's Security Context runAsNonRoot | `true` |
|
||||
| `containerSecurityContext.privileged` | Set primary container's Security Context privileged | `false` |
|
||||
| `containerSecurityContext.allowPrivilegeEscalation` | Set primary container's Security Context allowPrivilegeEscalation | `false` |
|
||||
| `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
|
||||
| `containerSecurityContext.readOnlyRootFilesystem` | Set container readonlyRootFilesystem | `false` |
|
||||
| `containerSecurityContext.readOnlyRootFilesystem` | Set container readonlyRootFilesystem | `true` |
|
||||
| `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
|
||||
| `podSecurityContext.enabled` | Enable pod security context | `true` |
|
||||
| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
|
||||
| `podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
|
||||
| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
|
||||
| `podSecurityContext.fsGroup` | Group ID for the container | `1001` |
|
||||
| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `none` |
|
||||
| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `nano` |
|
||||
| `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
|
||||
| `livenessProbe.enabled` | Enable livenessProbe | `true` |
|
||||
| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `10` |
|
||||
@@ -451,6 +451,17 @@ Find more information about how to deal with common errors related to Bitnami's
|
||||
|
||||
## Upgrading
|
||||
|
||||
### To 7.0.0
|
||||
|
||||
This major bump changes the following security defaults:
|
||||
|
||||
- `runAsGroup` is changed from `0` to `1001`
|
||||
- `readOnlyRootFilesystem` is set to `true`
|
||||
- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case).
|
||||
- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`.
|
||||
|
||||
This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones.
|
||||
|
||||
### To 6.0.0
|
||||
|
||||
Some of the chart values were changed to adapt to the latest Bitnami standards. More specifically:
|
||||
|
||||
@@ -11,13 +11,13 @@ kind: Deployment
|
||||
{{- end }}
|
||||
metadata:
|
||||
name: {{ template "external-dns.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{ if not .Values.useDaemonset -}}
|
||||
{{- if not .Values.useDaemonset }}
|
||||
replicas: {{ coalesce .Values.replicas .Values.replicaCount }}
|
||||
{{- end }}
|
||||
{{- if .Values.updateStrategy }}
|
||||
@@ -745,6 +745,9 @@ spec:
|
||||
resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: empty-dir
|
||||
mountPath: /tmp
|
||||
subPath: tmp-dir
|
||||
{{- if and (eq .Values.provider "alibabacloud") (or (and .Values.alibabacloud.accessKeyId .Values.alibabacloud.accessKeySecret) .Values.alibabacloud.secretName) }}
|
||||
# Alibaba Cloud mountPath(s)
|
||||
- name: alibabacloud-config-file
|
||||
@@ -815,6 +818,8 @@ spec:
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: empty-dir
|
||||
emptyDir: {}
|
||||
{{- if and (eq .Values.provider "alibabacloud") (or (and .Values.alibabacloud.accessKeyId .Values.alibabacloud.accessKeySecret) .Values.alibabacloud.secretName) }}
|
||||
# Alibaba Cloud volume(s)
|
||||
- name: alibabacloud-config-file
|
||||
|
||||
@@ -18,7 +18,6 @@ spec:
|
||||
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
|
||||
podSelector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
|
||||
app.kubernetes.io/component: controller
|
||||
policyTypes:
|
||||
- Ingress
|
||||
- Egress
|
||||
|
||||
@@ -25,7 +25,7 @@ global:
|
||||
openshift:
|
||||
## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
|
||||
##
|
||||
adaptSecurityContext: disabled
|
||||
adaptSecurityContext: auto
|
||||
## @section Common parameters
|
||||
##
|
||||
|
||||
@@ -1082,13 +1082,13 @@ rbac:
|
||||
##
|
||||
containerSecurityContext:
|
||||
enabled: true
|
||||
seLinuxOptions: null
|
||||
seLinuxOptions: {}
|
||||
runAsUser: 1001
|
||||
runAsGroup: 0
|
||||
runAsGroup: 1001
|
||||
runAsNonRoot: true
|
||||
privileged: false
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: false
|
||||
readOnlyRootFilesystem: true
|
||||
capabilities:
|
||||
drop: ["ALL"]
|
||||
seccompProfile:
|
||||
@@ -1114,7 +1114,7 @@ podSecurityContext:
|
||||
## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
|
||||
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
|
||||
##
|
||||
resourcesPreset: "none"
|
||||
resourcesPreset: "nano"
|
||||
## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
|
||||
## Example:
|
||||
## resources:
|
||||
|
||||
Reference in New Issue
Block a user