mirror of
https://github.com/bitnami/charts.git
synced 2026-03-14 06:47:28 +08:00
[bitnami/parse] feat!: 🔒 💥 Improve security defaults (#24507)
* [bitnami/parse] feat!: 🔒 💥 Improve security defaults Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> * fix: ⏪ Revert tempo change Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> * docs: 📝 Add missing metadata Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> --------- Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com> Signed-off-by: Javier J. Salmerón-García <jsalmeron@vmware.com>
This commit is contained in:
Javier J. Salmerón-García
committed by
GitHub
GitHub
parent
9a0fece43c
commit
4baa241ef6
@@ -127,12 +127,12 @@ You can enable this initContainer by setting `volumePermissions.enabled` to `tru
|
||||
|
||||
### Global parameters
|
||||
|
||||
| Name | Description | Value |
|
||||
| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
|
||||
| `global.imageRegistry` | Global Docker image registry | `""` |
|
||||
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
|
||||
| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
|
||||
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` |
|
||||
| Name | Description | Value |
|
||||
| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ |
|
||||
| `global.imageRegistry` | Global Docker image registry | `""` |
|
||||
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
|
||||
| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
|
||||
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` |
|
||||
|
||||
### Common Parameters
|
||||
|
||||
@@ -163,17 +163,19 @@ You can enable this initContainer by setting `volumePermissions.enabled` to `tru
|
||||
| `server.hostAliases` | Deployment pod host aliases | `[]` |
|
||||
| `server.podLabels` | Extra labels for Parse pods | `{}` |
|
||||
| `server.podAnnotations` | Annotations for Parse pods | `{}` |
|
||||
| `server.forceOverwriteConfFile` | Overwrite config.json configuration file on each run (set to false if mounting a custom configuration file) | `true` |
|
||||
| `server.podSecurityContext.enabled` | Enabled Parse Dashboard pods' Security Context | `true` |
|
||||
| `server.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
|
||||
| `server.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
|
||||
| `server.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
|
||||
| `server.podSecurityContext.fsGroup` | Set Parse Dashboard pod's Security Context fsGroup | `1001` |
|
||||
| `server.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
|
||||
| `server.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
|
||||
| `server.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
|
||||
| `server.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
|
||||
| `server.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
|
||||
| `server.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
|
||||
| `server.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
|
||||
| `server.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
|
||||
| `server.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
|
||||
| `server.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
|
||||
| `server.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
|
||||
| `server.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
|
||||
@@ -193,7 +195,7 @@ You can enable this initContainer by setting `volumePermissions.enabled` to `tru
|
||||
| `server.enableCloudCode` | Enable Parse Cloud Code | `false` |
|
||||
| `server.cloudCodeScripts` | Cloud Code scripts | `{}` |
|
||||
| `server.existingCloudCodeScriptsCM` | ConfigMap with Cloud Code scripts (Note: Overrides `cloudCodeScripts`). | `""` |
|
||||
| `server.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if server.resources is set (server.resources is recommended for production). | `none` |
|
||||
| `server.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if server.resources is set (server.resources is recommended for production). | `nano` |
|
||||
| `server.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
|
||||
| `server.livenessProbe.enabled` | Enable livenessProbe | `true` |
|
||||
| `server.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` |
|
||||
@@ -270,11 +272,12 @@ You can enable this initContainer by setting `volumePermissions.enabled` to `tru
|
||||
| `dashboard.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
|
||||
| `dashboard.podSecurityContext.fsGroup` | Set Parse Dashboard pod's Security Context fsGroup | `1001` |
|
||||
| `dashboard.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
|
||||
| `dashboard.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
|
||||
| `dashboard.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
|
||||
| `dashboard.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
|
||||
| `dashboard.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
|
||||
| `dashboard.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
|
||||
| `dashboard.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
|
||||
| `dashboard.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
|
||||
| `dashboard.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
|
||||
| `dashboard.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
|
||||
| `dashboard.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
|
||||
| `dashboard.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
|
||||
@@ -283,7 +286,7 @@ You can enable this initContainer by setting `volumePermissions.enabled` to `tru
|
||||
| `dashboard.username` | Parse Dashboard application username | `user` |
|
||||
| `dashboard.password` | Parse Dashboard application password | `""` |
|
||||
| `dashboard.appName` | Parse Dashboard application name | `MyDashboard` |
|
||||
| `dashboard.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if dashboard.resources is set (dashboard.resources is recommended for production). | `none` |
|
||||
| `dashboard.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if dashboard.resources is set (dashboard.resources is recommended for production). | `nano` |
|
||||
| `dashboard.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
|
||||
| `dashboard.livenessProbe.enabled` | Enable livenessProbe | `true` |
|
||||
| `dashboard.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `240` |
|
||||
@@ -330,6 +333,7 @@ You can enable this initContainer by setting `volumePermissions.enabled` to `tru
|
||||
| `dashboard.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Parse container(s) | `[]` |
|
||||
| `dashboard.sidecars` | Add additional sidecar containers to the Parse pod(s) | `[]` |
|
||||
| `dashboard.initContainers` | Add additional init containers to the Parse pod(s) | `[]` |
|
||||
| `dashboard.forceOverwriteConfFile` | Overwrite config.json configuration file on each run (set to false if mounting a custom configuration file) | `true` |
|
||||
| `dashboard.service.type` | Kubernetes Service type | `LoadBalancer` |
|
||||
| `dashboard.service.ports.http` | Service HTTP port (Dashboard) | `80` |
|
||||
| `dashboard.service.nodePorts.http` | Kubernetes HTTP node port | `""` |
|
||||
@@ -404,18 +408,20 @@ You can enable this initContainer by setting `volumePermissions.enabled` to `tru
|
||||
|
||||
### MongoDB® Parameters
|
||||
|
||||
| Name | Description | Value |
|
||||
| ---------------------------------- | ------------------------------------------- | --------------- |
|
||||
| `mongodb.enabled` | Enable MongoDB® chart | `true` |
|
||||
| `mongodb.auth.enabled` | Enable MongoDB® password authentication | `true` |
|
||||
| `mongodb.auth.rootPassword` | MongoDB® admin password | `""` |
|
||||
| `mongodb.auth.username` | MongoDB® user | `bn_parse` |
|
||||
| `mongodb.auth.password` | MongoDB® user password | `""` |
|
||||
| `mongodb.auth.database` | MongoDB® database | `bitnami_parse` |
|
||||
| `mongodb.persistence.enabled` | Enable MongoDB® persistence using PVC | `true` |
|
||||
| `mongodb.persistence.storageClass` | PVC Storage Class for MongoDB® volume | `""` |
|
||||
| `mongodb.persistence.accessMode` | PVC Access Mode for MongoDB® volume | `ReadWriteOnce` |
|
||||
| `mongodb.persistence.size` | PVC Storage Request for MongoDB® volume | `8Gi` |
|
||||
| Name | Description | Value |
|
||||
| ---------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------- |
|
||||
| `mongodb.enabled` | Enable MongoDB® chart | `true` |
|
||||
| `mongodb.auth.enabled` | Enable MongoDB® password authentication | `true` |
|
||||
| `mongodb.auth.rootPassword` | MongoDB® admin password | `""` |
|
||||
| `mongodb.auth.username` | MongoDB® user | `bn_parse` |
|
||||
| `mongodb.auth.password` | MongoDB® user password | `""` |
|
||||
| `mongodb.auth.database` | MongoDB® database | `bitnami_parse` |
|
||||
| `mongodb.persistence.enabled` | Enable MongoDB® persistence using PVC | `true` |
|
||||
| `mongodb.persistence.storageClass` | PVC Storage Class for MongoDB® volume | `""` |
|
||||
| `mongodb.persistence.accessMode` | PVC Access Mode for MongoDB® volume | `ReadWriteOnce` |
|
||||
| `mongodb.persistence.size` | PVC Storage Request for MongoDB® volume | `8Gi` |
|
||||
| `mongodb.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `small` |
|
||||
| `mongodb.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
|
||||
|
||||
> **Note**:
|
||||
>
|
||||
@@ -460,6 +466,17 @@ Find more information about how to deal with common errors related to Bitnami's
|
||||
|
||||
## Upgrading
|
||||
|
||||
### To 22.0.0
|
||||
|
||||
This major bump changes the following security defaults:
|
||||
|
||||
- `runAsGroup` is changed from `0` to `1001`
|
||||
- `readOnlyRootFilesystem` is set to `true`
|
||||
- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case).
|
||||
- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`.
|
||||
|
||||
This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones.
|
||||
|
||||
### To 21.0.0
|
||||
|
||||
This major updates the MongoDB® subchart to its newest major, [14.0.0](https://github.com/bitnami/charts/tree/main/bitnami/mongodb#to-1400). No major issues are expected during the upgrade.
|
||||
|
||||
Reference in New Issue
Block a user