Bitnami/charts
2
0
Fork 0
mirror of https://github.com/bitnami/charts.git synced 2026-02-28 15:37:42 +08:00
Code Issues Packages Projects Releases Wiki Activity

[bitnami/kuberay] feat!: 🔒 💥 Improve security defaults (#24347)

Browse Source 
* [bitnami/kuberay] feat!: 🔒 💥 Improve security defaults

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* docs: 📝 Remove incorrect information from upgrade notes

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

---------

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
Signed-off-by: Javier J. Salmerón-García <jsalmeron@vmware.com>
This commit is contained in:
Javier J. Salmerón-García
2024-03-12 11:26:18 +01:00
committed by GitHub
parent 03396c6155
commit 5f4fe07ee2
4 changed files with 38 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
bitnami/kuberay/Chart.lock
View File

@@ -1,6 +1,6 @@
dependencies:
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
version: 2.18.0
digest: sha256:f489ae7394a4eceb24fb702901483c67a5b4fff605f19d5e2545e3a6778e1280
generated: "2024-03-05T14:30:49.060510596+01:00"
version: 2.19.0
digest: sha256:ac559eb57710d8904e266424ee364cd686d7e24517871f0c5c67f7c4500c2bcc
generated: "2024-03-11T16:41:11.014308289+01:00"

2
bitnami/kuberay/Chart.yaml
View File

@@ -32,4 +32,4 @@ maintainers:
name: kuberay
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/kuberay
version: 0.8.2
version: 1.0.0

39
bitnami/kuberay/README.md
View File

@@ -55,12 +55,12 @@ The command removes all the Kubernetes components associated with the chart and
### Global parameters
| Name | Description | Value |
| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
| `global.imageRegistry` | Global Docker image registry | `""` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` |
| Name | Description | Value |
| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ |
| `global.imageRegistry` | Global Docker image registry | `""` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` |
### Common parameters
@@ -122,7 +122,7 @@ The command removes all the Kubernetes components associated with the chart and
| `operator.watchAllNamespaces` | Watch for KubeRay resources in all namespaces | `true` |
| `operator.watchNamespaces` | Watch for KubeRay resources in the given namespaces | `[]` |
| `operator.enableBatchScheduler` | Enable batch scheduler component | `false` |
| `operator.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if operator.resources is set (operator.resources is recommended for production). | `none` |
| `operator.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if operator.resources is set (operator.resources is recommended for production). | `nano` |
| `operator.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `operator.podSecurityContext.enabled` | Enabled Kuberay Operator pods' Security Context | `true` |
| `operator.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
@@ -130,7 +130,7 @@ The command removes all the Kubernetes components associated with the chart and
| `operator.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `operator.podSecurityContext.fsGroup` | Set Kuberay Operator pod's Security Context fsGroup | `1001` |
| `operator.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `operator.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `operator.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `operator.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `operator.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
| `operator.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
@@ -285,7 +285,7 @@ The command removes all the Kubernetes components associated with the chart and
| `apiserver.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `apiserver.watchAllNamespaces` | Watch for KubeRay resources in all namespaces | `true` |
| `apiserver.watchNamespaces` | Watch for KubeRay resources in the given namespaces | `[]` |
| `apiserver.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if apiserver.resources is set (apiserver.resources is recommended for production). | `none` |
| `apiserver.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if apiserver.resources is set (apiserver.resources is recommended for production). | `nano` |
| `apiserver.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `apiserver.podSecurityContext.enabled` | Enabled Kuberay API Server pods' Security Context | `true` |
| `apiserver.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
@@ -293,7 +293,7 @@ The command removes all the Kubernetes components associated with the chart and
| `apiserver.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `apiserver.podSecurityContext.fsGroup` | Set Kuberay API Server pod's Security Context fsGroup | `1001` |
| `apiserver.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `apiserver.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `apiserver.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `apiserver.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `apiserver.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
| `apiserver.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
@@ -425,7 +425,7 @@ The command removes all the Kubernetes components associated with the chart and
| Name | Description | Value |
| ---------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------- |
| `cluster.head.rayStartParams` | Set Ray start parameters | `{}` |
| `cluster.head.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if cluster.head.resources is set (cluster.head.resources is recommended for production). | `none` |
| `cluster.head.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if cluster.head.resources is set (cluster.head.resources is recommended for production). | `medium` |
| `cluster.head.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `cluster.head.podSecurityContext.enabled` | Enabled Ray Cluster Worker (common) pods' Security Context | `true` |
| `cluster.head.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
@@ -433,7 +433,7 @@ The command removes all the Kubernetes components associated with the chart and
| `cluster.head.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `cluster.head.podSecurityContext.fsGroup` | Set Ray Cluster Worker (common) pod's Security Context fsGroup | `1001` |
| `cluster.head.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `cluster.head.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `cluster.head.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `cluster.head.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `cluster.head.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
| `cluster.head.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
@@ -481,7 +481,7 @@ The command removes all the Kubernetes components associated with the chart and
| `cluster.worker.common.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
| `cluster.worker.common.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
| `cluster.worker.common.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `cluster.worker.common.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if cluster.worker.common.resources is set (cluster.worker.common.resources is recommended for production). | `none` |
| `cluster.worker.common.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if cluster.worker.common.resources is set (cluster.worker.common.resources is recommended for production). | `small` |
| `cluster.worker.common.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `cluster.worker.common.podSecurityContext.enabled` | Enabled Ray Cluster Worker (common) pods' Security Context | `true` |
| `cluster.worker.common.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
@@ -489,7 +489,7 @@ The command removes all the Kubernetes components associated with the chart and
| `cluster.worker.common.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `cluster.worker.common.podSecurityContext.fsGroup` | Set Ray Cluster Worker (common) pod's Security Context fsGroup | `1001` |
| `cluster.worker.common.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `cluster.worker.common.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `cluster.worker.common.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `cluster.worker.common.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `cluster.worker.common.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
| `cluster.worker.common.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
@@ -634,6 +634,17 @@ As an alternative, use one of the preset configurations for pod affinity, pod an
Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues).
## Upgrading
### To 1.0.0
This major bump changes the following security defaults:
- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case).
- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`.
This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones.
## License
Copyright &copy; 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.

18
bitnami/kuberay/values.yaml
View File

@@ -27,7 +27,7 @@ global:
openshift:
## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
##
adaptSecurityContext: disabled
adaptSecurityContext: auto
## @section Common parameters
##
@@ -213,7 +213,7 @@ operator:
## @param operator.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if operator.resources is set (operator.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "none"
resourcesPreset: "nano"
## @param operator.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
@@ -254,7 +254,7 @@ operator:
##
containerSecurityContext:
enabled: true
seLinuxOptions: null
seLinuxOptions: {}
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
@@ -862,7 +862,7 @@ apiserver:
## @param apiserver.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if apiserver.resources is set (apiserver.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "none"
resourcesPreset: "nano"
## @param apiserver.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
@@ -903,7 +903,7 @@ apiserver:
##
containerSecurityContext:
enabled: true
seLinuxOptions: null
seLinuxOptions: {}
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
@@ -1425,7 +1425,7 @@ cluster:
## @param cluster.head.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if cluster.head.resources is set (cluster.head.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "none"
resourcesPreset: "medium"
## @param cluster.head.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
@@ -1466,7 +1466,7 @@ cluster:
##
containerSecurityContext:
enabled: true
seLinuxOptions: null
seLinuxOptions: {}
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
@@ -1627,7 +1627,7 @@ cluster:
## @param cluster.worker.common.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if cluster.worker.common.resources is set (cluster.worker.common.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "none"
resourcesPreset: "small"
## @param cluster.worker.common.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
@@ -1668,7 +1668,7 @@ cluster:
##
containerSecurityContext:
enabled: true
seLinuxOptions: null
seLinuxOptions: {}
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true