From 68ea75458a4ee8c0059b2b2c62500e6adadcbdbb Mon Sep 17 00:00:00 2001
From: Javier J. Salmerón-García
Date: Tue, 24 Oct 2023 14:29:07 +0200
Subject: [PATCH] [bitnami/mariadb] feat: :sparkles: Add support for PSA restricted policy (#20360)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* [bitnami/mariadb] feat: :sparkles: Add support for PSA restricted policy

Signed-off-by: Javier Salmeron Garcia

* test: :white_check_mark: Bump timeouts

Signed-off-by: Javier Salmeron Garcia

* test: :white_check_mark: Decrease timeouts

Signed-off-by: Javier Salmeron Garcia

* chore: :wrench: Move seccompProfile to containerSecurityContext

Signed-off-by: Javier Salmeron Garcia

* Update README.md with readme-generator-for-helm

Signed-off-by: Bitnami Containers

* chore: :wrench: Move seccompprofile

Signed-off-by: Javier Salmeron Garcia

* Update bitnami/mariadb/values.yaml

Co-authored-by: Fran Mulero
Signed-off-by: Javier J. Salmerón-García

* Update bitnami/mariadb/values.yaml

Co-authored-by: Fran Mulero
Signed-off-by: Javier J. Salmerón-García

* Update bitnami/mariadb/values.yaml

Co-authored-by: Fran Mulero
Signed-off-by: Javier J. Salmerón-García

* Update README.md with readme-generator-for-helm

Signed-off-by: Bitnami Containers

* chore: :rewind: Revert values.schema.json

Signed-off-by: Javier Salmeron Garcia

* chore: :truck: Move seccompProfile to containerSecurityContext

Signed-off-by: Javier Salmeron Garcia

* Update README.md with readme-generator-for-helm

Signed-off-by: Bitnami Containers

* fix: :bug: Add missing seccompProfile to metrics

Signed-off-by: Javier Salmeron Garcia

* chore: :wrench: Fix metadata

Signed-off-by: Javier Salmeron Garcia

---------

Signed-off-by: Javier Salmeron Garcia
Signed-off-by: Bitnami Containers
Signed-off-by: Javier J. Salmerón-García Co-authored-by: Bitnami Containers Co-authored-by: Fran Mulero --- bitnami/mariadb/Chart.yaml | 2 +- bitnami/mariadb/README.md | 8 ++++++++ bitnami/mariadb/values.yaml | 22 ++++++++++++++++++++++ 3 files changed, 31 insertions(+), 1 deletion(-) diff --git a/bitnami/mariadb/Chart.yaml b/bitnami/mariadb/Chart.yaml index 93a618a5cc..7bb02d7cfe 100644 --- a/bitnami/mariadb/Chart.yaml +++ b/bitnami/mariadb/Chart.yaml @@ -34,4 +34,4 @@ maintainers: name: mariadb sources: - https://github.com/bitnami/charts/tree/main/bitnami/mariadb -version: 14.0.3 +version: 14.1.0 diff --git a/bitnami/mariadb/README.md b/bitnami/mariadb/README.md index fc325cfa2b..8574fcccc3 100644 --- a/bitnami/mariadb/README.md +++ b/bitnami/mariadb/README.md @@ -143,6 +143,8 @@ The command removes all the Kubernetes components associated with the chart and | `primary.containerSecurityContext.runAsNonRoot` | Set primary container's Security Context runAsNonRoot | `true` | | `primary.containerSecurityContext.privileged` | Set primary container's Security Context privileged | `false` | | `primary.containerSecurityContext.allowPrivilegeEscalation` | Set primary container's Security Context allowPrivilegeEscalation | `false` | +| `primary.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `primary.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | | `primary.resources.limits` | The resources limits for MariaDB primary containers | `{}` | | `primary.resources.requests` | The requested resources for MariaDB primary containers | `{}` | | `primary.startupProbe.enabled` | Enable startupProbe | `false` | 
@@ -237,6 +239,8 @@ The command removes all the Kubernetes components associated with the chart and | `secondary.containerSecurityContext.runAsNonRoot` | Set secondary container's Security Context runAsNonRoot | `true` | | `secondary.containerSecurityContext.privileged` | Set secondary container's Security Context privileged | `false` | | `secondary.containerSecurityContext.allowPrivilegeEscalation` | Set secondary container's Security Context allowPrivilegeEscalation | `false` | +| `secondary.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `secondary.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | | `secondary.resources.limits` | The resources limits for MariaDB secondary containers | `{}` | | `secondary.resources.requests` | The requested resources for MariaDB secondary containers | `{}` | | `secondary.startupProbe.enabled` | Enable startupProbe | `false` | 
@@ -331,8 +335,12 @@ The command removes all the Kubernetes components associated with the chart and | `metrics.extraArgs` | Extra args to be passed to mysqld_exporter | `{}` | | `metrics.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MariaDB metrics container(s) | `{}` | | `metrics.containerSecurityContext.enabled` | Enable security context for MariaDB metrics container | `false` | +| `metrics.containerSecurityContext.runAsUser` | User ID for the MariaDB metrics container | `1001` | +| `metrics.containerSecurityContext.runAsNonRoot` | Set metrics container's Security Context runAsNonRoot | `true` | | `metrics.containerSecurityContext.privileged` | Set metrics container's Security Context privileged | `false` | | `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set metrics container's Security Context allowPrivilegeEscalation | `false` | +| `metrics.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `metrics.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | | `metrics.resources.limits` | The resources limits for MariaDB prometheus exporter containers | `{}` | | `metrics.resources.requests` | The requested resources for MariaDB prometheus exporter containers | `{}` | | `metrics.livenessProbe.enabled` | Enable livenessProbe | `true` | diff --git a/bitnami/mariadb/values.yaml b/bitnami/mariadb/values.yaml index 29f44fe499..779a8456d9 100644 --- a/bitnami/mariadb/values.yaml +++ b/bitnami/mariadb/values.yaml 
@@ -325,6 +325,8 @@ primary: ## @param primary.containerSecurityContext.runAsNonRoot Set primary container's Security Context runAsNonRoot ## @param primary.containerSecurityContext.privileged Set primary container's Security Context privileged ## @param primary.containerSecurityContext.allowPrivilegeEscalation Set primary container's Security Context allowPrivilegeEscalation + ## @param primary.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param primary.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile ## containerSecurityContext: enabled: true @@ -332,6 +334,10 @@ primary: runAsNonRoot: true privileged: false allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" ## MariaDB primary container's resource requests and limits ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ ## We usually recommend not to specify default resources and to leave this as a conscious @@ -721,6 +727,8 @@ secondary: ## @param secondary.containerSecurityContext.runAsNonRoot Set secondary container's Security Context runAsNonRoot ## @param secondary.containerSecurityContext.privileged Set secondary container's Security Context privileged ## @param secondary.containerSecurityContext.allowPrivilegeEscalation Set secondary container's Security Context allowPrivilegeEscalation + ## @param secondary.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param secondary.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile ## containerSecurityContext: enabled: true 
@@ -728,6 +736,10 @@ secondary: runAsNonRoot: true privileged: false allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" ## MariaDB secondary container's resource requests and limits ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ ## We usually recommend not to specify default resources and to leave this as a conscious @@ -1104,8 +1116,12 @@ metrics: ## MariaDB metrics container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param metrics.containerSecurityContext.enabled Enable security context for MariaDB metrics container + ## @param metrics.containerSecurityContext.runAsUser User ID for the MariaDB metrics container + ## @param metrics.containerSecurityContext.runAsNonRoot Set metrics container's Security Context runAsNonRoot ## @param metrics.containerSecurityContext.privileged Set metrics container's Security Context privileged ## @param metrics.containerSecurityContext.allowPrivilegeEscalation Set metrics container's Security Context allowPrivilegeEscalation + ## @param metrics.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param metrics.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile ## Example: ## containerSecurityContext: ## enabled: true @@ -1116,7 +1132,13 @@ metrics: containerSecurityContext: enabled: false privileged: false + runAsNonRoot: true + runAsUser: 1001 allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" ## Mysqld Prometheus exporter resource requests and limits ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ ## We usually recommend not to specify default resources and to leave this as a conscious
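Review bot: the Chart.yaml hunk bumps `version: 14.0.3` to `14.1.0`, but the diffstat shows only Chart.yaml, README.md and values.yaml changing, and none of the README hunks add an upgrade note, even though existing releases will pick up a changed default securityContext (`capabilities.drop: ["ALL"]` and `seccompProfile.type: RuntimeDefault`) on the primary and secondary containers at upgrade time. Please add a "To 14.1.0" entry to the README upgrade notes describing the new defaults and how to revert them (e.g. `primary.containerSecurityContext.capabilities.drop=[]`). Also confirm that the StatefulSet templates render `containerSecurityContext` by passing the whole map through (`omit ... "enabled" | toYaml`) rather than emitting individual fields, since no template changes are in this patch and otherwise the new `capabilities` and `seccompProfile` keys are silently ignored; and, given the "Revert values.schema.json" entry in the history, that the schema does not reject the new keys under `containerSecurityContext`.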
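Review bot: in the values.yaml `primary:` hunk the new `@param` descriptions are inconsistent with their neighbours: `## @param primary.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile` drops the "primary" qualifier that every adjacent line carries (`Set primary container's Security Context runAsNonRoot`, `... privileged`, `... allowPrivilegeEscalation`), and `List of capabilities to be dropped` follows a different pattern altogether. Since README.md is generated from these comments, fix them here (e.g. `Set primary container's Security Context seccomp profile` and `Set primary container's Security Context capabilities to drop`) and regenerate; the same applies to the `secondary:` and `metrics:` hunks, where the identical wording was copied.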
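Review bot: the values.yaml `metrics:` hunk leaves `containerSecurityContext.enabled: false`, so none of the newly added `runAsNonRoot: true`, `runAsUser: 1001`, `capabilities.drop: ["ALL"]` and `seccompProfile.type: "RuntimeDefault"` defaults are applied to the exporter sidecar unless the user flips that flag. With `metrics.enabled=true` the pod would therefore still fail admission under the restricted Pod Security Standard this PR is meant to support, because the metrics container has no container-level runAsNonRoot, capability drop or seccomp profile. Consider defaulting `enabled: true` as the primary and secondary blocks already do. Separately, the field order in this hunk (`enabled`, `privileged`, `runAsNonRoot`, `runAsUser`, `allowPrivilegeEscalation`, `capabilities`, `seccompProfile`) does not match the order of the `@param` comments above it (`enabled`, `runAsUser`, `runAsNonRoot`, `privileged`, `allowPrivilegeEscalation`, ...) nor the primary/secondary blocks; please align it.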
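Review bot: in the README `metrics` table hunk the new `runAsUser`, `runAsNonRoot`, `capabilities.drop` and `seccompProfile.type` rows sit directly under `metrics.containerSecurityContext.enabled | ... | false`, so a reader scanning the table will assume these values are in effect by default when they are not. If the `enabled: false` default is kept, add a sentence to the README's security or metrics section stating that `metrics.containerSecurityContext.enabled=true` must be set for the metrics container to satisfy the restricted policy.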