From 6925aa1591a2cd364d1704860a86a6f0315b3723 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Javier=20J=2E=20Salmer=C3=B3n-Garc=C3=ADa?= Date: Tue, 27 Feb 2024 11:58:45 +0100 Subject: [PATCH] [bitnami/harbor] feat: :sparkles: :lock: Add readOnlyRootFilesystem support (#23914) * [bitnami/harbor] feat: :sparkles: :lock: Add readOnlyRootFilesystem support Signed-off-by: Javier Salmeron Garcia * Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers --------- Signed-off-by: Javier Salmeron Garcia Signed-off-by: Bitnami Containers Co-authored-by: Bitnami Containers --- bitnami/harbor/Chart.yaml | 2 +- bitnami/harbor/README.md | 8 ++++++++ bitnami/harbor/templates/core/core-dpl.yaml | 5 +++++ .../harbor/templates/exporter/exporter-dpl.yaml | 5 +++++ .../templates/jobservice/jobservice-dpl.yaml | 8 ++++++++ bitnami/harbor/templates/nginx/deployment.yaml | 11 +++++++++++ bitnami/harbor/templates/portal/portal-dpl.yaml | 5 +++++ .../harbor/templates/registry/registry-dpl.yaml | 11 +++++++++++ bitnami/harbor/templates/trivy/trivy-sts.yaml | 8 ++++++++ bitnami/harbor/values.yaml | 16 ++++++++++++++++ 10 files changed, 78 insertions(+), 1 deletion(-)
diff --git a/bitnami/harbor/Chart.yaml b/bitnami/harbor/Chart.yaml
index 0acb41e3c4..a3ab487bd7 100644
--- a/bitnami/harbor/Chart.yaml
+++ b/bitnami/harbor/Chart.yaml
@@ -55,4 +55,4 @@ maintainers:
 name: harbor
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/harbor
-version: 19.8.2
+version: 19.9.0
diff --git a/bitnami/harbor/README.md b/bitnami/harbor/README.md
index a416cdb8ed..937ac289bc 100644
--- a/bitnami/harbor/README.md
+++ b/bitnami/harbor/README.md
@@ -308,6 +308,7 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua
 | `nginx.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
 | `nginx.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
 | `nginx.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
+| `nginx.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
 | `nginx.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
 | `nginx.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
 | `nginx.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
@@ -394,6 +395,7 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua
 | `portal.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
 | `portal.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
 | `portal.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
+| `portal.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
 | `portal.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
 | `portal.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
 | `portal.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
@@ -495,6 +497,7 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua
 | `core.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
 | `core.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
 | `core.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
+| `core.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
 | `core.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
 | `core.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
 | `core.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
@@ -590,6 +593,7 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua
 | `jobservice.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
 | `jobservice.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
 | `jobservice.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
+| `jobservice.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
 | `jobservice.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
 | `jobservice.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
 | `jobservice.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
@@ -721,6 +725,7 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua
 | `registry.server.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
 | `registry.server.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
 | `registry.server.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
+| `registry.server.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
 | `registry.server.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
 | `registry.server.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
 | `registry.server.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
@@ -771,6 +776,7 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua
 | `registry.controller.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
 | `registry.controller.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
 | `registry.controller.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
+| `registry.controller.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
 | `registry.controller.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
 | `registry.controller.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
 | `registry.controller.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
@@ -841,6 +847,7 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua
 | `trivy.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
 | `trivy.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
 | `trivy.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
+| `trivy.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
 | `trivy.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
 | `trivy.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
 | `trivy.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
@@ -927,6 +934,7 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua
 | `exporter.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
 | `exporter.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
 | `exporter.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
+| `exporter.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
 | `exporter.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
 | `exporter.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
 | `exporter.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
diff --git a/bitnami/harbor/templates/core/core-dpl.yaml b/bitnami/harbor/templates/core/core-dpl.yaml
index 809ebdef54..17e45c3ca5 100644
--- a/bitnami/harbor/templates/core/core-dpl.yaml
+++ b/bitnami/harbor/templates/core/core-dpl.yaml
@@ -202,6 +202,9 @@ spec:
 resources: {{- include "common.resources.preset" (dict "type" .Values.core.resourcesPreset) | nindent 12 }}
 {{- end }}
 volumeMounts:
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
 - name: config
 mountPath: /etc/core/app.conf
 subPath: app.conf
@@ -236,6 +239,8 @@ spec:
 {{- include "common.tplvalues.render" (dict "value" .Values.core.sidecars "context" $) | nindent 8 }}
 {{- end }}
 volumes:
+ - name: empty-dir
+ emptyDir: {}
 - name: config
 configMap:
 name: {{ include "harbor.core" . }}
diff --git a/bitnami/harbor/templates/exporter/exporter-dpl.yaml b/bitnami/harbor/templates/exporter/exporter-dpl.yaml
index a74a483e54..f1bafa2728 100644
--- a/bitnami/harbor/templates/exporter/exporter-dpl.yaml
+++ b/bitnami/harbor/templates/exporter/exporter-dpl.yaml
@@ -168,6 +168,9 @@ spec:
 resources: {{- include "common.resources.preset" (dict "type" .Values.exporter.resourcesPreset) | nindent 12 }}
 {{- end }}
 volumeMounts:
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
 {{- if .Values.internalTLS.enabled }}
 - name: internal-tls-certs
 mountPath: /etc/harbor/ssl/exporter
@@ -182,6 +185,8 @@ spec:
 {{- include "common.tplvalues.render" (dict "value" .Values.exporter.sidecars "context" $) | nindent 8 }}
 {{- end }}
 volumes:
+ - name: empty-dir
+ emptyDir: {}
 {{- if .Values.internalTLS.enabled }}
 - name: internal-tls-certs
 secret:
diff --git a/bitnami/harbor/templates/jobservice/jobservice-dpl.yaml b/bitnami/harbor/templates/jobservice/jobservice-dpl.yaml
index c93c3463db..5b55cb71f7 100644
--- a/bitnami/harbor/templates/jobservice/jobservice-dpl.yaml
+++ b/bitnami/harbor/templates/jobservice/jobservice-dpl.yaml
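Review bot: The `empty-dir` volume added under `volumes:` in core-dpl.yaml is declared as `emptyDir: {}` with no `sizeLimit`, so the new writable `/tmp` is bounded only by the node's ephemeral storage and a runaway or compromised container can push the node into disk pressure. The same declaration is repeated in the `volumes:` hunks of exporter-dpl.yaml, jobservice-dpl.yaml, nginx/deployment.yaml, portal-dpl.yaml, registry-dpl.yaml and trivy-sts.yaml. Consider rendering `emptyDir:` with a `sizeLimit: <limit taken from a chart value>` so operators can cap the scratch space per component. The pod `spec:` continues outside the hunk.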
@@ -97,6 +97,9 @@ spec:
 resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }}
 {{- end }}
 volumeMounts:
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
 - name: job-logs
 mountPath: /var/log/jobs
 subPath: {{ .Values.persistence.persistentVolumeClaim.jobservice.subPath }}
@@ -215,6 +218,9 @@ spec:
 resources: {{- include "common.resources.preset" (dict "type" .Values.jobservice.resourcesPreset) | nindent 12 }}
 {{- end }}
 volumeMounts:
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
 - name: jobservice-config
 mountPath: /etc/jobservice/config.yml
 subPath: config.yml
@@ -235,6 +241,8 @@ spec:
 {{- include "common.tplvalues.render" (dict "value" .Values.jobservice.sidecars "context" $) | nindent 8 }}
 {{- end }}
 volumes:
+ - name: empty-dir
+ emptyDir: {}
 - name: jobservice-config
 secret:
 secretName: {{ include "harbor.jobservice" . }}-config
diff --git a/bitnami/harbor/templates/nginx/deployment.yaml b/bitnami/harbor/templates/nginx/deployment.yaml
index 8deeae7b68..cbd9740708 100644
--- a/bitnami/harbor/templates/nginx/deployment.yaml
+++ b/bitnami/harbor/templates/nginx/deployment.yaml
@@ -152,6 +152,15 @@ spec:
 resources: {{- include "common.resources.preset" (dict "type" .Values.nginx.resourcesPreset) | nindent 12 }}
 {{- end }}
 volumeMounts:
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
+ - name: empty-dir
+ mountPath: /opt/bitnami/nginx/conf
+ subPath: app-conf-dir
+ - name: empty-dir
+ mountPath: /opt/bitnami/nginx/tmp
+ subPath: app-tmp-dir
 - name: config
 mountPath: /opt/bitnami/nginx/conf/nginx.conf
 subPath: nginx.conf
@@ -166,6 +175,8 @@ spec:
 {{- include "common.tplvalues.render" (dict "value" .Values.nginx.sidecars "context" $) | nindent 8 }}
 {{- end }}
 volumes:
+ - name: empty-dir
+ emptyDir: {}
 - name: config
 configMap:
 name: {{ include "harbor.nginx" . }}
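Review bot: Mounting `empty-dir` at `/opt/bitnami/nginx/conf` (subPath `app-conf-dir`) in the nginx `volumeMounts:` hunk replaces the image's configuration directory with an empty writable one, and the only file this hunk shows being put back is `nginx.conf` from the `config` ConfigMap. Two things are worth confirming: that nothing else the server loads from that directory is lost (presumably an entrypoint repopulates it, which is not visible here), and that the directory really has to be writable at runtime, since that leaves the proxy's configuration tree modifiable by the container process even when `readOnlyRootFilesystem` is `true`. A comment above the mount such as `# writable conf dir required by the image; nginx.conf itself comes from the ConfigMap mount below` would record the intent. The container spec continues outside the hunk.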
diff --git a/bitnami/harbor/templates/portal/portal-dpl.yaml b/bitnami/harbor/templates/portal/portal-dpl.yaml
index ed3877f11b..a3ac33a2ac 100644
--- a/bitnami/harbor/templates/portal/portal-dpl.yaml
+++ b/bitnami/harbor/templates/portal/portal-dpl.yaml
@@ -144,6 +144,9 @@ spec:
 resources: {{- include "common.resources.preset" (dict "type" .Values.portal.resourcesPreset) | nindent 12 }}
 {{- end }}
 volumeMounts:
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
 - name: portal-config
 mountPath: /opt/bitnami/nginx/conf/nginx.conf
 subPath: nginx.conf
@@ -158,6 +161,8 @@ spec:
 {{- include "common.tplvalues.render" (dict "value" .Values.portal.sidecars "context" $) | nindent 8 }}
 {{- end }}
 volumes:
+ - name: empty-dir
+ emptyDir: {}
 - name: portal-config
 configMap:
 name: {{ include "harbor.portal" . }}
diff --git a/bitnami/harbor/templates/registry/registry-dpl.yaml b/bitnami/harbor/templates/registry/registry-dpl.yaml
index 248e9994ac..d7f581d48b 100644
--- a/bitnami/harbor/templates/registry/registry-dpl.yaml
+++ b/bitnami/harbor/templates/registry/registry-dpl.yaml
@@ -95,6 +95,9 @@ spec:
 resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }}
 {{- end }}
 volumeMounts:
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
 - name: registry-data
 mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }}
 subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }}
@@ -195,6 +198,9 @@ spec:
 resources: {{- include "common.resources.preset" (dict "type" .Values.registry.server.resourcesPreset) | nindent 12 }}
 {{- end }}
 volumeMounts:
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
 - name: registry-data
 mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }}
 subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }}
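Review bot: The portal container receives only the `/tmp` mount, although its `portal-config` mount at `/opt/bitnami/nginx/conf/nginx.conf` shows it uses the same nginx layout for which nginx/deployment.yaml also adds a writable `/opt/bitnami/nginx/tmp`. If portal's nginx writes its pid or temp files under that path, the pod would fail to start once `portal.containerSecurityContext.readOnlyRootFilesystem` is set to `true`; whether it does depends on the ConfigMap's nginx.conf, which is not visible here. Either add the matching mount (`mountPath: /opt/bitnami/nginx/tmp` with `subPath: app-tmp-dir`) or leave a comment stating why portal does not need it. The container spec continues outside the hunk.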
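Review bot: Every container touched in registry-dpl.yaml mounts the same `empty-dir` volume with the same `subPath: tmp-dir` at `/tmp`: the volume-permissions init container in this hunk, the registry server (hunk at -195) and the controller (hunk at -348). Assuming they run in one pod, as the single `volumes:` hunk suggests, they share one `/tmp`, so temp files written by one container are readable and replaceable by the others and anything the init container leaves behind is still present when the main containers start. Giving each container its own subPath, for example `subPath: server-tmp-dir` and `subPath: controller-tmp-dir`, keeps the scratch space isolated. The same init/main sharing appears in jobservice-dpl.yaml and trivy-sts.yaml.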
@@ -348,6 +354,9 @@ spec:
 resources: {{- include "common.resources.preset" (dict "type" .Values.registry.controller.resourcesPreset) | nindent 12 }}
 {{- end }}
 volumeMounts:
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
 - name: registry-data
 mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }}
 subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }}
@@ -383,6 +392,8 @@ spec:
 {{- include "common.tplvalues.render" (dict "value" .Values.registry.sidecars "context" $) | nindent 8 }}
 {{- end }}
 volumes:
+ - name: empty-dir
+ emptyDir: {}
 - name: registry-htpasswd
 secret:
 {{- if .Values.registry.existingSecret }}
diff --git a/bitnami/harbor/templates/trivy/trivy-sts.yaml b/bitnami/harbor/templates/trivy/trivy-sts.yaml
index bf6139fc91..3daec30be7 100644
--- a/bitnami/harbor/templates/trivy/trivy-sts.yaml
+++ b/bitnami/harbor/templates/trivy/trivy-sts.yaml
@@ -93,6 +93,9 @@ spec:
 resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }}
 {{- end }}
 volumeMounts:
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
 - name: data
 mountPath: {{ .Values.trivy.cacheDir }}
 {{- end }}
@@ -174,6 +177,9 @@ spec:
 resources: {{- include "common.resources.preset" (dict "type" .Values.trivy.resourcesPreset) | nindent 12 }}
 {{- end }}
 volumeMounts:
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
 - name: data
 mountPath: {{ .Values.trivy.cacheDir }}
 readOnly: false
@@ -191,6 +197,8 @@ spec:
 {{- include "common.tplvalues.render" (dict "value" .Values.trivy.sidecars "context" $) | nindent 8 }}
 {{- end }}
 volumes:
+ - name: empty-dir
+ emptyDir: {}
 {{- if .Values.internalTLS.enabled }}
 - name: internal-tls-certs
 secret:
diff --git a/bitnami/harbor/values.yaml b/bitnami/harbor/values.yaml
index 338f661024..f0a51de0f5 100644
--- a/bitnami/harbor/values.yaml
+++ b/bitnami/harbor/values.yaml
@@ -796,6 +796,7 @@ nginx:
 ## @param nginx.containerSecurityContext.enabled Enabled containers' Security Context
 ## @param nginx.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
 ## @param nginx.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
+ ## @param nginx.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
 ## @param nginx.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
 ## @param nginx.containerSecurityContext.privileged Set container's Security Context privileged
 ## @param nginx.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@@ -807,6 +808,7 @@ nginx:
 enabled: true
 seLinuxOptions: null
 runAsUser: 1001
+ runAsGroup: 0
 runAsNonRoot: true
 privileged: false
 readOnlyRootFilesystem: false
@@ -1133,6 +1135,7 @@ portal:
 ## @param portal.containerSecurityContext.enabled Enabled containers' Security Context
 ## @param portal.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
 ## @param portal.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
+ ## @param portal.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
 ## @param portal.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
 ## @param portal.containerSecurityContext.privileged Set container's Security Context privileged
 ## @param portal.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@@ -1144,6 +1147,7 @@ portal:
 enabled: true
 seLinuxOptions: null
 runAsUser: 1001
+ runAsGroup: 0
 runAsNonRoot: true
 privileged: false
 readOnlyRootFilesystem: false
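Review bot: The new default `runAsGroup: 0` in the nginx `containerSecurityContext` makes the root group the primary group of the container process, and the `@param` line added for it only repeats the field name. With `runAsUser: 1001` the process is still non-root, but it gains group access to any file or mounted volume that is owned by GID 0 and group-writable, so the reason for choosing 0 should be stated next to the key. Suggest a comment such as `## GID 0 keeps the image's group-writable directories usable under an arbitrary UID; override with a dedicated GID where volumes allow it` — presumably that is the motivation, please confirm. The same default is added for portal, core, jobservice, registry.server, registry.controller, trivy and exporter.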
@@ -1536,6 +1540,7 @@ core:
 ## @param core.containerSecurityContext.enabled Enabled containers' Security Context
 ## @param core.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
 ## @param core.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
+ ## @param core.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
 ## @param core.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
 ## @param core.containerSecurityContext.privileged Set container's Security Context privileged
 ## @param core.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@@ -1547,6 +1552,7 @@ core:
 enabled: true
 seLinuxOptions: null
 runAsUser: 1001
+ runAsGroup: 0
 runAsNonRoot: true
 privileged: false
 readOnlyRootFilesystem: false
@@ -1904,6 +1910,7 @@ jobservice:
 ## @param jobservice.containerSecurityContext.enabled Enabled containers' Security Context
 ## @param jobservice.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
 ## @param jobservice.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
+ ## @param jobservice.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
 ## @param jobservice.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
 ## @param jobservice.containerSecurityContext.privileged Set container's Security Context privileged
 ## @param jobservice.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@@ -1915,6 +1922,7 @@ jobservice:
 enabled: true
 seLinuxOptions: null
 runAsUser: 1001
+ runAsGroup: 0
 runAsNonRoot: true
 privileged: false
 readOnlyRootFilesystem: false
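Review bot: `readOnlyRootFilesystem: false` remains the default in the core `containerSecurityContext` block, and in the other seven blocks this patch touches, so the `empty-dir` mounts the templates now add are unconditional while the hardening they enable stays opt-in. Anyone installing with default values still gets a writable root filesystem in every Harbor component. If flipping the default is out of scope for this change, a comment above the key such as `## Set to true to run with an immutable root filesystem; writable paths are provided by the empty-dir volume` would tell operators the option is now expected to work. The block continues outside the hunk.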
@@ -2467,6 +2475,7 @@ registry:
 ## @param registry.server.containerSecurityContext.enabled Enabled containers' Security Context
 ## @param registry.server.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
 ## @param registry.server.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
+ ## @param registry.server.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
 ## @param registry.server.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
 ## @param registry.server.containerSecurityContext.privileged Set container's Security Context privileged
 ## @param registry.server.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@@ -2478,6 +2487,7 @@ registry:
 enabled: true
 seLinuxOptions: null
 runAsUser: 1001
+ runAsGroup: 0
 runAsNonRoot: true
 privileged: false
 readOnlyRootFilesystem: false
@@ -2633,6 +2643,7 @@ registry:
 ## @param registry.controller.containerSecurityContext.enabled Enabled containers' Security Context
 ## @param registry.controller.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
 ## @param registry.controller.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
+ ## @param registry.controller.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
 ## @param registry.controller.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
 ## @param registry.controller.containerSecurityContext.privileged Set container's Security Context privileged
 ## @param registry.controller.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@@ -2644,6 +2655,7 @@ registry:
 enabled: true
 seLinuxOptions: null
 runAsUser: 1001
+ runAsGroup: 0
 runAsNonRoot: true
 privileged: false
 readOnlyRootFilesystem: false
@@ -2866,6 +2878,7 @@ trivy:
 ## @param trivy.containerSecurityContext.enabled Enabled containers' Security Context
 ## @param trivy.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
 ## @param trivy.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
+ ## @param trivy.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
 ## @param trivy.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
 ## @param trivy.containerSecurityContext.privileged Set container's Security Context privileged
 ## @param trivy.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@@ -2877,6 +2890,7 @@ trivy:
 enabled: true
 seLinuxOptions: null
 runAsUser: 1001
+ runAsGroup: 0
 runAsNonRoot: true
 privileged: false
 readOnlyRootFilesystem: false
@@ -3206,6 +3220,7 @@ exporter:
 ## @param exporter.containerSecurityContext.enabled Enabled containers' Security Context
 ## @param exporter.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
 ## @param exporter.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
+ ## @param exporter.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
 ## @param exporter.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
 ## @param exporter.containerSecurityContext.privileged Set container's Security Context privileged
 ## @param exporter.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@@ -3217,6 +3232,7 @@ exporter:
 enabled: true
 seLinuxOptions: null
 runAsUser: 1001
+ runAsGroup: 0
 runAsNonRoot: true
 privileged: false
 readOnlyRootFilesystem: false