Bitnami/charts
2
0
Fork 0
mirror of https://github.com/bitnami/charts.git synced 2026-03-04 14:57:36 +08:00
Code Issues Packages Projects Releases Wiki Activity

[bitnami/kubeapps] fix: 🔒 Improve podSecurityContext and containerSecurityContext with essential security fields (#22143)

Browse Source 
* [bitnami/kubeapps] fix: 🔒 Improve podSecurityContext and containerSecurityContext with essential security fields

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* chore: 🔧 Bump chart version

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

---------

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
This commit is contained in:
Javier J. Salmerón-García
2024-01-17 09:52:19 +01:00
committed by GitHub
parent f7b589aec2
commit 80e22f45b2
3 changed files with 58 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
bitnami/kubeapps/Chart.yaml
View File

@@ -52,4 +52,4 @@ maintainers:
name: kubeapps
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/kubeapps
version: 14.1.3
version: 14.2.0

19
bitnami/kubeapps/README.md
View File

@@ -133,8 +133,12 @@ Once you have installed Kubeapps follow the [Getting Started Guide](https://gith
| `frontend.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for the NGINX container | `""` |
| `frontend.containerPorts.http` | NGINX HTTP container port | `8080` |
| `frontend.podSecurityContext.enabled` | Enabled frontend pods' Security Context | `true` |
| `frontend.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `frontend.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
| `frontend.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `frontend.podSecurityContext.fsGroup` | Set frontend pod's Security Context fsGroup | `1001` |
| `frontend.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `frontend.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `frontend.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `frontend.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `frontend.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
@@ -226,8 +230,12 @@ Once you have installed Kubeapps follow the [Getting Started Guide](https://gith
| `dashboard.resources.requests.cpu` | The requested CPU for the Dashboard container | `25m` |
| `dashboard.resources.requests.memory` | The requested memory for the Dashboard container | `32Mi` |
| `dashboard.podSecurityContext.enabled` | Enabled Dashboard pods' Security Context | `true` |
| `dashboard.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `dashboard.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
| `dashboard.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `dashboard.podSecurityContext.fsGroup` | Set Dashboard pod's Security Context fsGroup | `1001` |
| `dashboard.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `dashboard.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `dashboard.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `dashboard.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `dashboard.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
@@ -312,8 +320,12 @@ Once you have installed Kubeapps follow the [Getting Started Guide](https://gith
| `apprepository.resources.requests.cpu` | The requested CPU for the AppRepository Controller container | `25m` |
| `apprepository.resources.requests.memory` | The requested memory for the AppRepository Controller container | `32Mi` |
| `apprepository.podSecurityContext.enabled` | Enabled AppRepository Controller pods' Security Context | `true` |
| `apprepository.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `apprepository.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
| `apprepository.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `apprepository.podSecurityContext.fsGroup` | Set AppRepository Controller pod's Security Context fsGroup | `1001` |
| `apprepository.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `apprepository.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `apprepository.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `apprepository.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `apprepository.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
@@ -382,6 +394,7 @@ Once you have installed Kubeapps follow the [Getting Started Guide](https://gith
| `authProxy.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Auth Proxy container(s) | `[]` |
| `authProxy.containerPorts.proxy` | Auth Proxy HTTP container port | `3000` |
| `authProxy.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `authProxy.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `authProxy.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `authProxy.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `authProxy.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
@@ -419,6 +432,7 @@ Once you have installed Kubeapps follow the [Getting Started Guide](https://gith
| `pinnipedProxy.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Pinniped Proxy container(s) | `[]` |
| `pinnipedProxy.containerPorts.pinnipedProxy` | Pinniped Proxy container port | `3333` |
| `pinnipedProxy.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `pinnipedProxy.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `pinnipedProxy.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `pinnipedProxy.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `pinnipedProxy.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
@@ -503,8 +517,12 @@ Once you have installed Kubeapps follow the [Getting Started Guide](https://gith
| `kubeappsapis.resources.requests.cpu` | The requested CPU for the KubeappsAPIs container | `25m` |
| `kubeappsapis.resources.requests.memory` | The requested memory for the KubeappsAPIs container | `32Mi` |
| `kubeappsapis.podSecurityContext.enabled` | Enabled KubeappsAPIs pods' Security Context | `true` |
| `kubeappsapis.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `kubeappsapis.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
| `kubeappsapis.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `kubeappsapis.podSecurityContext.fsGroup` | Set KubeappsAPIs pod's Security Context fsGroup | `1001` |
| `kubeappsapis.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `kubeappsapis.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `kubeappsapis.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `kubeappsapis.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `kubeappsapis.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
@@ -582,6 +600,7 @@ Once you have installed Kubeapps follow the [Getting Started Guide](https://gith
| `ociCatalog.resources.requests.cpu` | The requested CPU for the OCI Catalog container | `25m` |
| `ociCatalog.resources.requests.memory` | The requested memory for the OCI Catalog container | `32Mi` |
| `ociCatalog.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `ociCatalog.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `ociCatalog.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `ociCatalog.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `ociCatalog.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |

38
bitnami/kubeapps/values.yaml
View File

@@ -287,14 +287,21 @@ frontend:
## Configure Pods Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param frontend.podSecurityContext.enabled Enabled frontend pods' Security Context
## @param frontend.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
## @param frontend.podSecurityContext.sysctls Set kernel settings using the sysctl interface
## @param frontend.podSecurityContext.supplementalGroups Set filesystem extra groups
## @param frontend.podSecurityContext.fsGroup Set frontend pod's Security Context fsGroup
##
podSecurityContext:
enabled: true
fsGroupChangePolicy: Always
sysctls: []
supplementalGroups: []
fsGroup: 1001
## Configure Container Security Context for NGINX
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param frontend.containerSecurityContext.enabled Enabled containers' Security Context
## @param frontend.containerSecurityContext.seLinuxOptions Set SELinux options in container
## @param frontend.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param frontend.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param frontend.containerSecurityContext.privileged Set container's Security Context privileged
@@ -305,6 +312,7 @@ frontend:
##
containerSecurityContext:
enabled: true
seLinuxOptions: {}
runAsUser: 1001
runAsNonRoot: true
privileged: false
@@ -650,14 +658,21 @@ dashboard:
## Configure Pods Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param dashboard.podSecurityContext.enabled Enabled Dashboard pods' Security Context
## @param dashboard.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
## @param dashboard.podSecurityContext.sysctls Set kernel settings using the sysctl interface
## @param dashboard.podSecurityContext.supplementalGroups Set filesystem extra groups
## @param dashboard.podSecurityContext.fsGroup Set Dashboard pod's Security Context fsGroup
##
podSecurityContext:
enabled: true
fsGroupChangePolicy: Always
sysctls: []
supplementalGroups: []
fsGroup: 1001
## Configure Container Security Context for Dashboard
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param dashboard.containerSecurityContext.enabled Enabled containers' Security Context
## @param dashboard.containerSecurityContext.seLinuxOptions Set SELinux options in container
## @param dashboard.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param dashboard.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param dashboard.containerSecurityContext.privileged Set container's Security Context privileged
@@ -668,6 +683,7 @@ dashboard:
##
containerSecurityContext:
enabled: true
seLinuxOptions: {}
runAsUser: 1001
runAsNonRoot: true
privileged: false
@@ -1009,14 +1025,21 @@ apprepository:
## Configure Pods Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param apprepository.podSecurityContext.enabled Enabled AppRepository Controller pods' Security Context
## @param apprepository.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
## @param apprepository.podSecurityContext.sysctls Set kernel settings using the sysctl interface
## @param apprepository.podSecurityContext.supplementalGroups Set filesystem extra groups
## @param apprepository.podSecurityContext.fsGroup Set AppRepository Controller pod's Security Context fsGroup
##
podSecurityContext:
enabled: true
fsGroupChangePolicy: Always
sysctls: []
supplementalGroups: []
fsGroup: 1001
## Configure Container Security Context for App Repository jobs
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param apprepository.containerSecurityContext.enabled Enabled containers' Security Context
## @param apprepository.containerSecurityContext.seLinuxOptions Set SELinux options in container
## @param apprepository.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param apprepository.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param apprepository.containerSecurityContext.privileged Set container's Security Context privileged
@@ -1027,6 +1050,7 @@ apprepository:
##
containerSecurityContext:
enabled: true
seLinuxOptions: {}
runAsUser: 1001
runAsNonRoot: true
privileged: false
@@ -1277,6 +1301,7 @@ authProxy:
## Configure Container Security Context for Auth Proxy
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param authProxy.containerSecurityContext.enabled Enabled containers' Security Context
## @param authProxy.containerSecurityContext.seLinuxOptions Set SELinux options in container
## @param authProxy.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param authProxy.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param authProxy.containerSecurityContext.privileged Set container's Security Context privileged
@@ -1287,6 +1312,7 @@ authProxy:
##
containerSecurityContext:
enabled: true
seLinuxOptions: {}
runAsUser: 1001
runAsNonRoot: true
privileged: false
@@ -1401,6 +1427,7 @@ pinnipedProxy:
## Configure Container Security Context for Pinniped Proxy
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param pinnipedProxy.containerSecurityContext.enabled Enabled containers' Security Context
## @param pinnipedProxy.containerSecurityContext.seLinuxOptions Set SELinux options in container
## @param pinnipedProxy.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param pinnipedProxy.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param pinnipedProxy.containerSecurityContext.privileged Set container's Security Context privileged
@@ -1411,6 +1438,7 @@ pinnipedProxy:
##
containerSecurityContext:
enabled: true
seLinuxOptions: {}
runAsUser: 1001
runAsNonRoot: true
privileged: false
@@ -1712,14 +1740,21 @@ kubeappsapis:
## Configure Pods Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param kubeappsapis.podSecurityContext.enabled Enabled KubeappsAPIs pods' Security Context
## @param kubeappsapis.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
## @param kubeappsapis.podSecurityContext.sysctls Set kernel settings using the sysctl interface
## @param kubeappsapis.podSecurityContext.supplementalGroups Set filesystem extra groups
## @param kubeappsapis.podSecurityContext.fsGroup Set KubeappsAPIs pod's Security Context fsGroup
##
podSecurityContext:
enabled: true
fsGroupChangePolicy: Always
sysctls: []
supplementalGroups: []
fsGroup: 1001
## Configure Container Security Context for Kubeapps APIs
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param kubeappsapis.containerSecurityContext.enabled Enabled containers' Security Context
## @param kubeappsapis.containerSecurityContext.seLinuxOptions Set SELinux options in container
## @param kubeappsapis.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param kubeappsapis.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param kubeappsapis.containerSecurityContext.privileged Set container's Security Context privileged
@@ -1730,6 +1765,7 @@ kubeappsapis:
##
containerSecurityContext:
enabled: true
seLinuxOptions: {}
runAsUser: 1001
runAsNonRoot: true
privileged: false
@@ -1988,6 +2024,7 @@ ociCatalog:
## Configure Container Security Context (only main container)
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param ociCatalog.containerSecurityContext.enabled Enabled containers' Security Context
## @param ociCatalog.containerSecurityContext.seLinuxOptions Set SELinux options in container
## @param ociCatalog.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param ociCatalog.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param ociCatalog.containerSecurityContext.privileged Set container's Security Context privileged
@@ -1998,6 +2035,7 @@ ociCatalog:
##
containerSecurityContext:
enabled: true
seLinuxOptions: {}
runAsUser: 1001
runAsNonRoot: true
privileged: false