Bitnami/charts
2
0
Fork 0
mirror of https://github.com/bitnami/charts.git synced 2026-03-14 14:57:22 +08:00
Code Issues Packages Projects Releases Wiki Activity

[bitnami/postgresql-ha] fix: 🔒 Improve podSecurityContext and containerSecurityContext with essential security fields (#22178)

Browse Source 
* [bitnami/postgresql-ha] fix: 🔒 Improve podSecurityContext and containerSecurityContext with essential security fields

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* chore: 🔧 Bump chart version

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

---------

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
This commit is contained in:
Javier J. Salmerón-García
2024-01-16 15:45:54 +01:00
committed by GitHub
parent 3f6468e043
commit 9ab0750fc6
3 changed files with 55 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
bitnami/postgresql-ha/Chart.yaml
View File

@@ -40,4 +40,4 @@ maintainers:
name: postgresql-ha
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/postgresql-ha
version: 12.5.1
version: 12.6.0

18
bitnami/postgresql-ha/README.md
View File

@@ -123,8 +123,12 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua
| `postgresql.schedulerName` | Use an alternate scheduler, e.g. "stork". | `""` |
| `postgresql.terminationGracePeriodSeconds` | Seconds PostgreSQL pod needs to terminate gracefully | `""` |
| `postgresql.podSecurityContext.enabled` | Enable security context for PostgreSQL with Repmgr | `true` |
| `postgresql.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `postgresql.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
| `postgresql.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `postgresql.podSecurityContext.fsGroup` | Group ID for the PostgreSQL with Repmgr filesystem | `1001` |
| `postgresql.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `postgresql.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `postgresql.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `postgresql.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `postgresql.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
@@ -249,8 +253,12 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua
| `witness.schedulerName` | Use an alternate scheduler, e.g. "stork". | `""` |
| `witness.terminationGracePeriodSeconds` | Seconds PostgreSQL witness pod needs to terminate gracefully | `""` |
| `witness.podSecurityContext.enabled` | Enable security context for PostgreSQL witness with Repmgr | `true` |
| `witness.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `witness.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
| `witness.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `witness.podSecurityContext.fsGroup` | Group ID for the PostgreSQL witness with Repmgr filesystem | `1001` |
| `witness.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `witness.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `witness.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `witness.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `witness.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
@@ -375,8 +383,12 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua
| `pgpool.nodeSelector` | Node labels for Pgpool pods assignment | `{}` |
| `pgpool.tolerations` | Tolerations for Pgpool pods assignment | `[]` |
| `pgpool.podSecurityContext.enabled` | Enable security context for Pgpool | `true` |
| `pgpool.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `pgpool.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
| `pgpool.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `pgpool.podSecurityContext.fsGroup` | Group ID for the Pgpool filesystem | `1001` |
| `pgpool.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `pgpool.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `pgpool.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `pgpool.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `pgpool.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
@@ -480,6 +492,7 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua
| `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
| `metrics.image.debug` | Specify if debug logs should be enabled | `false` |
| `metrics.podSecurityContext.enabled` | Enable security context for PostgreSQL Prometheus exporter | `true` |
| `metrics.podSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `metrics.podSecurityContext.runAsUser` | User ID for the PostgreSQL Prometheus exporter container | `1001` |
| `metrics.podSecurityContext.runAsGroup` | Group ID for the PostgreSQL Prometheus exporter container | `0` |
| `metrics.podSecurityContext.runAsNonRoot` | Set PostgreSQL Prometheus exporter container's Security Context runAsNonRoot | `true` |
@@ -543,6 +556,7 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua
| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` |
| `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
| `volumePermissions.podSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `volumePermissions.podSecurityContext.runAsUser` | Init container volume-permissions User ID | `0` |
| `volumePermissions.podSecurityContext.runAsGroup` | Group ID for the init container volume-permissions container | `0` |
| `volumePermissions.podSecurityContext.runAsNonRoot` | Set Security Context runAsNonRoot for the init container volume-permissions container | `false` |
@@ -600,8 +614,12 @@ Additionally, if `persistence.resourcePolicy` is set to `keep`, you should manua
| `backup.cronjob.ttlSecondsAfterFinished` | Set the cronjob parameter ttlSecondsAfterFinished | `""` |
| `backup.cronjob.restartPolicy` | Set the cronjob parameter restartPolicy | `OnFailure` |
| `backup.cronjob.podSecurityContext.enabled` | Enable PodSecurityContext for CronJob/Backup | `true` |
| `backup.cronjob.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `backup.cronjob.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
| `backup.cronjob.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `backup.cronjob.podSecurityContext.fsGroup` | Group ID for the CronJob | `1001` |
| `backup.cronjob.containerSecurityContext.enabled` | Enable container security context | `true` |
| `backup.cronjob.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `backup.cronjob.containerSecurityContext.runAsUser` | User ID for the backup container | `1001` |
| `backup.cronjob.containerSecurityContext.runAsGroup` | Group ID for the backup container | `0` |
| `backup.cronjob.containerSecurityContext.runAsNonRoot` | Set backup container's Security Context runAsNonRoot | `true` |

36
bitnami/postgresql-ha/values.yaml
View File

@@ -221,14 +221,21 @@ postgresql:
## K8s Security Context
## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
## @param postgresql.podSecurityContext.enabled Enable security context for PostgreSQL with Repmgr
## @param postgresql.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
## @param postgresql.podSecurityContext.sysctls Set kernel settings using the sysctl interface
## @param postgresql.podSecurityContext.supplementalGroups Set filesystem extra groups
## @param postgresql.podSecurityContext.fsGroup Group ID for the PostgreSQL with Repmgr filesystem
##
podSecurityContext:
enabled: true
fsGroupChangePolicy: Always
sysctls: []
supplementalGroups: []
fsGroup: 1001
## Container Security Context
## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
## @param postgresql.containerSecurityContext.enabled Enabled containers' Security Context
## @param postgresql.containerSecurityContext.seLinuxOptions Set SELinux options in container
## @param postgresql.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param postgresql.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param postgresql.containerSecurityContext.privileged Set container's Security Context privileged
@@ -245,6 +252,7 @@ postgresql:
##
containerSecurityContext:
enabled: true
seLinuxOptions: {}
runAsUser: 1001
runAsNonRoot: true
privileged: false
@@ -717,14 +725,21 @@ witness:
## K8s Security Context
## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
## @param witness.podSecurityContext.enabled Enable security context for PostgreSQL witness with Repmgr
## @param witness.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
## @param witness.podSecurityContext.sysctls Set kernel settings using the sysctl interface
## @param witness.podSecurityContext.supplementalGroups Set filesystem extra groups
## @param witness.podSecurityContext.fsGroup Group ID for the PostgreSQL witness with Repmgr filesystem
##
podSecurityContext:
enabled: true
fsGroupChangePolicy: Always
sysctls: []
supplementalGroups: []
fsGroup: 1001
## Container Security Context
## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
## @param witness.containerSecurityContext.enabled Enabled containers' Security Context
## @param witness.containerSecurityContext.seLinuxOptions Set SELinux options in container
## @param witness.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param witness.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param witness.containerSecurityContext.privileged Set container's Security Context privileged
@@ -741,6 +756,7 @@ witness:
##
containerSecurityContext:
enabled: true
seLinuxOptions: {}
runAsUser: 1001
runAsNonRoot: true
privileged: false
@@ -1202,14 +1218,21 @@ pgpool:
## K8s Security Context
## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
## @param pgpool.podSecurityContext.enabled Enable security context for Pgpool
## @param pgpool.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
## @param pgpool.podSecurityContext.sysctls Set kernel settings using the sysctl interface
## @param pgpool.podSecurityContext.supplementalGroups Set filesystem extra groups
## @param pgpool.podSecurityContext.fsGroup Group ID for the Pgpool filesystem
##
podSecurityContext:
enabled: true
fsGroupChangePolicy: Always
sysctls: []
supplementalGroups: []
fsGroup: 1001
## Container Security Context
## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
## @param pgpool.containerSecurityContext.enabled Enabled containers' Security Context
## @param pgpool.containerSecurityContext.seLinuxOptions Set SELinux options in container
## @param pgpool.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param pgpool.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param pgpool.containerSecurityContext.privileged Set container's Security Context privileged
@@ -1226,6 +1249,7 @@ pgpool:
##
containerSecurityContext:
enabled: true
seLinuxOptions: {}
runAsUser: 1001
runAsNonRoot: true
privileged: false
@@ -1579,6 +1603,7 @@ metrics:
## K8s Security Context
## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
## @param metrics.podSecurityContext.enabled Enable security context for PostgreSQL Prometheus exporter
## @param metrics.podSecurityContext.seLinuxOptions Set SELinux options in container
## @param metrics.podSecurityContext.runAsUser User ID for the PostgreSQL Prometheus exporter container
## @param metrics.podSecurityContext.runAsGroup Group ID for the PostgreSQL Prometheus exporter container
## @param metrics.podSecurityContext.runAsNonRoot Set PostgreSQL Prometheus exporter container's Security Context runAsNonRoot
@@ -1586,6 +1611,7 @@ metrics:
##
podSecurityContext:
enabled: true
seLinuxOptions: {}
runAsUser: 1001
runAsGroup: 0
runAsNonRoot: true
@@ -1827,12 +1853,14 @@ volumePermissions:
pullSecrets: []
## K8s Security Context
## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
## @param volumePermissions.podSecurityContext.seLinuxOptions Set SELinux options in container
## @param volumePermissions.podSecurityContext.runAsUser Init container volume-permissions User ID
## @param volumePermissions.podSecurityContext.runAsGroup Group ID for the init container volume-permissions container
## @param volumePermissions.podSecurityContext.runAsNonRoot Set Security Context runAsNonRoot for the init container volume-permissions container
## @param volumePermissions.podSecurityContext.seccompProfile.type Set Security Context seccompProfile for the init container volume-permissions container
##
podSecurityContext:
seLinuxOptions: {}
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
@@ -2016,13 +2044,20 @@ backup:
## @param backup.cronjob.restartPolicy Set the cronjob parameter restartPolicy
restartPolicy: OnFailure
## @param backup.cronjob.podSecurityContext.enabled Enable PodSecurityContext for CronJob/Backup
## @param backup.cronjob.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
## @param backup.cronjob.podSecurityContext.sysctls Set kernel settings using the sysctl interface
## @param backup.cronjob.podSecurityContext.supplementalGroups Set filesystem extra groups
## @param backup.cronjob.podSecurityContext.fsGroup Group ID for the CronJob
podSecurityContext:
enabled: true
fsGroupChangePolicy: Always
sysctls: []
supplementalGroups: []
fsGroup: 1001
## backup container's Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param backup.cronjob.containerSecurityContext.enabled Enable container security context
## @param backup.cronjob.containerSecurityContext.seLinuxOptions Set SELinux options in container
## @param backup.cronjob.containerSecurityContext.runAsUser User ID for the backup container
## @param backup.cronjob.containerSecurityContext.runAsGroup Group ID for the backup container
## @param backup.cronjob.containerSecurityContext.runAsNonRoot Set backup container's Security Context runAsNonRoot
@@ -2032,6 +2067,7 @@ backup:
## @param backup.cronjob.containerSecurityContext.capabilities.drop Set backup container's Security Context capabilities to drop
containerSecurityContext:
enabled: true
seLinuxOptions: {}
runAsUser: 1001
runAsGroup: 0
runAsNonRoot: true