[bitnami/pinniped] feat!: 🔒 💥 Improve security defaults (#24349)

* [bitnami/pinniped] feat!: 🔒 💥 Improve security defaults

Signed-off-by: Alejandro Moreno <amorenoc@vmware.com>

* Update README.md with readme-generator-for-helm

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

* fix pod labels

Signed-off-by: Alejandro Moreno <amorenoc@vmware.com>

---------

Signed-off-by: Alejandro Moreno <amorenoc@vmware.com>
Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>
Co-authored-by: Bitnami Containers <bitnami-bot@vmware.com>
Alejandro Moreno
2024-03-12 13:12:20 +01:00
committed by GitHub
parent 314d6aead4
commit b0633a84f4
6 changed files with 37 additions and 24 deletions


@@ -1,6 +1,6 @@
dependencies:
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
version: 2.18.0
digest: sha256:f489ae7394a4eceb24fb702901483c67a5b4fff605f19d5e2545e3a6778e1280
generated: "2024-03-05T15:20:39.546022757+01:00"
version: 2.19.0
digest: sha256:ac559eb57710d8904e266424ee364cd686d7e24517871f0c5c67f7c4500c2bcc
generated: "2024-03-11T16:49:28.46106+01:00"
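Review bot: the lock now pins `common` at 2.19.0 with a new digest, but the matching dependency constraint in `Chart.yaml` is not part of this diff; confirm it admits 2.19.0, otherwise `helm dependency build` will report the lock as out of date. The regenerated `generated` timestamp is consistent with a fresh `helm dependency update`.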


@@ -27,4 +27,4 @@ maintainers:
name: pinniped
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/pinniped
version: 1.12.1
version: 2.0.0
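Review bot: the jump from 1.12.1 to 2.0.0 is the right call given the README's "To 2.0.0" list of changed security defaults; a major bump is what tells chart consumers to read the upgrade notes before rolling this out. Nothing else to flag in this hunk.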


@@ -57,12 +57,12 @@ The command removes all the Kubernetes components associated with the chart and
### Global parameters
| Name | Description | Value |
| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
| `global.imageRegistry` | Global Docker image registry | `""` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` |
| Name | Description | Value |
| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ |
| `global.imageRegistry` | Global Docker image registry | `""` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` |
### Common parameters
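Review bot: changing `global.compatibility.openshift.adaptSecurityContext` from `disabled` to `auto` makes the rendered pod security context depend on the cluster the release is installed into: on OpenShift, `runAsUser`, `runAsGroup` and `fsGroup` are stripped; elsewhere the new 1001/1001 defaults apply. The Upgrading section should say this explicitly, because `helm template` has no cluster to detect and will always render the non-adapted form, so users diffing offline output against a live OpenShift release will see different manifests.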
@@ -117,7 +117,7 @@ The command removes all the Kubernetes components associated with the chart and
| `concierge.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
| `concierge.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
| `concierge.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `concierge.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if concierge.resources is set (concierge.resources is recommended for production). | `none` |
| `concierge.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if concierge.resources is set (concierge.resources is recommended for production). | `nano` |
| `concierge.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `concierge.podSecurityContext.enabled` | Enabled Concierge pods' Security Context | `true` |
| `concierge.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
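Review bot: moving `concierge.resourcesPreset` from `none` to `nano` is a behavioural change for every consumer who never set `concierge.resources`: their pods go from unbounded to the preset's requests and limits (defined in the common chart's `_resources.tpl`). The description already says presets are not for production; the upgrade note should name the concrete risk (CPU throttling or OOMKill under load) and point at `concierge.resources` as the override.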
@@ -127,10 +127,10 @@ The command removes all the Kubernetes components associated with the chart and
| `concierge.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `concierge.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `concierge.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `concierge.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
| `concierge.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
| `concierge.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `concierge.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
| `concierge.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
| `concierge.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
| `concierge.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
| `concierge.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
| `concierge.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
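Review bot: `readOnlyRootFilesystem: true` combined with `runAsGroup: 1001` only works if the Concierge process writes nothing to the image filesystem, or every path it writes to is backed by a volume. The deployment template changes in this PR add a label only, with no new `emptyDir` mounts, so please confirm the Concierge's tmp and data paths are already volume-backed; otherwise the failure appears at runtime as read-only filesystem errors rather than at install time. Dropping GID 0 additionally removes write access to any image paths that relied on group-0 permissions.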
@@ -237,7 +237,7 @@ The command removes all the Kubernetes components associated with the chart and
| `supervisor.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
| `supervisor.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
| `supervisor.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `supervisor.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if supervisor.resources is set (supervisor.resources is recommended for production). | `none` |
| `supervisor.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if supervisor.resources is set (supervisor.resources is recommended for production). | `nano` |
| `supervisor.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `supervisor.podSecurityContext.enabled` | Enabled Supervisor pods' Security Context | `true` |
| `supervisor.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
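Review bot: same concern as the Concierge preset change: `supervisor.resourcesPreset: nano` introduces requests and limits where there were none, and the upgrade note should direct users to `supervisor.resources` for anything beyond a test deployment.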
@@ -247,10 +247,10 @@ The command removes all the Kubernetes components associated with the chart and
| `supervisor.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `supervisor.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `supervisor.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `supervisor.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
| `supervisor.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
| `supervisor.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `supervisor.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
| `supervisor.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
| `supervisor.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
| `supervisor.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
| `supervisor.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
| `supervisor.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
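Review bot: as for the Concierge, `readOnlyRootFilesystem: true` on the Supervisor requires every writable path to be volume-backed, and no mount changes accompany this new default in the diff. Confirm the Supervisor container writes nothing locally at runtime before this ships as the default; a pod that starts but fails on first write is harder to diagnose than a failed install.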
@@ -453,6 +453,17 @@ Find more information about how to deal with common errors related to Bitnami's
## Upgrading
### To 2.0.0
This major bump changes the following security defaults:
- `runAsGroup` is changed from `0` to `1001`
- `readOnlyRootFilesystem` is set to `true`
- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case).
- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`.
This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones.
### To 1.0.0
This version brings a breaking change into the configuration, eliminating abused reuse of Pinniped service parameters.
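Review bot: the rollback guidance "change the default values to the previous ones" would be more actionable with the exact keys, since the affected parameters live under two prefixes: e.g. `--set concierge.containerSecurityContext.readOnlyRootFilesystem=false` and the `supervisor.` equivalent, likewise for `runAsGroup=0` and `resourcesPreset=none`. The third bullet's parenthetical reads awkwardly; suggest "`resourcesPreset` is not meant for production; set `resources` to values sized for your workload". It is also worth stating that `auto` for the OpenShift adaptation is a no-op outside OpenShift.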
@@ -477,4 +488,4 @@ Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
limitations under the License.
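Review bot: this hunk removes and re-adds an identical line, i.e. an end-of-file newline change; harmless, but it is unrelated to the security defaults and adds noise to the review.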


@@ -33,6 +33,7 @@ spec:
labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
app: pinniped-concierge
app.kubernetes.io/component: concierge
app.kubernetes.io/part-of: pinniped
spec:
serviceAccountName: {{ template "pinniped.concierge.serviceAccountName" . }}
{{- include "pinniped.imagePullSecrets" . | nindent 6 }}
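Review bot: adding `app.kubernetes.io/part-of: pinniped` to the pod template labels is safe only because the Deployment's `selector.matchLabels` is not touched in this hunk; a Deployment selector is immutable, so the new label must not also flow into the selector helper via the same `$podLabels` map, or the upgrade from 1.x will be rejected by the API server. The legacy `app: pinniped-concierge` label is kept, so existing Services keyed on it continue to match.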


@@ -32,6 +32,7 @@ spec:
{{- end }}
labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
app.kubernetes.io/component: supervisor
app.kubernetes.io/part-of: pinniped
spec:
serviceAccountName: {{ template "pinniped.supervisor.serviceAccountName" . }}
{{- include "pinniped.imagePullSecrets" . | nindent 6 }}


@@ -27,7 +27,7 @@ global:
openshift:
## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
##
adaptSecurityContext: disabled
adaptSecurityContext: auto
## @section Common parameters
##
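Review bot: the `@param` comment and the README table agree, so README generation stays consistent. Since `auto` is now the default, consider adding to the comment that detection needs a live cluster, so offline `helm template` renders the non-adapted form, and that users who need deterministic output across environments can pin `force` or `disabled`.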
@@ -214,7 +214,7 @@ concierge:
## @param concierge.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if concierge.resources is set (concierge.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "none"
resourcesPreset: "nano"
## @param concierge.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
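Review bot: the `## More information` link anchors on a line number (`#L15`) in `_resources.tpl`; line anchors drift as that file changes, so a link to the file or a named section is more durable. With `nano` as the default, that link is now the only place a user can see which requests and limits they are actually getting.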
@@ -257,10 +257,10 @@ concierge:
enabled: true
seLinuxOptions: null
runAsUser: 1001
runAsGroup: 0
runAsGroup: 1001
runAsNonRoot: true
privileged: false
readOnlyRootFilesystem: false
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
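Review bot: the values change matches the README table. `readOnlyRootFilesystem: true` is the most impactful line in this block and is not paired with any new writable volume in this PR; please state in the PR description which Concierge paths were checked to be read-only at runtime so the next reviewer does not have to repeat the exercise.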
@@ -634,7 +634,7 @@ supervisor:
## @param supervisor.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if supervisor.resources is set (supervisor.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "none"
resourcesPreset: "nano"
## @param supervisor.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
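Review bot: same line-anchor concern as the Concierge block: `#L15` will rot; link to the file or section instead.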
@@ -677,10 +677,10 @@ supervisor:
enabled: true
seLinuxOptions: null
runAsUser: 1001
runAsGroup: 0
runAsGroup: 1001
runAsNonRoot: true
privileged: false
readOnlyRootFilesystem: false
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
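Review bot: consistent with the Concierge block and the README. As above, the `readOnlyRootFilesystem: true` default should be accompanied by a statement of which Supervisor paths were verified read-only, or by the volume mounts that make them writable, since the templates in this PR add neither.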