mirror of
https://github.com/bitnami/charts.git
synced 2026-03-05 14:57:31 +08:00
[bitnami/mariadb] feat!: 🔒 💥 Improve security defaults (#24172)
* [bitnami/mariadb] feat!: 🔒 💥 Improve security defaults
  Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
* docs: 📝 Add upgrading notes
  Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
* chore: ⬆️ Bump common subchart
  Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
---------
Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
committed by GitHub
parent 3911a570a3
commit b427d4a702
@@ -1,6 +1,6 @@
|
||||
dependencies:
|
||||
- name: common
|
||||
repository: oci://registry-1.docker.io/bitnamicharts
|
||||
version: 2.18.0
|
||||
digest: sha256:f489ae7394a4eceb24fb702901483c67a5b4fff605f19d5e2545e3a6778e1280
|
||||
generated: "2024-03-05T14:35:54.482130622+01:00"
|
||||
version: 2.19.0
|
||||
digest: sha256:ac559eb57710d8904e266424ee364cd686d7e24517871f0c5c67f7c4500c2bcc
|
||||
generated: "2024-03-08T11:25:32.224991562+01:00"
|
||||
|
||||
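Review bot: the regenerated Chart.lock pins `common` at 2.19.0, but the Chart.yaml hunk in this change only bumps the chart `version` (16.5.0 to 17.0.0) and does not show the `dependencies` constraint; confirm that the `common` version in Chart.yaml was raised to match, otherwise a fresh `helm dependency update` can resolve an older `common` that lacks `common.resources.preset`, which the statefulset templates in this diff now call.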
@@ -34,4 +34,4 @@ maintainers:
|
||||
name: mariadb
|
||||
sources:
|
||||
- https://github.com/bitnami/charts/tree/main/bitnami/mariadb
|
||||
version: 16.5.0
|
||||
version: 17.0.0
|
||||
|
||||
@@ -144,12 +144,12 @@ As an alternative, this chart supports using an initContainer to change the owne
|
||||
|
||||
### Global parameters
|
||||
|
||||
| Name | Description | Value |
|
||||
| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
|
||||
| `global.imageRegistry` | Global Docker Image registry | `""` |
|
||||
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
|
||||
| `global.storageClass` | Global storage class for dynamic provisioning | `""` |
|
||||
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` |
|
||||
| Name | Description | Value |
|
||||
| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ |
|
||||
| `global.imageRegistry` | Global Docker Image registry | `""` |
|
||||
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
|
||||
| `global.storageClass` | Global storage class for dynamic provisioning | `""` |
|
||||
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` |
|
||||
|
||||
### Common parameters
|
||||
|
||||
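Review bot: with `auto` the rendered securityContext now depends on which cluster Helm talks to (on OpenShift `runAsUser`, `runAsGroup` and `fsGroup` are dropped, elsewhere they stay), so the table text should say how the detection works and whether `helm template` run without cluster access behaves as `disabled`; users who diff offline-rendered manifests against a live upgrade will otherwise see unexplained differences.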
@@ -229,16 +229,16 @@ As an alternative, this chart supports using an initContainer to change the owne
|
||||
| `primary.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
|
||||
| `primary.podSecurityContext.fsGroup` | Group ID for the mounted volumes' filesystem | `1001` |
|
||||
| `primary.containerSecurityContext.enabled` | MariaDB primary container securityContext | `true` |
|
||||
| `primary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
|
||||
| `primary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
|
||||
| `primary.containerSecurityContext.runAsUser` | User ID for the MariaDB primary container | `1001` |
|
||||
| `primary.containerSecurityContext.runAsGroup` | Group ID for the MariaDB primary container | `0` |
|
||||
| `primary.containerSecurityContext.runAsGroup` | Group ID for the MariaDB primary container | `1001` |
|
||||
| `primary.containerSecurityContext.runAsNonRoot` | Set primary container's Security Context runAsNonRoot | `true` |
|
||||
| `primary.containerSecurityContext.privileged` | Set primary container's Security Context privileged | `false` |
|
||||
| `primary.containerSecurityContext.allowPrivilegeEscalation` | Set primary container's Security Context allowPrivilegeEscalation | `false` |
|
||||
| `primary.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
|
||||
| `primary.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
|
||||
| `primary.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
|
||||
| `primary.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
|
||||
| `primary.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). | `none` |
|
||||
| `primary.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). | `nano` |
|
||||
| `primary.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
|
||||
| `primary.startupProbe.enabled` | Enable startupProbe | `false` |
|
||||
| `primary.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `120` |
|
||||
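Review bot: `readOnlyRootFilesystem` now defaults to `true`, yet the only primary statefulset hunk in this diff touches `resources`, so the change relies on writable emptyDir mounts already existing for every path the server writes at runtime (generated config, tmp/socket and pid files, logs). Please confirm they are in place and list those paths in the upgrade note, so that init scripts writing elsewhere fail for a documented reason. The `seLinuxOptions` default change from `nil` to `{}` is also not mentioned in the To 17.0.0 section.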
@@ -333,16 +333,16 @@ As an alternative, this chart supports using an initContainer to change the owne
|
||||
| `secondary.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
|
||||
| `secondary.podSecurityContext.fsGroup` | Group ID for the mounted volumes' filesystem | `1001` |
|
||||
| `secondary.containerSecurityContext.enabled` | MariaDB secondary container securityContext | `true` |
|
||||
| `secondary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
|
||||
| `secondary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
|
||||
| `secondary.containerSecurityContext.runAsUser` | User ID for the MariaDB secondary container | `1001` |
|
||||
| `secondary.containerSecurityContext.runAsGroup` | Group ID for the MariaDB secondary container | `0` |
|
||||
| `secondary.containerSecurityContext.runAsGroup` | Group ID for the MariaDB secondary container | `1001` |
|
||||
| `secondary.containerSecurityContext.runAsNonRoot` | Set secondary container's Security Context runAsNonRoot | `true` |
|
||||
| `secondary.containerSecurityContext.privileged` | Set secondary container's Security Context privileged | `false` |
|
||||
| `secondary.containerSecurityContext.allowPrivilegeEscalation` | Set secondary container's Security Context allowPrivilegeEscalation | `false` |
|
||||
| `secondary.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
|
||||
| `secondary.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
|
||||
| `secondary.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
|
||||
| `secondary.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
|
||||
| `secondary.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if secondary.resources is set (secondary.resources is recommended for production). | `none` |
|
||||
| `secondary.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if secondary.resources is set (secondary.resources is recommended for production). | `nano` |
|
||||
| `secondary.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
|
||||
| `secondary.startupProbe.enabled` | Enable startupProbe | `false` |
|
||||
| `secondary.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `120` |
|
||||
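Review bot: the secondary table mirrors the primary changes line for line, and the same question about writable mounts under `readOnlyRootFilesystem: true` applies to the secondary statefulset, whose hunk in this diff likewise only changes `resources`.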
@@ -419,7 +419,7 @@ As an alternative, this chart supports using an initContainer to change the owne
|
||||
| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
|
||||
| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` |
|
||||
| `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
|
||||
| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `none` |
|
||||
| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `nano` |
|
||||
| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
|
||||
|
||||
### Metrics parameters
|
||||
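Review bot: `volumePermissions.resourcesPreset` is documented as ignored when `volumePermissions.resources` is set (default `{}`), but no volume-permissions init-container template appears in this diff. The primary and secondary statefulsets gained a `{{- if .Values.*.resources }} ... {{- else if ne .Values.*.resourcesPreset "none" }}` branch for exactly this; confirm the init container has the same logic, otherwise the new `nano` default is never rendered for it.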
@@ -437,16 +437,16 @@ As an alternative, this chart supports using an initContainer to change the owne
|
||||
| `metrics.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MariaDB metrics container(s) | `{}` |
|
||||
| `metrics.containerPorts.http` | Container port for http | `9104` |
|
||||
| `metrics.containerSecurityContext.enabled` | Enable security context for MariaDB metrics container | `false` |
|
||||
| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
|
||||
| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
|
||||
| `metrics.containerSecurityContext.runAsUser` | User ID for the MariaDB metrics container | `1001` |
|
||||
| `metrics.containerSecurityContext.runAsGroup` | Group ID for the MariaDB metrics container | `0` |
|
||||
| `metrics.containerSecurityContext.runAsGroup` | Group ID for the MariaDB metrics container | `1001` |
|
||||
| `metrics.containerSecurityContext.runAsNonRoot` | Set metrics container's Security Context runAsNonRoot | `true` |
|
||||
| `metrics.containerSecurityContext.privileged` | Set metrics container's Security Context privileged | `false` |
|
||||
| `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set metrics container's Security Context allowPrivilegeEscalation | `false` |
|
||||
| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
|
||||
| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
|
||||
| `metrics.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
|
||||
| `metrics.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
|
||||
| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `none` |
|
||||
| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `nano` |
|
||||
| `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
|
||||
| `metrics.livenessProbe.enabled` | Enable livenessProbe | `true` |
|
||||
| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` |
|
||||
@@ -528,6 +528,17 @@ helm upgrade my-release oci://REGISTRY_NAME/REPOSITORY_NAME/mariadb --set auth.r
|
||||
|
||||
| Note: you need to substitute the placeholder _[ROOT_PASSWORD]_ with the value obtained in the installation notes.
|
||||
|
||||
### To 17.0.0
|
||||
|
||||
This major bump changes the following security defaults:
|
||||
|
||||
- `runAsGroup` is changed from `0` to `1001`
|
||||
- `readOnlyRootFilesystem` is set to `true`
|
||||
- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case).
|
||||
- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`.
|
||||
|
||||
This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones.
|
||||
|
||||
### To 16.0.0
|
||||
|
||||
This section enables NetworkPolicies by default to increase security of the application. It also adapts the values in the `networkPolicy` section to the current Bitnami standards. The removed sections are `networkPolicy.metrics.*`, `networkPolicy.ingressRules.*` and `networkPolicy.egressRules.*`. Check the Parameters table for the new structure.
|
||||
|
||||
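Review bot: the third bullet should state the actual new value, `resourcesPreset` going from `none` to `nano` (as the parameter tables in this same change show), since "the minimum size working in our test suites" gives upgraders nothing to grep for. Two consequences deserve a sentence each: `runAsGroup: 1001` changes the primary group of the process, so on volumes where `fsGroup` ownership changes are not applied, data written under gid 0 by 16.x may become unwritable; and `readOnlyRootFilesystem: true` breaks init scripts that write outside the mounted volumes. Finally, give the exact `--set` keys that restore the old defaults instead of "change the default values to the previous ones".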
@@ -251,6 +251,8 @@ spec:
|
||||
{{- end }}
|
||||
{{- if .Values.primary.resources }}
|
||||
resources: {{ toYaml .Values.primary.resources | nindent 12 }}
|
||||
{{- else if ne .Values.primary.resourcesPreset "none" }}
|
||||
resources: {{- include "common.resources.preset" (dict "type" .Values.primary.resourcesPreset) | nindent 12 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: data
|
||||
|
||||
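Review bot: `{{- if .Values.primary.resources }}` treats the documented default `{}` as unset, which is what makes the preset branch reachable, but it also means `resources: {}` can never be used to explicitly request no resource settings while `resourcesPreset` keeps its default; document `resourcesPreset: none` as the opt-out. Cosmetic: the first branch uses `{{ toYaml ... }}` and leaves a trailing space after `resources:` while the second uses `{{- include ... }}`; use `{{-` in both for consistent output.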
@@ -238,6 +238,8 @@ spec:
|
||||
{{- end }}
|
||||
{{- if .Values.secondary.resources }}
|
||||
resources: {{ toYaml .Values.secondary.resources | nindent 12 }}
|
||||
{{- else if ne .Values.secondary.resourcesPreset "none" }}
|
||||
resources: {{- include "common.resources.preset" (dict "type" .Values.secondary.resourcesPreset) | nindent 12 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: data
|
||||
|
||||
@@ -27,7 +27,7 @@ global:
|
||||
openshift:
|
||||
## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
|
||||
##
|
||||
adaptSecurityContext: disabled
|
||||
adaptSecurityContext: auto
|
||||
## @section Common parameters
|
||||
##
|
||||
|
||||
@@ -350,13 +350,13 @@ primary:
|
||||
##
|
||||
containerSecurityContext:
|
||||
enabled: true
|
||||
seLinuxOptions: null
|
||||
seLinuxOptions: {}
|
||||
runAsUser: 1001
|
||||
runAsGroup: 0
|
||||
runAsGroup: 1001
|
||||
runAsNonRoot: true
|
||||
privileged: false
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: false
|
||||
readOnlyRootFilesystem: true
|
||||
capabilities:
|
||||
drop: ["ALL"]
|
||||
seccompProfile:
|
||||
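Review bot: changing `seLinuxOptions` from `null` to `{}` alters what the template sees: an empty map is still falsy in a `{{- if }}` guard, but if the block is emitted with `toYaml` the manifest will carry a literal `seLinuxOptions: {}` where it previously carried `null`. Both are accepted by the API server; confirm how the template handles it so the manifest diff between 16.x and 17.0.0 contains only the intended securityContext changes. `runAsGroup: 1001` is consistent with the `fsGroup: 1001` shown in the README context.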
@@ -370,7 +370,7 @@ primary:
|
||||
## @param primary.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production).
|
||||
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
|
||||
##
|
||||
resourcesPreset: "none"
|
||||
resourcesPreset: "nano"
|
||||
## @param primary.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
|
||||
## Example:
|
||||
## resources:
|
||||
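Review bot: `nano` as the default for the database container deserves a word in this comment block: a memory limit below what the default InnoDB buffer pool and connection settings need ends in OOMKilled restarts under load, which is exactly why the @param text says `primary.resources` is recommended for production. Point the comment at `resourcesPreset: none` as the opt-out for users who previously ran without limits.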
@@ -769,13 +769,13 @@ secondary:
|
||||
##
|
||||
containerSecurityContext:
|
||||
enabled: true
|
||||
seLinuxOptions: null
|
||||
seLinuxOptions: {}
|
||||
runAsUser: 1001
|
||||
runAsGroup: 0
|
||||
runAsGroup: 1001
|
||||
runAsNonRoot: true
|
||||
privileged: false
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: false
|
||||
readOnlyRootFilesystem: true
|
||||
capabilities:
|
||||
drop: ["ALL"]
|
||||
seccompProfile:
|
||||
@@ -789,7 +789,7 @@ secondary:
|
||||
## @param secondary.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if secondary.resources is set (secondary.resources is recommended for production).
|
||||
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
|
||||
##
|
||||
resourcesPreset: "none"
|
||||
resourcesPreset: "nano"
|
||||
## @param secondary.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
|
||||
## Example:
|
||||
## resources:
|
||||
@@ -1066,7 +1066,7 @@ volumePermissions:
|
||||
## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production).
|
||||
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
|
||||
##
|
||||
resourcesPreset: "none"
|
||||
resourcesPreset: "nano"
|
||||
## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
|
||||
## Example:
|
||||
## resources:
|
||||
@@ -1185,10 +1185,10 @@ metrics:
|
||||
enabled: false
|
||||
privileged: false
|
||||
runAsNonRoot: true
|
||||
seLinuxOptions: null
|
||||
seLinuxOptions: {}
|
||||
runAsUser: 1001
|
||||
runAsGroup: 0
|
||||
readOnlyRootFilesystem: false
|
||||
runAsGroup: 1001
|
||||
readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop: ["ALL"]
|
||||
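Review bot: the hardened metrics securityContext only takes effect when `enabled` is `true`, and the context line above the change still shows `enabled: false`; for a commit titled "Improve security defaults" either flip it to `true` here (the primary and secondary blocks already default to `enabled: true`) or state in the upgrade note that the metrics exporter still runs without these restrictions by default.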
@@ -1203,7 +1203,7 @@ metrics:
|
||||
## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production).
|
||||
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
|
||||
##
|
||||
resourcesPreset: "none"
|
||||
resourcesPreset: "nano"
|
||||
## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
|
||||
## Example:
|
||||
## resources:
|
||||
|
||||