Bitnami/charts
2
0
Fork 0
mirror of https://github.com/bitnami/charts.git synced 2026-02-26 15:57:38 +08:00
Code Issues Packages Projects Releases Wiki Activity

[bitnami/mlflow] fix: 🔒 Improve podSecurityContext and containerSecurityContext with essential security fields (#22158)

Browse Source 
* [bitnami/mlflow] fix: 🔒 Improve podSecurityContext and containerSecurityContext with essential security fields

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* chore: 🔧 Bump chart version

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

---------

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
This commit is contained in:
Javier J. Salmerón-García
2024-01-16 15:47:01 +01:00
committed by GitHub
parent 3840178435
commit b84eaeae7a
3 changed files with 31 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
bitnami/mlflow/Chart.yaml
View File

@@ -43,4 +43,4 @@ name: mlflow
sources:
- https://github.com/bitnami/containers/tree/main/bitnami/mlflow
- https://github.com/mlflow/mlflow
version: 0.4.2
version: 0.5.0

10
bitnami/mlflow/README.md
View File

@@ -130,8 +130,12 @@ The command removes all the Kubernetes components associated with the chart and
| `tracking.resources.limits` | The resources limits for the mlflow containers | `{}` |
| `tracking.resources.requests` | The requested resources for the mlflow containers | `{}` |
| `tracking.podSecurityContext.enabled` | Enabled mlflow pods' Security Context | `true` |
| `tracking.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `tracking.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
| `tracking.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `tracking.podSecurityContext.fsGroup` | Set mlflow pod's Security Context fsGroup | `1001` |
| `tracking.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `tracking.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `tracking.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `tracking.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
| `tracking.containerSecurityContext.privileged` | Set containers' Security Context privileged | `false` |
@@ -318,8 +322,12 @@ The command removes all the Kubernetes components associated with the chart and
| `run.resources.limits` | The resources limits for the run containers | `{}` |
| `run.resources.requests` | The requested resources for the run containers | `{}` |
| `run.podSecurityContext.enabled` | Enabled Run pods' Security Context | `true` |
| `run.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `run.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
| `run.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `run.podSecurityContext.fsGroup` | Set Run pod's Security Context fsGroup | `1001` |
| `run.containerSecurityContext.enabled` | Enabled Run containers' Security Context | `true` |
| `run.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `run.containerSecurityContext.runAsUser` | Set Run containers' Security Context runAsUser | `1001` |
| `run.containerSecurityContext.runAsGroup` | Set Run containers' Security Context runAsGroup | `1001` |
| `run.containerSecurityContext.runAsNonRoot` | Set Run containers' Security Context runAsNonRoot | `true` |
@@ -392,6 +400,7 @@ The command removes all the Kubernetes components associated with the chart and
| `volumePermissions.resources.limits` | The resources limits for the init container | `{}` |
| `volumePermissions.resources.requests` | The requested resources for the init container | `{}` |
| `volumePermissions.containerSecurityContext.enabled` | Set container security context settings | `true` |
| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `volumePermissions.containerSecurityContext.runAsUser` | Set init container's Security Context runAsUser | `0` |
| `waitContainer.image.registry` | Init container wait-container image registry | `REGISTRY_NAME` |
| `waitContainer.image.repository` | Init container wait-container image name | `REPOSITORY_NAME/os-shell` |
@@ -399,6 +408,7 @@ The command removes all the Kubernetes components associated with the chart and
| `waitContainer.image.pullPolicy` | Init container wait-container image pull policy | `IfNotPresent` |
| `waitContainer.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
| `waitContainer.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `waitContainer.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `waitContainer.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `waitContainer.containerSecurityContext.runAsNonRoot` | Set containers' Security Context runAsNonRoot | `true` |
| `waitContainer.containerSecurityContext.privileged` | Set containers' Security Context privileged | `false` |

20
bitnami/mlflow/values.yaml
View File

@@ -199,14 +199,21 @@ tracking:
## Configure Pods Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param tracking.podSecurityContext.enabled Enabled mlflow pods' Security Context
## @param tracking.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
## @param tracking.podSecurityContext.sysctls Set kernel settings using the sysctl interface
## @param tracking.podSecurityContext.supplementalGroups Set filesystem extra groups
## @param tracking.podSecurityContext.fsGroup Set mlflow pod's Security Context fsGroup
##
podSecurityContext:
enabled: true
fsGroupChangePolicy: Always
sysctls: []
supplementalGroups: []
fsGroup: 1001
## Configure Container Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param tracking.containerSecurityContext.enabled Enabled containers' Security Context
## @param tracking.containerSecurityContext.seLinuxOptions Set SELinux options in container
## @param tracking.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param tracking.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
## @param tracking.containerSecurityContext.privileged Set containers' Security Context privileged
@@ -218,6 +225,7 @@ tracking:
##
containerSecurityContext:
enabled: true
seLinuxOptions: {}
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
@@ -903,14 +911,21 @@ run:
## Configure Pods Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param run.podSecurityContext.enabled Enabled Run pods' Security Context
## @param run.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
## @param run.podSecurityContext.sysctls Set kernel settings using the sysctl interface
## @param run.podSecurityContext.supplementalGroups Set filesystem extra groups
## @param run.podSecurityContext.fsGroup Set Run pod's Security Context fsGroup
##
podSecurityContext:
enabled: true
fsGroupChangePolicy: Always
sysctls: []
supplementalGroups: []
fsGroup: 1001
## Configure Container Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param run.containerSecurityContext.enabled Enabled Run containers' Security Context
## @param run.containerSecurityContext.seLinuxOptions Set SELinux options in container
## @param run.containerSecurityContext.runAsUser Set Run containers' Security Context runAsUser
## @param run.containerSecurityContext.runAsGroup Set Run containers' Security Context runAsGroup
## @param run.containerSecurityContext.runAsNonRoot Set Run containers' Security Context runAsNonRoot
@@ -922,6 +937,7 @@ run:
##
containerSecurityContext:
enabled: true
seLinuxOptions: {}
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
@@ -1183,6 +1199,7 @@ volumePermissions:
## Init container Container Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param volumePermissions.containerSecurityContext.enabled Set container security context settings
## @param volumePermissions.containerSecurityContext.seLinuxOptions Set SELinux options in container
## @param volumePermissions.containerSecurityContext.runAsUser Set init container's Security Context runAsUser
## NOTE: when runAsUser is set to special value "auto", init container will try to chown the
## data folder to auto-determined user&group, using commands: `id -u`:`id -G | cut -d" " -f2`
@@ -1190,6 +1207,7 @@ volumePermissions:
##
containerSecurityContext:
enabled: true
seLinuxOptions: {}
runAsUser: 0
waitContainer:
@@ -1219,6 +1237,7 @@ waitContainer:
## Configure Container Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param waitContainer.containerSecurityContext.enabled Enabled containers' Security Context
## @param waitContainer.containerSecurityContext.seLinuxOptions Set SELinux options in container
## @param waitContainer.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param waitContainer.containerSecurityContext.runAsNonRoot Set containers' Security Context runAsNonRoot
## @param waitContainer.containerSecurityContext.privileged Set containers' Security Context privileged
@@ -1229,6 +1248,7 @@ waitContainer:
##
containerSecurityContext:
enabled: true
seLinuxOptions: {}
runAsUser: 1001
runAsNonRoot: true
privileged: false