From c4492557d63ee7addb0447295fd5fcfc856ddc16 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Javier=20J=2E=20Salmer=C3=B3n-Garc=C3=ADa?= Date: Tue, 16 Jan 2024 15:47:24 +0100 Subject: [PATCH] [bitnami/matomo] fix: :lock: Improve podSecurityContext and containerSecurityContext with essential security fields (#22151) * [bitnami/matomo] fix: :lock: Improve podSecurityContext and containerSecurityContext with essential security fields Signed-off-by: Javier Salmeron Garcia * chore: :wrench: Bump chart version Signed-off-by: Javier Salmeron Garcia --------- Signed-off-by: Javier Salmeron Garcia --- bitnami/matomo/Chart.yaml | 2 +- bitnami/matomo/README.md | 6 ++++++ bitnami/matomo/values.yaml | 12 ++++++++++++ 3 files changed, 19 insertions(+), 1 deletion(-) diff --git a/bitnami/matomo/Chart.yaml b/bitnami/matomo/Chart.yaml index 08ab614f12..f9f7011b96 100644 --- a/bitnami/matomo/Chart.yaml +++ b/bitnami/matomo/Chart.yaml @@ -39,4 +39,4 @@ maintainers: name: matomo sources: - https://github.com/bitnami/charts/tree/main/bitnami/matomo -version: 4.0.1 +version: 4.1.0 diff --git a/bitnami/matomo/README.md b/bitnami/matomo/README.md index 484863439f..00b7230042 100644 --- a/bitnami/matomo/README.md +++ b/bitnami/matomo/README.md @@ -142,8 +142,12 @@ The command removes all the Kubernetes components associated with the chart and | `resources.limits` | The resources limits for Matomo containers | `{}` | | `resources.requests` | The requested resources for Matomo containers | `{}` | | `podSecurityContext.enabled` | Enable Matomo pods' Security Context | `true` | +| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `podSecurityContext.fsGroup` | Matomo pods' group ID | `1001` | | `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | @@ -312,6 +316,7 @@ The command removes all the Kubernetes components associated with the chart and | `cronjobs.taskScheduler.command` | Override default container command (useful when using custom images) | `[]` | | `cronjobs.taskScheduler.args` | Override default container args (useful when using custom images) | `[]` | | `cronjobs.taskScheduler.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `cronjobs.taskScheduler.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `cronjobs.taskScheduler.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `cronjobs.taskScheduler.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `cronjobs.taskScheduler.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | @@ -328,6 +333,7 @@ The command removes all the Kubernetes components associated with the chart and | `cronjobs.archive.command` | Override default container command (useful when using custom images) | `[]` | | `cronjobs.archive.args` | Override default container args (useful when using custom images) | `[]` | | `cronjobs.archive.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `cronjobs.archive.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `cronjobs.archive.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `cronjobs.archive.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `cronjobs.archive.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | diff --git a/bitnami/matomo/values.yaml b/bitnami/matomo/values.yaml index ea962c7c93..704a56c168 100644 --- a/bitnami/matomo/values.yaml +++ b/bitnami/matomo/values.yaml @@ -332,14 +332,21 @@ resources: ## Configure Pods Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param podSecurityContext.enabled Enable Matomo pods' Security Context +## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy +## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface +## @param podSecurityContext.supplementalGroups Set filesystem extra groups ## @param podSecurityContext.fsGroup Matomo pods' group ID ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 ## Configure Container Security Context (only main container) ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param containerSecurityContext.enabled Enabled containers' Security Context +## @param containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param containerSecurityContext.privileged Set container's Security Context privileged @@ -350,6 +357,7 @@ podSecurityContext: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsNonRoot: true privileged: false @@ -957,6 +965,7 @@ cronjobs: ## @param ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param cronjobs.taskScheduler.containerSecurityContext.enabled Enabled containers' Security Context + ## @param cronjobs.taskScheduler.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param cronjobs.taskScheduler.containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param cronjobs.taskScheduler.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param cronjobs.taskScheduler.containerSecurityContext.privileged Set container's Security Context privileged @@ -967,6 +976,7 @@ cronjobs: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsNonRoot: true privileged: false @@ -1006,6 +1016,7 @@ cronjobs: ## @param ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param cronjobs.archive.containerSecurityContext.enabled Enabled containers' Security Context + ## @param cronjobs.archive.containerSecurityContext.seLinuxOptions Set SELinux options in container ## @param cronjobs.archive.containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param cronjobs.archive.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param cronjobs.archive.containerSecurityContext.privileged Set container's Security Context privileged @@ -1016,6 +1027,7 @@ cronjobs: ## containerSecurityContext: enabled: true + seLinuxOptions: {} runAsUser: 1001 runAsNonRoot: true privileged: false