[bitnami/tomcat] feat: Add support for PSA restricted policy (#20554)

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
This commit is contained in:
Javier J. Salmerón-García
2023-10-31 19:06:15 +01:00
committed by GitHub
parent b3e4488d17
commit cd9ec2ff01
4 changed files with 139 additions and 105 deletions

View File

@@ -1,6 +1,6 @@
dependencies:
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
version: 2.13.2
digest: sha256:551ae9c020597fd0a1d62967d9899a3c57a12e92f49e7a3967b6a187efdcaead
generated: "2023-10-09T21:56:34.987847613Z"
version: 2.13.3
digest: sha256:9a971689db0c66ea95ac2e911c05014c2b96c6077c991131ff84f2982f88fb83
generated: "2023-10-31T12:41:05.52315381+01:00"
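Review bot: the `common` pin moves from 2.13.2 to 2.13.3 with a new digest and `generated` stamp, but the Chart.yaml hunk below only bumps the chart version and does not touch the dependency constraint, so this lock should be the output of `helm dependency update` rather than a hand edit; please confirm the digest `sha256:9a971689...` reproduces from a clean `helm dependency update` run. Minor: the `generated` timestamp changed from UTC (`Z`) to a `+01:00` local offset, which is harmless but suggests the lock was regenerated on a workstation rather than by the release tooling.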

View File

@@ -35,4 +35,4 @@ maintainers:
name: tomcat
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/tomcat
version: 10.10.10
version: 10.11.0
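Review bot: a minor bump (10.10.10 to 10.11.0) is the right call because the rendered container `securityContext` changes for every existing user, not only those who opt in: `capabilities.drop: ["ALL"]`, `allowPrivilegeEscalation: false` and `seccompProfile.type: RuntimeDefault` become defaults. Consider pairing it with an upgrade note in the README for this version stating that workloads which relied on a retained Linux capability or on setuid binaries inside the container must now override `containerSecurityContext.capabilities.drop` or `containerSecurityContext.allowPrivilegeEscalation` explicitly.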

View File

@@ -102,71 +102,76 @@ The command removes all the Kubernetes components associated with the chart and
### Tomcat deployment parameters
| Name | Description | Value |
| ------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------ | ------------------- |
| `replicaCount` | Specify number of Tomcat replicas | `1` |
| `deployment.type` | Use Deployment or StatefulSet | `deployment` |
| `updateStrategy.type` | StrategyType | `RollingUpdate` |
| `containerPorts.http` | HTTP port to expose at container level | `8080` |
| `containerExtraPorts` | Extra ports to expose at container level | `[]` |
| `podSecurityContext.enabled` | Enable Tomcat pods' Security Context | `true` |
| `podSecurityContext.fsGroup` | Set Tomcat pod's Security Context fsGroup | `1001` |
| `containerSecurityContext.enabled` | Enable Tomcat containers' SecurityContext | `true` |
| `containerSecurityContext.runAsUser` | User ID for the Tomcat container | `1001` |
| `containerSecurityContext.runAsNonRoot` | Force user to be root in Tomcat container | `true` |
| `resources.limits` | The resources limits for the Tomcat container | `{}` |
| `resources.requests` | The requested resources for the Tomcat container | `{}` |
| `livenessProbe.enabled` | Enable livenessProbe | `true` |
| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` |
| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `readinessProbe.enabled` | Enable readinessProbe | `true` |
| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` |
| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` |
| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `3` |
| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` |
| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `startupProbe.enabled` | Enable startupProbe | `false` |
| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` |
| `startupProbe.periodSeconds` | Period seconds for startupProbe | `5` |
| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `3` |
| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `3` |
| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
| `customLivenessProbe` | Override default liveness probe | `{}` |
| `customReadinessProbe` | Override default readiness probe | `{}` |
| `customStartupProbe` | Override default startup probe | `{}` |
| `podLabels` | Extra labels for Tomcat pods | `{}` |
| `podAnnotations` | Annotations for Tomcat pods | `{}` |
| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set. | `""` |
| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` |
| `affinity` | Affinity for pod assignment. Evaluated as a template. | `{}` |
| `nodeSelector` | Node labels for pod assignment. Evaluated as a template. | `{}` |
| `schedulerName` | Alternative scheduler | `""` |
| `lifecycleHooks` | Override default etcd container hooks | `{}` |
| `podManagementPolicy` | podManagementPolicy to manage scaling operation of pods (only in StatefulSet mode) | `""` |
| `tolerations` | Tolerations for pod assignment. Evaluated as a template. | `[]` |
| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` |
| `extraPodSpec` | Optionally specify extra PodSpec | `{}` |
| `extraVolumes` | Optionally specify extra list of additional volumes for Tomcat pods in Deployment | `[]` |
| `extraVolumeClaimTemplates` | Optionally specify extra list of additional volume claim templates for Tomcat pods in StatefulSet | `[]` |
| `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for Tomcat container(s) | `[]` |
| `initContainers` | Add init containers to the Tomcat pods. | `[]` |
| `sidecars` | Add sidecars to the Tomcat pods. | `[]` |
| `persistence.enabled` | Enable persistence | `true` |
| `persistence.storageClass` | PVC Storage Class for Tomcat volume | `""` |
| `persistence.annotations` | Persistent Volume Claim annotations | `{}` |
| `persistence.accessModes` | PVC Access Modes for Tomcat volume | `["ReadWriteOnce"]` |
| `persistence.size` | PVC Storage Request for Tomcat volume | `8Gi` |
| `persistence.existingClaim` | An Existing PVC name for Tomcat volume | `""` |
| `persistence.selectorLabels` | Selector labels to use in volume claim template in statefulset | `{}` |
| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now. | `false` |
| `networkPolicy.allowExternal` | Don't require client label for connections | `true` |
| `networkPolicy.explicitNamespacesSelector` | A Kubernetes LabelSelector to explicitly select namespaces from which traffic could be allowed | `{}` |
| Name | Description | Value |
| --------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | ------------------- |
| `replicaCount` | Specify number of Tomcat replicas | `1` |
| `deployment.type` | Use Deployment or StatefulSet | `deployment` |
| `updateStrategy.type` | StrategyType | `RollingUpdate` |
| `containerPorts.http` | HTTP port to expose at container level | `8080` |
| `containerExtraPorts` | Extra ports to expose at container level | `[]` |
| `podSecurityContext.enabled` | Enable Tomcat pods' Security Context | `true` |
| `podSecurityContext.fsGroup` | Set Tomcat pod's Security Context fsGroup | `1001` |
| `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
| `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
| `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
| `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `resources.limits` | The resources limits for the Tomcat container | `{}` |
| `resources.requests` | The requested resources for the Tomcat container | `{}` |
| `livenessProbe.enabled` | Enable livenessProbe | `true` |
| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` |
| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `readinessProbe.enabled` | Enable readinessProbe | `true` |
| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` |
| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` |
| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `3` |
| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` |
| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `startupProbe.enabled` | Enable startupProbe | `false` |
| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` |
| `startupProbe.periodSeconds` | Period seconds for startupProbe | `5` |
| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `3` |
| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `3` |
| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
| `customLivenessProbe` | Override default liveness probe | `{}` |
| `customReadinessProbe` | Override default readiness probe | `{}` |
| `customStartupProbe` | Override default startup probe | `{}` |
| `podLabels` | Extra labels for Tomcat pods | `{}` |
| `podAnnotations` | Annotations for Tomcat pods | `{}` |
| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set. | `""` |
| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` |
| `affinity` | Affinity for pod assignment. Evaluated as a template. | `{}` |
| `nodeSelector` | Node labels for pod assignment. Evaluated as a template. | `{}` |
| `schedulerName` | Alternative scheduler | `""` |
| `lifecycleHooks` | Override default etcd container hooks | `{}` |
| `podManagementPolicy` | podManagementPolicy to manage scaling operation of pods (only in StatefulSet mode) | `""` |
| `tolerations` | Tolerations for pod assignment. Evaluated as a template. | `[]` |
| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` |
| `extraPodSpec` | Optionally specify extra PodSpec | `{}` |
| `extraVolumes` | Optionally specify extra list of additional volumes for Tomcat pods in Deployment | `[]` |
| `extraVolumeClaimTemplates` | Optionally specify extra list of additional volume claim templates for Tomcat pods in StatefulSet | `[]` |
| `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for Tomcat container(s) | `[]` |
| `initContainers` | Add init containers to the Tomcat pods. | `[]` |
| `sidecars` | Add sidecars to the Tomcat pods. | `[]` |
| `persistence.enabled` | Enable persistence | `true` |
| `persistence.storageClass` | PVC Storage Class for Tomcat volume | `""` |
| `persistence.annotations` | Persistent Volume Claim annotations | `{}` |
| `persistence.accessModes` | PVC Access Modes for Tomcat volume | `["ReadWriteOnce"]` |
| `persistence.size` | PVC Storage Request for Tomcat volume | `8Gi` |
| `persistence.existingClaim` | An Existing PVC name for Tomcat volume | `""` |
| `persistence.selectorLabels` | Selector labels to use in volume claim template in statefulset | `{}` |
| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now. | `false` |
| `networkPolicy.allowExternal` | Don't require client label for connections | `true` |
| `networkPolicy.explicitNamespacesSelector` | A Kubernetes LabelSelector to explicitly select namespaces from which traffic could be allowed | `{}` |
### Traffic Exposure parameters
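Review bot: the restricted-profile defaults are documented only for the Tomcat container, but PSA `restricted` evaluates every container in the pod, so anything supplied through `initContainers` (`[]`) or `sidecars` (`[]`) needs its own compliant `securityContext` or the whole pod is rejected at admission; one sentence next to those rows would spare users a confusing `violates PodSecurity "restricted:latest"` error. The `readOnlyRootFilesystem` row would also benefit from saying why it stays `false` (Tomcat writes to its `work`, `temp` and `logs` directories at runtime, so enabling it requires writable volumes for those paths). The corrected `runAsNonRoot` description is welcome: the old text "Force user to be root in Tomcat container" stated the opposite of what the field does.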
@@ -214,36 +219,41 @@ The command removes all the Kubernetes components associated with the chart and
### Metrics parameters
| Name | Description | Value |
| --------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `metrics.jmx.enabled` | Whether or not to expose JMX metrics to Prometheus | `false` |
| `metrics.jmx.catalinaOpts` | custom option used to enabled JMX on tomcat jvm evaluated as template | `-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=5555 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=true` |
| `metrics.jmx.image.registry` | JMX exporter image registry | `REGISTRY_NAME` |
| `metrics.jmx.image.repository` | JMX exporter image repository | `REPOSITORY_NAME/jmx-exporter` |
| `metrics.jmx.image.digest` | JMX exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `metrics.jmx.image.pullPolicy` | JMX exporter image pull policy | `IfNotPresent` |
| `metrics.jmx.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
| `metrics.jmx.config` | Configuration file for JMX exporter | `""` |
| `metrics.jmx.containerSecurityContext.enabled` | Enable Prometheus JMX exporter containers' Security Context | `true` |
| `metrics.jmx.containerSecurityContext.runAsUser` | Set Prometheus JMX exporter containers' Security Context runAsUser | `1001` |
| `metrics.jmx.containerSecurityContext.runAsNonRoot` | Set Prometheus JMX exporter containers' Security Context runAsNonRoot | `true` |
| `metrics.jmx.resources.limits` | JMX Exporter container resource limits | `{}` |
| `metrics.jmx.resources.requests` | JMX Exporter container resource requests | `{}` |
| `metrics.jmx.ports.metrics` | JMX Exporter container metrics ports | `5556` |
| `metrics.jmx.existingConfigmap` | Name of existing ConfigMap with JMX exporter configuration | `""` |
| `metrics.podMonitor.podTargetLabels` | Used to keep given pod's labels in target | `[]` |
| `metrics.podMonitor.enabled` | Create PodMonitor Resource for scraping metrics using PrometheusOperator | `false` |
| `metrics.podMonitor.namespace` | Optional namespace in which Prometheus is running | `""` |
| `metrics.podMonitor.interval` | Specify the interval at which metrics should be scraped | `30s` |
| `metrics.podMonitor.scrapeTimeout` | Specify the timeout after which the scrape is ended | `30s` |
| `metrics.podMonitor.additionalLabels` | Additional labels that can be used so PodMonitors will be discovered by Prometheus | `{}` |
| `metrics.podMonitor.scheme` | Scheme to use for scraping | `http` |
| `metrics.podMonitor.tlsConfig` | TLS configuration used for scrape endpoints used by Prometheus | `{}` |
| `metrics.podMonitor.relabelings` | Prometheus relabeling rules | `[]` |
| `metrics.prometheusRule.enabled` | Set this to true to create prometheusRules for Prometheus operator | `false` |
| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so prometheusRules will be discovered by Prometheus | `{}` |
| `metrics.prometheusRule.namespace` | namespace where prometheusRules resource should be created | `""` |
| `metrics.prometheusRule.rules` | Create specified [Rules](https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/) | `[]` |
| Name | Description | Value |
| --------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `metrics.jmx.enabled` | Whether or not to expose JMX metrics to Prometheus | `false` |
| `metrics.jmx.catalinaOpts` | custom option used to enabled JMX on tomcat jvm evaluated as template | `-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=5555 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=true` |
| `metrics.jmx.image.registry` | JMX exporter image registry | `REGISTRY_NAME` |
| `metrics.jmx.image.repository` | JMX exporter image repository | `REPOSITORY_NAME/jmx-exporter` |
| `metrics.jmx.image.digest` | JMX exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `metrics.jmx.image.pullPolicy` | JMX exporter image pull policy | `IfNotPresent` |
| `metrics.jmx.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
| `metrics.jmx.config` | Configuration file for JMX exporter | `""` |
| `metrics.jmx.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `metrics.jmx.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `metrics.jmx.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `metrics.jmx.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
| `metrics.jmx.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
| `metrics.jmx.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
| `metrics.jmx.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
| `metrics.jmx.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `metrics.jmx.resources.limits` | JMX Exporter container resource limits | `{}` |
| `metrics.jmx.resources.requests` | JMX Exporter container resource requests | `{}` |
| `metrics.jmx.ports.metrics` | JMX Exporter container metrics ports | `5556` |
| `metrics.jmx.existingConfigmap` | Name of existing ConfigMap with JMX exporter configuration | `""` |
| `metrics.podMonitor.podTargetLabels` | Used to keep given pod's labels in target | `[]` |
| `metrics.podMonitor.enabled` | Create PodMonitor Resource for scraping metrics using PrometheusOperator | `false` |
| `metrics.podMonitor.namespace` | Optional namespace in which Prometheus is running | `""` |
| `metrics.podMonitor.interval` | Specify the interval at which metrics should be scraped | `30s` |
| `metrics.podMonitor.scrapeTimeout` | Specify the timeout after which the scrape is ended | `30s` |
| `metrics.podMonitor.additionalLabels` | Additional labels that can be used so PodMonitors will be discovered by Prometheus | `{}` |
| `metrics.podMonitor.scheme` | Scheme to use for scraping | `http` |
| `metrics.podMonitor.tlsConfig` | TLS configuration used for scrape endpoints used by Prometheus | `{}` |
| `metrics.podMonitor.relabelings` | Prometheus relabeling rules | `[]` |
| `metrics.prometheusRule.enabled` | Set this to true to create prometheusRules for Prometheus operator | `false` |
| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so prometheusRules will be discovered by Prometheus | `{}` |
| `metrics.prometheusRule.namespace` | namespace where prometheusRules resource should be created | `""` |
| `metrics.prometheusRule.rules` | Create specified [Rules](https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/) | `[]` |
The above parameters map to the env variables defined in [bitnami/tomcat](https://github.com/bitnami/containers/tree/main/bitnami/tomcat). For more information please refer to the [bitnami/tomcat](https://github.com/bitnami/containers/tree/main/bitnami/tomcat) image documentation.
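Review bot: the exporter sidecar inherits the same container context as Tomcat, including `readOnlyRootFilesystem: false`, yet unlike Tomcat it only reads its configuration (`metrics.jmx.config` or `metrics.jmx.existingConfigmap`) and serves on port `5556`, so `true` is a reasonable default for this container, with the caveat that the JVM wants a writable `/tmp` for its `hsperfdata` file, which an `emptyDir` mount (or `-XX:-UsePerfData`) covers. Minor: the descriptions for these rows dropped the "Prometheus JMX exporter" qualifier and now read identically to the Tomcat rows; the key prefix disambiguates them, but the old wording was clearer when a table is read on its own.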

View File

@@ -159,14 +159,26 @@ podSecurityContext:
fsGroup: 1001
## Tomcat containers' SecurityContext
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param containerSecurityContext.enabled Enable Tomcat containers' SecurityContext
## @param containerSecurityContext.runAsUser User ID for the Tomcat container
## @param containerSecurityContext.runAsNonRoot Force user to be root in Tomcat container
## @param containerSecurityContext.enabled Enabled containers' Security Context
## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param containerSecurityContext.privileged Set container's Security Context privileged
## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped
## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
##
containerSecurityContext:
enabled: true
runAsUser: 1001
runAsNonRoot: true
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
seccompProfile:
type: "RuntimeDefault"
## Tomcat containers' resource requests and limits
## ref: https://kubernetes.io/docs/user-guide/compute-resources/
## We usually recommend not to specify default resources and to leave this as a conscious
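Review bot: none of the 4 changed files is a template, so the new keys (`privileged`, `readOnlyRootFilesystem`, `allowPrivilegeEscalation`, `capabilities.drop`, `seccompProfile.type`) only reach the pod spec if the deployment and statefulset templates already render the whole map, for example via `{{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}`; if they enumerate fields one by one, this change is documentation only. Please verify with `helm template . | grep -A 12 'securityContext:'` and, ideally, an install into a namespace labelled `pod-security.kubernetes.io/enforce=restricted`. Two nits: the `ref:` link above these params points at the pod anchor (`#set-the-security-context-for-a-pod`) although this block configures the container context (the JMX block below uses the container anchor), and `containerSecurityContext.enabled: false` now silently discards every restricted-profile setting, which deserves a comment since it makes the pod inadmissible under `restricted`.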
@@ -671,13 +683,25 @@ metrics:
attrNameSnakeCase: true
## Prometheus JMX exporter containers' Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param metrics.jmx.containerSecurityContext.enabled Enable Prometheus JMX exporter containers' Security Context
## @param metrics.jmx.containerSecurityContext.runAsUser Set Prometheus JMX exporter containers' Security Context runAsUser
## @param metrics.jmx.containerSecurityContext.runAsNonRoot Set Prometheus JMX exporter containers' Security Context runAsNonRoot
## @param metrics.jmx.containerSecurityContext.enabled Enabled containers' Security Context
## @param metrics.jmx.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param metrics.jmx.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param metrics.jmx.containerSecurityContext.privileged Set container's Security Context privileged
## @param metrics.jmx.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
## @param metrics.jmx.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
## @param metrics.jmx.containerSecurityContext.capabilities.drop List of capabilities to be dropped
## @param metrics.jmx.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
containerSecurityContext:
enabled: true
runAsUser: 1001
runAsNonRoot: true
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
seccompProfile:
type: "RuntimeDefault"
## Prometheus JMX Exporter' resource requests and limits
## ref: https://kubernetes.io/docs/user-guide/compute-resources/
## We usually recommend not to specify default resources and to leave this as a conscious
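Review bot: the `## @param` list here is not terminated with a bare `##` line before `containerSecurityContext:` the way the Tomcat block above is; the README generator tolerates it, but it breaks the file's own convention, so add the terminator. More important: if `metrics.jmx.containerSecurityContext.enabled` is set to `false` while `metrics.jmx.enabled` is `true`, the `enabled` gate presumably suppresses the sidecar's `securityContext` entirely, in which case PSA `restricted` rejects the whole pod even though the Tomcat container complies, so this flag deserves the same warning as the main one. Also, the unchanged `metrics.jmx.catalinaOpts` default still opens JMX with `authenticate=false` and `ssl=false`; `local.only=true` is what keeps that listener off the pod network, and since the exporter shares the pod's network namespace that is sufficient, but a comment saying `local.only` must not be dropped when customising these options would be worthwhile.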