[bitnami/mongodb] Enable psp for mongodb (#5020)

* [bitnami/mongodb] Add ability to use PodSecurityPolicy

In clusters that have PSP enabled, a PSP resource is required, otherwise things
like using volumes won't work.

This commit enables a straightforward PSP to be used and easily modified
if required.

The default is to not create a PSP resource

* [bitnami/mongodb] Use predefined PSP for ease of use

Give basic options and use a predefined PSP for simple and quick usage, but
retain the ability for the user to use the full spec.

* Update bitnami/mongodb/templates/psp.yaml

Co-authored-by: Alejandro Moreno <alemorcuq@gmail.com>

* Fail if psp create is true but not rbac

As suggested in comment https://github.com/bitnami/charts/pull/5020#discussion_r560125253

RBAC is needed for PSP to work, so fail and show an error if
podSecurityPolicy.create is true and rbac.create is false.

Co-authored-by: Alejandro Moreno <alemorcuq@gmail.com>
This commit is contained in:
Yasser Saleemi
2021-01-20 15:07:48 +00:00
committed by GitHub
parent d65431bb18
commit d10986573a
6 changed files with 148 additions and 10 deletions

@@ -26,4 +26,4 @@ name: mongodb
sources:
- https://github.com/bitnami/bitnami-docker-mongodb
- https://mongodb.org
version: 10.4.1
version: 10.5.0

@@ -245,25 +245,29 @@ The following tables lists the configurable parameters of the MongoDB chart and
### Persistence parameters
| Parameter | Description | Default |
|---------------------------------------------|------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|
| Parameter | Description | Default |
|-------------------------------------------|------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|
| `persistence.enabled` | Enable MongoDB data persistence using PVC | `true` |
| `persistence.existingClaim` | Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) | `nil` (evaluated as a template) |
| `persistence.storageClass` | PVC Storage Class for MongoDB data volume | `nil` |
| `persistence.accessMode` | PVC Access Mode for MongoDB data volume | `ReadWriteOnce` |
| `persistence.size` | PVC Storage Request for MongoDB data volume | `8Gi` |
| `persistence.mountPath` | Path to mount the volume at | `/bitnami/mongodb` |
| `persistence.mountPath` | Path to mount the volume at | `/bitnami/mongodb` |
| `persistence.subPath` | Subdirectory of the volume to mount at | `""` |
| `persistence.volumeClaimTemplates.selector` | A label query over volumes to consider for binding (e.g. when using local volumes) | `` |
### RBAC parameters
| Parameter | Description | Default |
|-------------------------------------------|------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|
| `serviceAccount.create` | Enable creation of ServiceAccount for MongoDB pods | `true` |
| `serviceAccount.name` | Name of the created serviceAccount | Generated using the `mongodb.fullname` template |
| `serviceAccount.annotations` | Additional Service Account annotations | `{}` |
| `rbac.create` | Weather to create & use RBAC resources or not | `false` |
| Parameter | Description | Default |
|----------------------------------------------|------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|
| `serviceAccount.create` | Enable creation of ServiceAccount for MongoDB pods | `true` |
| `serviceAccount.name` | Name of the created serviceAccount | Generated using the `mongodb.fullname` template |
| `serviceAccount.annotations` | Additional Service Account annotations | `{}` |
| `rbac.create` | Weather to create & use RBAC resources or not | `false` |
| `podSecurityPolicy.create | Whether to create & use PSP resource or not (Note: `rbac.create` needs to be `true`) | `false` |
| `podSecurityPolicy.allowPrivilegeEscalation` | Enable privilege escalation | `false` |
| `podSecurityPolicy.privileged` | Allow privileged | `false` |
| `podSecurityPolicy.spec | The PSP Spec (See https://kubernetes.io/docs/concepts/policy/pod-security-policy/), takes precedence | `{}` |
### Volume Permissions parameters
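Review bot: the two new rows `podSecurityPolicy.create` and `podSecurityPolicy.spec` are missing the closing backtick in the Parameter column, so they will not render as code like the other parameter names; add it. The description for `podSecurityPolicy.privileged` ("Allow privileged") should say what is allowed, e.g. "Allow privileged containers", and since the `rbac.create` row is being rewritten anyway this is the moment to fix the pre-existing "Weather" to "Whether".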

@@ -199,6 +199,7 @@ Compile all warnings into a single message, and call fail.
*/}}
{{- define "mongodb.validateValues" -}}
{{- $messages := list -}}
{{- $messages := append $messages (include "mongodb.validateValues.pspAndRBAC" .) -}}
{{- $messages := append $messages (include "mongodb.validateValues.architecture" .) -}}
{{- $messages := append $messages (include "mongodb.validateValues.customDatabase" .) -}}
{{- $messages := append $messages (include "mongodb.validateValues.externalAccessServiceType" .) -}}
@@ -213,6 +214,15 @@ Compile all warnings into a single message, and call fail.
{{- end -}}
{{- end -}}
{{/* Validate RBAC is created when using PSP */}}
{{- define "mongodb.validateValues.pspAndRBAC" -}}
{{- if and (.Values.podSecurityPolicy.create) (not .Values.rbac.create) -}}
mongodb: podSecurityPolicy.create, rbac.create
Both podSecurityPolicy.create and rbac.create must be true, if you want
to create podSecurityPolicy
{{- end -}}
{{- end -}}
{{/* Validate values of MongoDB - must provide a valid architecture */}}
{{- define "mongodb.validateValues.architecture" -}}
{{- if and (ne .Values.architecture "standalone") (ne .Values.architecture "replicaset") -}}
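Review bot: the failure message under `mongodb: podSecurityPolicy.create, rbac.create` has a stray comma ("must be true, if you want") and should state the actual dependency rather than asking for both flags, e.g. "rbac.create must be true when podSecurityPolicy.create is true, because the Role granting 'use' on the PSP is only rendered with RBAC enabled". The condition itself, `and (.Values.podSecurityPolicy.create) (not .Values.rbac.create)`, is correct.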
@@ -292,3 +302,26 @@ Validate values of MongoDB exporter URI string - auth.enabled and/or tls.enabled
{{- printf "mongodb://%slocalhost:27017/admin?%s" $uriAuth $uriTlsArgs -}}
{{- end -}}
{{/*
Return the appropriate apiGroup for PodSecurityPolicy.
*/}}
{{- define "podSecurityPolicy.apiGroup" -}}
{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "policy" -}}
{{- else -}}
{{- print "extensions" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for PodSecurityPolicy.
*/}}
{{- define "podSecurityPolicy.apiVersion" -}}
{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "policy/v1beta1" -}}
{{- else -}}
{{- print "extensions/v1beta1" -}}
{{- end -}}
{{- end -}}
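Review bot: the new helpers are named `podSecurityPolicy.apiGroup` and `podSecurityPolicy.apiVersion` without the `mongodb.` prefix that every other helper in this file carries (`mongodb.validateValues`, `mongodb.fullname`). Helm named templates share one global namespace across a release, so an unprefixed name can be silently overridden by a subchart or library chart defining the same template; rename them to `mongodb.podSecurityPolicy.apiGroup` / `mongodb.podSecurityPolicy.apiVersion` and update the two call sites in psp.yaml and role.yaml.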

@@ -0,0 +1,48 @@
{{- if .Values.podSecurityPolicy.create }}
apiVersion: {{ template "podSecurityPolicy.apiVersion" . }}
kind: PodSecurityPolicy
metadata:
name: {{ include "mongodb.fullname" . }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- if .Values.podSecurityPolicy.spec }}
{{ include "common.tplvalues.render" ( dict "value" .Values.podSecurityPolicy.spec "context" $ ) | nindent 2 }}
{{- else }}
allowPrivilegeEscalation: {{ .Values.podSecurityPolicy.allowPrivilegeEscalation }}
fsGroup:
rule: 'MustRunAs'
ranges:
- min: {{ .Values.podSecurityContext.fsGroup }}
max: {{ .Values.podSecurityContext.fsGroup }}
hostIPC: false
hostNetwork: false
hostPID: false
privileged: {{ .Values.podSecurityPolicy.privileged }}
readOnlyRootFilesystem: false
requiredDropCapabilities:
- ALL
runAsUser:
rule: 'MustRunAs'
ranges:
- min: {{ .Values.containerSecurityContext.runAsUser }}
max: {{ .Values.containerSecurityContext.runAsUser }}
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: {{ .Values.containerSecurityContext.runAsUser }}
max: {{ .Values.containerSecurityContext.runAsUser }}
volumes:
- 'configMap'
- 'secret'
- 'emptyDir'
- 'persistentVolumeClaim'
{{- end }}
{{- end }}
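Review bot: in the predefined spec, `supplementalGroups` is pinned to `.Values.containerSecurityContext.runAsUser` (a UID) while `fsGroup` just above is pinned to `.Values.podSecurityContext.fsGroup` (a GID). Supplemental groups are GIDs, so this only works while the chart's default UID and GID happen to be equal; use `.Values.podSecurityContext.fsGroup` for both `min` and `max` of the `supplementalGroups` range, as the `fsGroup` rule does. Also worth documenting: the single-value `runAsUser: MustRunAs` range rejects any pod in the release whose containers run as a different UID, so the `volumePermissions` init container referenced in the values.yaml hunk needs to be checked against this policy before the predefined spec is recommended as the default.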

@@ -14,4 +14,10 @@ rules:
- get
- list
- watch
{{- if .Values.podSecurityPolicy.create }}
- apiGroups: ['{{ template "podSecurityPolicy.apiGroup" . }}']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames: [{{ include "mongodb.fullname" . }}]
{{- end -}}
{{- end }}
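Review bot: `resourceNames: [{{ include "mongodb.fullname" . }}]` leaves the rendered name unquoted inside a YAML flow sequence, unlike the quoted `apiGroups` entry two lines above; quote it as `resourceNames: ['{{ include "mongodb.fullname" . }}']` so the rule cannot break on a `fullnameOverride` containing characters YAML treats specially. The `{{- end -}}` closing the `if` also trims the newline before the outer `{{- end }}`; harmless here, but `{{- end }}` matches the rest of the file.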

@@ -844,6 +844,53 @@ rbac:
##
create: false
## PodSecurityPolicy configuration
## Be sure to also set rbac.create to true, otherwise Role and RoleBinding
## won't be created.
## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
##
podSecurityPolicy:
## Specifies whether a PodSecurityPolicy should be created
##
create: false
## You can either use predefined policy with some adjustments
allowPrivilegeEscalation: false
privileged: false
## Or you can specifiy the full spec to use for PSP
## Defining a spec ignores the above values.
spec: {}
## Example:
## allowPrivilegeEscalation: false
## fsGroup:
## rule: 'MustRunAs'
## ranges:
## - min: 1001
## max: 1001
## hostIPC: false
## hostNetwork: false
## hostPID: false
## privileged: false
## readOnlyRootFilesystem: false
## requiredDropCapabilities:
## - ALL
## runAsUser:
## rule: 'MustRunAs'
## ranges:
## - min: 1001
## max: 1001
## seLinux:
## rule: 'RunAsAny'
## supplementalGroups:
## rule: 'MustRunAs'
## ranges:
## - min: 1001
## max: 1001
## volumes:
## - 'configMap'
## - 'secret'
## - 'emptyDir'
## - 'persistentVolumeClaim'
## Init Container parameters
## Change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each component
## values from the securityContext section of the component
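Review bot: the comment "Be sure to also set rbac.create to true, otherwise Role and RoleBinding won't be created" no longer describes what happens: with this commit's `mongodb.validateValues.pspAndRBAC`, rendering fails outright when `podSecurityPolicy.create` is true and `rbac.create` is false, so say that instead. Typos in the new comments: "specifiy" should be "specify", and "use predefined policy" should be "use the predefined policy".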