diff --git a/bitnami/mongodb/Chart.yaml b/bitnami/mongodb/Chart.yaml
index 9c6754dfe4..635d5c725f 100644
--- a/bitnami/mongodb/Chart.yaml
+++ b/bitnami/mongodb/Chart.yaml
@@ -26,4 +26,4 @@ name: mongodb
 sources:
 - https://github.com/bitnami/bitnami-docker-mongodb
 - https://mongodb.org
-version: 10.4.1
+version: 10.5.0
diff --git a/bitnami/mongodb/README.md b/bitnami/mongodb/README.md
index 5acfe894f4..0d2d90d651 100644
--- a/bitnami/mongodb/README.md
+++ b/bitnami/mongodb/README.md
@@ -245,25 +245,29 @@ The following tables lists the configurable parameters of the MongoDB chart and ### Persistence parameters -| Parameter | Description | Default | -|---------------------------------------------|------------------------------------------------------------------------------------------------------------|---------------------------------------------------------| +| Parameter | Description | Default | +|-------------------------------------------|------------------------------------------------------------------------------------------------------------|---------------------------------------------------------| | `persistence.enabled` | Enable MongoDB data persistence using PVC | `true` | | `persistence.existingClaim` | Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) | `nil` (evaluated as a template) | | `persistence.storageClass` | PVC Storage Class for MongoDB data volume | `nil` | | `persistence.accessMode` | PVC Access Mode for MongoDB data volume | `ReadWriteOnce` | | `persistence.size` | PVC Storage Request for MongoDB data volume | `8Gi` | -| `persistence.mountPath` | Path to mount the volume at | `/bitnami/mongodb` | +| `persistence.mountPath` | Path to mount the volume at | `/bitnami/mongodb` | | `persistence.subPath` | Subdirectory of the volume to mount at | `""` | | `persistence.volumeClaimTemplates.selector` | A label query over volumes to consider for binding (e.g. 
when using local volumes) | `` | ### RBAC parameters -| Parameter | Description | Default | -|-------------------------------------------|------------------------------------------------------------------------------------------------------------|---------------------------------------------------------| -| `serviceAccount.create` | Enable creation of ServiceAccount for MongoDB pods | `true` | -| `serviceAccount.name` | Name of the created serviceAccount | Generated using the `mongodb.fullname` template | -| `serviceAccount.annotations` | Additional Service Account annotations | `{}` | -| `rbac.create` | Weather to create & use RBAC resources or not | `false` | +| Parameter | Description | Default | +|----------------------------------------------|------------------------------------------------------------------------------------------------------------|---------------------------------------------------------| +| `serviceAccount.create` | Enable creation of ServiceAccount for MongoDB pods | `true` | +| `serviceAccount.name` | Name of the created serviceAccount | Generated using the `mongodb.fullname` template | +| `serviceAccount.annotations` | Additional Service Account annotations | `{}` | +| `rbac.create` | Weather to create & use RBAC resources or not | `false` | +| `podSecurityPolicy.create | Whether to create & use PSP resource or not (Note: `rbac.create` needs to be `true`) | `false` | +| `podSecurityPolicy.allowPrivilegeEscalation` | Enable privilege escalation | `false` | +| `podSecurityPolicy.privileged` | Allow privileged | `false` | +| `podSecurityPolicy.spec | The PSP Spec (See https://kubernetes.io/docs/concepts/policy/pod-security-policy/), takes precedence | `{}` | ### Volume Permissions parameters diff --git a/bitnami/mongodb/templates/_helpers.tpl b/bitnami/mongodb/templates/_helpers.tpl index 4c83cbde40..bdf701f41c 100644 --- a/bitnami/mongodb/templates/_helpers.tpl +++ b/bitnami/mongodb/templates/_helpers.tpl 
@@ -199,6 +199,7 @@ Compile all warnings into a single message, and call fail. */}} {{- define "mongodb.validateValues" -}} {{- $messages := list -}} +{{- $messages := append $messages (include "mongodb.validateValues.pspAndRBAC" .) -}} {{- $messages := append $messages (include "mongodb.validateValues.architecture" .) -}} {{- $messages := append $messages (include "mongodb.validateValues.customDatabase" .) -}} {{- $messages := append $messages (include "mongodb.validateValues.externalAccessServiceType" .) -}} @@ -213,6 +214,15 @@ Compile all warnings into a single message, and call fail. {{- end -}} {{- end -}} +{{/* Validate RBAC is created when using PSP */}} +{{- define "mongodb.validateValues.pspAndRBAC" -}} +{{- if and (.Values.podSecurityPolicy.create) (not .Values.rbac.create) -}} +mongodb: podSecurityPolicy.create, rbac.create + Both podSecurityPolicy.create and rbac.create must be true, if you want + to create podSecurityPolicy +{{- end -}} +{{- end -}} + {{/* Validate values of MongoDB - must provide a valid architecture */}} {{- define "mongodb.validateValues.architecture" -}} {{- if and (ne .Values.architecture "standalone") (ne .Values.architecture "replicaset") -}} @@ -292,3 +302,26 @@ Validate values of MongoDB exporter URI string - auth.enabled and/or tls.enabled {{- printf "mongodb://%slocalhost:27017/admin?%s" $uriAuth $uriTlsArgs -}} {{- end -}} + + +{{/* +Return the appropriate apiGroup for PodSecurityPolicy. +*/}} +{{- define "podSecurityPolicy.apiGroup" -}} +{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "policy" -}} +{{- else -}} +{{- print "extensions" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for PodSecurityPolicy. +*/}} +{{- define "podSecurityPolicy.apiVersion" -}} +{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "policy/v1beta1" -}} +{{- else -}} +{{- print "extensions/v1beta1" -}} +{{- end -}} +{{- end -}} 
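Review bot: `podSecurityPolicy.apiGroup` and `podSecurityPolicy.apiVersion` in the last hunk are the only named templates here without the `mongodb.` prefix that the chart's other helpers carry (`mongodb.validateValues.*`); Helm named templates are global across a release, so an unprefixed name can be overridden by a dependency chart that defines the same one. Renaming them `mongodb.podSecurityPolicy.apiGroup` / `mongodb.podSecurityPolicy.apiVersion` and updating the two callers in psp.yaml and role.yaml keeps them chart-scoped. The `semverCompare ">=1.14-0"` test is also duplicated between the two helpers; `apiVersion` could be reduced to `{{- printf "%s/v1beta1" (include "podSecurityPolicy.apiGroup" .) -}}` so the group and version cannot drift apart.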
diff --git a/bitnami/mongodb/templates/psp.yaml b/bitnami/mongodb/templates/psp.yaml
new file mode 100644
index 0000000000..b17e8ea153
--- /dev/null
+++ b/bitnami/mongodb/templates/psp.yaml
@@ -0,0 +1,48 @@
+{{- if .Values.podSecurityPolicy.create }}
+apiVersion: {{ template "podSecurityPolicy.apiVersion" . }}
+kind: PodSecurityPolicy
+metadata:
+ name: {{ include "mongodb.fullname" . }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+{{- if .Values.podSecurityPolicy.spec }}
+{{ include "common.tplvalues.render" ( dict "value" .Values.podSecurityPolicy.spec "context" $ ) | nindent 2 }}
+{{- else }}
+ allowPrivilegeEscalation: {{ .Values.podSecurityPolicy.allowPrivilegeEscalation }}
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ - min: {{ .Values.podSecurityContext.fsGroup }}
+ max: {{ .Values.podSecurityContext.fsGroup }}
+ hostIPC: false
+ hostNetwork: false
+ hostPID: false
+ privileged: {{ .Values.podSecurityPolicy.privileged }}
+ readOnlyRootFilesystem: false
+ requiredDropCapabilities:
+ - ALL
+ runAsUser:
+ rule: 'MustRunAs'
+ ranges:
+ - min: {{ .Values.containerSecurityContext.runAsUser }}
+ max: {{ .Values.containerSecurityContext.runAsUser }}
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ - min: {{ .Values.containerSecurityContext.runAsUser }}
+ max: {{ .Values.containerSecurityContext.runAsUser }}
+ volumes:
+ - 'configMap'
+ - 'secret'
+ - 'emptyDir'
+ - 'persistentVolumeClaim'
+{{- end }}
+{{- end }}
diff --git a/bitnami/mongodb/templates/role.yaml b/bitnami/mongodb/templates/role.yaml
index f8eda3d048..da3b8564bc 100644
--- a/bitnami/mongodb/templates/role.yaml
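Review bot: The `supplementalGroups` range in the default spec is built from `.Values.containerSecurityContext.runAsUser`, while the `fsGroup` range above it uses `.Values.podSecurityContext.fsGroup`; supplemental groups are GIDs, so this looks like a copy of the `runAsUser` block and should presumably read `- min: {{ .Values.podSecurityContext.fsGroup }}` / `max: {{ .Values.podSecurityContext.fsGroup }}`. All three `MustRunAs` ranges also render as empty `min:` / `max:` when the referenced security-context value is unset, which produces an invalid PSP rather than a permissive one, so a `required` on those values or a documented assumption would help. Note as well that `podSecurityPolicy.privileged: true` together with the default `allowPrivilegeEscalation: false` should still not admit a privileged container, since Kubernetes rejects a container that is privileged but has privilege escalation disabled; the two values need to be documented as a pair.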
+++ b/bitnami/mongodb/templates/role.yaml
@@ -14,4 +14,10 @@ rules:
 - get
 - list
 - watch
+{{- if .Values.podSecurityPolicy.create }}
+ - apiGroups: ['{{ template "podSecurityPolicy.apiGroup" . }}']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames: [{{ include "mongodb.fullname" . }}]
+{{- end -}}
 {{- end }}
diff --git a/bitnami/mongodb/values.yaml b/bitnami/mongodb/values.yaml
index 2f5436611a..86a56882e0 100644
--- a/bitnami/mongodb/values.yaml
+++ b/bitnami/mongodb/values.yaml
@@ -844,6 +844,53 @@ rbac:
 ##
 create: false
+## PodSecurityPolicy configuration
+## Be sure to also set rbac.create to true, otherwise Role and RoleBinding
+## won't be created.
+## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
+##
+podSecurityPolicy:
+ ## Specifies whether a PodSecurityPolicy should be created
+ ##
+ create: false
+ ## You can either use predefined policy with some adjustments
+ allowPrivilegeEscalation: false
+ privileged: false
+ ## Or you can specifiy the full spec to use for PSP
+ ## Defining a spec ignores the above values.
+ spec: {}
+ ## Example:
+ ## allowPrivilegeEscalation: false
+ ## fsGroup:
+ ## rule: 'MustRunAs'
+ ## ranges:
+ ## - min: 1001
+ ## max: 1001
+ ## hostIPC: false
+ ## hostNetwork: false
+ ## hostPID: false
+ ## privileged: false
+ ## readOnlyRootFilesystem: false
+ ## requiredDropCapabilities:
+ ## - ALL
+ ## runAsUser:
+ ## rule: 'MustRunAs'
+ ## ranges:
+ ## - min: 1001
+ ## max: 1001
+ ## seLinux:
+ ## rule: 'RunAsAny'
+ ## supplementalGroups:
+ ## rule: 'MustRunAs'
+ ## ranges:
+ ## - min: 1001
+ ## max: 1001
+ ## volumes:
+ ## - 'configMap'
+ ## - 'secret'
+ ## - 'emptyDir'
+ ## - 'persistentVolumeClaim'
+
 ## Init Container parameters
 ## Change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each component
 ## values from the securityContext section of the component
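Review bot: `resourceNames: [{{ include "mongodb.fullname" . }}]` is the one value in the new rule left unquoted, while the `apiGroups` entry on the line above quotes its template output; a release name containing a character YAML treats specially would break the flow sequence, so `resourceNames: ['{{ include "mongodb.fullname" . }}']` is both consistent and safer. Scoping the `use` verb to this chart's own policy rather than all `podsecuritypolicies` is the right call. The `{{- if .Values.rbac.create }}` that the final `{{- end }}` presumably closes begins outside the hunk, so the new rule inherits that gate.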
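Review bot: `## Or you can specifiy the full spec to use for PSP` has a typo and should read `## Or you can specify the full spec to use for PSP`. The header comment asks users to enable `rbac.create` but does not say that rendering now fails when they forget, nor that `privileged: true` is not effective while `allowPrivilegeEscalation` stays `false`; one comment line for each next to `create: false` and `privileged: false` would save a support round-trip. The README rows for `podSecurityPolicy.create` and `podSecurityPolicy.spec` in this same commit are also missing their closing backtick.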