From ebc150352f968dc66686db709590e3444b8fb74b Mon Sep 17 00:00:00 2001
From: Davide Madrisan
Date: Wed, 1 Dec 2021 17:05:05 +0100
Subject: [PATCH] bitnami/mariadb Add security context setup to the metrics containers (#8247)
* Add security context setup to the mariadb metrics containers
Signed-off-by: Davide Madrisan
* Fix typo
* Bump the mariadb chart version
Signed-off-by: Davide Madrisan
* Bump minor chart version and update the README
---
 bitnami/mariadb/Chart.yaml | 2 +-
 bitnami/mariadb/README.md | 1 +
 bitnami/mariadb/templates/primary/statefulset.yaml | 3 +++
 bitnami/mariadb/templates/secondary/statefulset.yaml | 3 +++
 bitnami/mariadb/values.yaml | 12 ++++++++++++
 5 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/bitnami/mariadb/Chart.yaml b/bitnami/mariadb/Chart.yaml
index c239720fed..c42a1c0548 100644
--- a/bitnami/mariadb/Chart.yaml
+++ b/bitnami/mariadb/Chart.yaml
@@ -26,4 +26,4 @@ sources:
 - https://github.com/bitnami/bitnami-docker-mariadb
 - https://github.com/prometheus/mysqld_exporter
 - https://mariadb.org
-version: 10.0.4
+version: 10.1.0
diff --git a/bitnami/mariadb/README.md b/bitnami/mariadb/README.md
index c59073c023..0a2c6cdb54 100644
--- a/bitnami/mariadb/README.md
+++ b/bitnami/mariadb/README.md
@@ -303,6 +303,7 @@ The command removes all the Kubernetes components associated with the chart and
 | Name | Description | Value |
 | -------------------------------------------- | --------------------------------------------------------------------------------- | ------------------------- |
+| `metrics.containerSecurityContext.enabled` | Metrics container securityContext | `false` |
 | `metrics.enabled` | Start a side-car prometheus exporter | `false` |
 | `metrics.image.registry` | Exporter image registry | `docker.io` |
 | `metrics.image.repository` | Exporter image repository | `bitnami/mysqld-exporter` |
diff --git a/bitnami/mariadb/templates/primary/statefulset.yaml b/bitnami/mariadb/templates/primary/statefulset.yaml
index 7a77cd9bb9..3ee7005b58 100644
--- a/bitnami/mariadb/templates/primary/statefulset.yaml
+++ b/bitnami/mariadb/templates/primary/statefulset.yaml
@@ -270,6 +270,9 @@ spec:
 - name: metrics
 image: {{ include "mariadb.metrics.image" . }}
 imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
+ {{- if .Values.metrics.containerSecurityContext.enabled }}
+ securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+ {{- end }}
 env:
 {{- if .Values.auth.usePasswordFiles }}
 - name: MARIADB_ROOT_PASSWORD_FILE
diff --git a/bitnami/mariadb/templates/secondary/statefulset.yaml b/bitnami/mariadb/templates/secondary/statefulset.yaml
index 6b88e7c098..017bb4480b 100644
--- a/bitnami/mariadb/templates/secondary/statefulset.yaml
+++ b/bitnami/mariadb/templates/secondary/statefulset.yaml
@@ -253,6 +253,9 @@ spec:
 - name: metrics
 image: {{ include "mariadb.metrics.image" . }}
 imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
+ {{- if .Values.metrics.containerSecurityContext.enabled }}
+ securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+ {{- end }}
 env:
 {{- if .Values.auth.usePasswordFiles }}
 - name: MARIADB_ROOT_PASSWORD_FILE
diff --git a/bitnami/mariadb/values.yaml b/bitnami/mariadb/values.yaml
index 424d5dfc71..9734ef861e 100644
--- a/bitnami/mariadb/values.yaml
+++ b/bitnami/mariadb/values.yaml
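Review bot: With only `enabled: true` set, `omit .Values.metrics.containerSecurityContext "enabled"` leaves an empty map, so the block added in the primary statefulset hunk renders an empty `securityContext` and the exporter container runs unrestricted while the values claim the context is enabled. The trailing context shows this container's `env` carrying `MARIADB_ROOT_PASSWORD_FILE`, so it appears to handle the root credential and is worth hardening. I would put a template comment above the `if`, for example `{{- /* only user-supplied keys are rendered; "enabled" alone yields an empty securityContext */}}`, or ship restrictive keys as defaults in values.yaml. The secondary statefulset hunk adds the same three lines and has the same gap. Both container specs continue outside the hunks, and indentation is not preserved on this page, so `nindent 12` could not be checked against the container's nesting.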
@@ -1023,6 +1023,18 @@ metrics:
 extraArgs:
 primary: []
 secondary: []
+ ## MariaDB metrics container Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+ ## @param metrics.containerSecurityContext.enabled Enable security context for MariaDB metrics container
+ ## Example:
+ ## containerSecurityContext:
+ ## enabled: true
+ ## capabilities:
+ ## drop: ["NET_RAW"]
+ ## readOnlyRootFilesystem: true
+ ##
+ containerSecurityContext:
+ enabled: false
 ## Mysqld Prometheus exporter resource requests and limits
 ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
 ## We usually recommend not to specify default resources and to leave this as a conscious
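Review bot: The new `containerSecurityContext` default is `enabled: false` with no hardening keys, so an install with default values is unchanged by this commit, and a user who flips only `enabled` gets nothing applied to the metrics container. The commented example stops at dropping `NET_RAW` and `readOnlyRootFilesystem: true`; I would extend it with `runAsNonRoot: true` and `allowPrivilegeEscalation: false`, and add a line such as `## Every key other than "enabled" is copied verbatim into the container securityContext` so operators know what the block accepts. Whether the exporter image tolerates a read-only root filesystem is not visible here and should be confirmed before the example recommends it. The `metrics:` mapping starts and continues outside the hunk.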