[bitnami/cert-manager] feat!: 🔒 💥 Improve security defaults (#24271)

* [bitnami/cert-manager] feat!: 🔒 💥 Improve security defaults

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* Update README.md with readme-generator-for-helm

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

* chore: ⬆️ Bump common subchart

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* chore:  Revert changes in values.yaml

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* test:  Add /tmp as emptydir

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

---------

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>
Signed-off-by: Alejandro Moreno <amorenoc@vmware.com>
Co-authored-by: Bitnami Containers <bitnami-bot@vmware.com>
Co-authored-by: Alejandro Moreno <amorenoc@vmware.com>
Author: Javier J. Salmerón-García
Date: 2024-03-18 10:23:54 +01:00 (committed by GitHub)
Parent: fec835fc25
Commit: f57daed50b
4 changed files with 50 additions and 32 deletions

View File

@@ -9,6 +9,13 @@ controller:
serviceAccount:
create: true
automountServiceAccountToken: true
extraVolumes:
- name: empty-dir
emptyDir: {}
extraVolumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
webhook:
httpsPort: 443
rbac:
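Review bot: the writable `/tmp` emptyDir added here (`extraVolumes` / `extraVolumeMounts` under `controller`) lives only in the CI values file, while `readOnlyRootFilesystem: true` becomes the default for the controller, webhook and cainjector in values.yaml in this same commit. A user who upgrades with the chart defaults therefore gets a read-only `/tmp` that the test suite itself needed to make writable, and even in CI the webhook and cainjector get no scratch volume. Either ship this mount in the chart defaults or spell it out under "To 1.0.0" as the override needed alongside `readOnlyRootFilesystem: true`.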

View File

@@ -35,4 +35,4 @@ maintainers:
name: cert-manager
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/cert-manager
version: 0.24.1
version: 1.0.0
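Review bot: only `version` changes in this hunk, yet the commit message includes "chore: Bump common subchart"; if the `dependencies` entry for `common` was bumped, that hunk (and the matching Chart.lock update) should be part of this commit, otherwise the message describes a change that did not ship. The 0.24.1 to 1.0.0 jump is the right signal for changed security defaults.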

View File

@@ -264,12 +264,12 @@ As an alternative, you can make use of the preset configurations for pod affinit
### Global parameters
| Name | Description | Value |
| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
| `global.imageRegistry` | Global Docker image registry | `""` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` |
| Name | Description | Value |
| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ |
| `global.imageRegistry` | Global Docker image registry | `""` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` |
### Common parameters
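Review bot: the `auto` default for `global.compatibility.openshift.adaptSecurityContext` interacts with the other hardening in this commit and the upgrade note should say so. Per the parameter description, on a cluster detected as OpenShift the chart removes `runAsUser`, `runAsGroup` and `fsGroup`, so the new `runAsGroup: 1001` default never reaches those pods and the SCC-assigned IDs apply instead. That is the intended behaviour, but "To 1.0.0" currently lists the flag change without explaining that on OpenShift it overrides the UID/GID defaults introduced in the same release.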
@@ -304,7 +304,7 @@ As an alternative, you can make use of the preset configurations for pod affinit
| `controller.acmesolver.image.pullPolicy` | Controller image pull policy | `IfNotPresent` |
| `controller.acmesolver.image.pullSecrets` | Controller image pull secrets | `[]` |
| `controller.acmesolver.image.debug` | Controller image debug mode | `false` |
| `controller.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if controller.resources is set (controller.resources is recommended for production). | `none` |
| `controller.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if controller.resources is set (controller.resources is recommended for production). | `nano` |
| `controller.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `controller.podSecurityContext.enabled` | Enabled Controller pods' Security Context | `true` |
| `controller.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
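Review bot: moving `controller.resourcesPreset` from `none` to `nano` is a behavioural change, not just a default tweak, and the upgrade note should warn about it: `none` meant the controller ran with no requests or limits, whereas `nano` now applies the smallest preset, so large installations that previously relied on unbounded CPU/memory can hit throttling or OOM kills after upgrading unless they set `controller.resources` (which the description already recommends for production). The same applies to the `webhook` and `cainjector` presets changed below.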
@@ -312,11 +312,11 @@ As an alternative, you can make use of the preset configurations for pod affinit
| `controller.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `controller.podSecurityContext.fsGroup` | Set Controller pod's Security Context fsGroup | `1001` |
| `controller.containerSecurityContext.enabled` | Enabled controller containers' Security Context | `true` |
| `controller.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `controller.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `controller.containerSecurityContext.runAsUser` | Set controller containers' Security Context runAsUser | `1001` |
| `controller.containerSecurityContext.runAsGroup` | Set controller containers' Security Context runAsGroup | `0` |
| `controller.containerSecurityContext.runAsGroup` | Set controller containers' Security Context runAsGroup | `1001` |
| `controller.containerSecurityContext.runAsNonRoot` | Set controller containers' Security Context runAsNonRoot | `true` |
| `controller.containerSecurityContext.readOnlyRootFilesystem` | Set read only root file system pod's Security Conte | `false` |
| `controller.containerSecurityContext.readOnlyRootFilesystem` | Set read only root file system pod's Security Conte | `true` |
| `controller.containerSecurityContext.privileged` | Set controller container's Security Context privileged | `false` |
| `controller.containerSecurityContext.allowPrivilegeEscalation` | Set controller container's Security Context allowPrivilegeEscalation | `false` |
| `controller.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
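Review bot: the `controller.containerSecurityContext.readOnlyRootFilesystem` rows (old and new) carry a truncated description, "Set read only root file system pod's Security Conte", and the same truncation appears for the webhook and cainjector rows. This table is generated by readme-generator-for-helm, so the fix belongs in the `@param` comments in values.yaml, followed by a regenerate. Also worth noting next to the `true` default that any path the process writes to (the CI values add an emptyDir at `/tmp`) must now be backed by a volume.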
@@ -398,7 +398,7 @@ As an alternative, you can make use of the preset configurations for pod affinit
| `webhook.image.pullPolicy` | Webhook image pull policy | `IfNotPresent` |
| `webhook.image.pullSecrets` | Webhook image pull secrets | `[]` |
| `webhook.image.debug` | Webhook image debug mode | `false` |
| `webhook.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if controller.resources is set (controller.resources is recommended for production). | `none` |
| `webhook.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if controller.resources is set (controller.resources is recommended for production). | `nano` |
| `webhook.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `webhook.podSecurityContext.enabled` | Enabled Webhook pods' Security Context | `true` |
| `webhook.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
@@ -406,11 +406,11 @@ As an alternative, you can make use of the preset configurations for pod affinit
| `webhook.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `webhook.podSecurityContext.fsGroup` | Set Webhook pod's Security Context fsGroup | `1001` |
| `webhook.containerSecurityContext.enabled` | Enabled webhook containers' Security Context | `true` |
| `webhook.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `webhook.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `webhook.containerSecurityContext.runAsUser` | Set webhook containers' Security Context runAsUser | `1001` |
| `webhook.containerSecurityContext.runAsGroup` | Set webhook containers' Security Context runAsGroup | `0` |
| `webhook.containerSecurityContext.runAsGroup` | Set webhook containers' Security Context runAsGroup | `1001` |
| `webhook.containerSecurityContext.runAsNonRoot` | Set webhook containers' Security Context runAsNonRoot | `true` |
| `webhook.containerSecurityContext.readOnlyRootFilesystem` | Set read only root file system pod's Security Conte | `false` |
| `webhook.containerSecurityContext.readOnlyRootFilesystem` | Set read only root file system pod's Security Conte | `true` |
| `webhook.containerSecurityContext.privileged` | Set webhook container's Security Context privileged | `false` |
| `webhook.containerSecurityContext.allowPrivilegeEscalation` | Set webhook container's Security Context allowPrivilegeEscalation | `false` |
| `webhook.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
@@ -488,7 +488,7 @@ As an alternative, you can make use of the preset configurations for pod affinit
| `cainjector.image.pullPolicy` | CAInjector image pull policy | `IfNotPresent` |
| `cainjector.image.pullSecrets` | CAInjector image pull secrets | `[]` |
| `cainjector.image.debug` | CAInjector image debug mode | `false` |
| `cainjector.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if cloneHtdocsFromGit.resources is set (cloneHtdocsFromGit.resources is recommended for production). | `none` |
| `cainjector.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if cloneHtdocsFromGit.resources is set (cloneHtdocsFromGit.resources is recommended for production). | `nano` |
| `cainjector.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `cainjector.podSecurityContext.enabled` | Enabled CAInjector pods' Security Context | `true` |
| `cainjector.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
@@ -496,11 +496,11 @@ As an alternative, you can make use of the preset configurations for pod affinit
| `cainjector.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `cainjector.podSecurityContext.fsGroup` | Set CAInjector pod's Security Context fsGroup | `1001` |
| `cainjector.containerSecurityContext.enabled` | Enabled cainjector containers' Security Context | `true` |
| `cainjector.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `cainjector.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `cainjector.containerSecurityContext.runAsUser` | Set cainjector containers' Security Context runAsUser | `1001` |
| `cainjector.containerSecurityContext.runAsGroup` | Set cainjector containers' Security Context runAsGroup | `0` |
| `cainjector.containerSecurityContext.runAsGroup` | Set cainjector containers' Security Context runAsGroup | `1001` |
| `cainjector.containerSecurityContext.runAsNonRoot` | Set cainjector containers' Security Context runAsNonRoot | `true` |
| `cainjector.containerSecurityContext.readOnlyRootFilesystem` | Set read only root file system pod's Security Conte | `false` |
| `cainjector.containerSecurityContext.readOnlyRootFilesystem` | Set read only root file system pod's Security Conte | `true` |
| `cainjector.containerSecurityContext.privileged` | Set cainjector container's Security Context privileged | `false` |
| `cainjector.containerSecurityContext.allowPrivilegeEscalation` | Set cainjector container's Security Context allowPrivilegeEscalation | `false` |
| `cainjector.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
@@ -614,6 +614,17 @@ Find more information about how to deal with common errors related to Bitnami's
## Upgrading
### To 1.0.0
This major bump changes the following security defaults:
- `runAsGroup` is changed from `0` to `1001`
- `readOnlyRootFilesystem` is set to `true`
- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case).
- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`.
This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones.
### To 0.5.0
Exisiting CRDs have been syncronised with the official [cert-manager repository](https://github.com/cert-manager/cert-manager/tree/master/deploy/crds). Using the templates present in the 1.8.0 tag.
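Review bot: the "To 1.0.0" note tells users to "change the default values to the previous ones" without naming them; since the previous values are visible in this diff, list them concretely (`controller.containerSecurityContext.runAsGroup: 0`, `readOnlyRootFilesystem: false`, `resourcesPreset: "none"`, `global.compatibility.openshift.adaptSecurityContext: disabled`, and the same for `webhook` and `cainjector`) so a rollback is a copy-paste rather than a diff hunt. The note also omits that `readOnlyRootFilesystem: true` may require an `extraVolumes` / `extraVolumeMounts` entry for `/tmp`, which this commit adds only in the CI values. While touching this section, the unchanged "To 0.5.0" line has two typos ("Exisiting", "syncronised").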

View File

@@ -21,7 +21,7 @@ global:
openshift:
## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
##
adaptSecurityContext: disabled
adaptSecurityContext: auto
## @section Common parameters
## @param kubeVersion Override Kubernetes version
@@ -133,7 +133,7 @@ controller:
## @param controller.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if controller.resources is set (controller.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "none"
resourcesPreset: "nano"
## @param controller.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
@@ -174,9 +174,9 @@ controller:
##
containerSecurityContext:
enabled: true
seLinuxOptions: null
seLinuxOptions: {}
runAsUser: 1001
runAsGroup: 0
runAsGroup: 1001
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
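Review bot: `seLinuxOptions` changes from `null` to `{}` here (and for the webhook and cainjector below); check how the template emits this block, because `toYaml` on an empty map renders a literal `seLinuxOptions: {}` into the container spec, whereas `null` was dropped. Harmless for Kubernetes, but it is a rendered-manifest change that is not mentioned in the "To 1.0.0" note and will show up in diffs for anyone tracking rendered output. The `runAsGroup: 1001` change is consistent with `runAsUser: 1001` and the pod-level `fsGroup: 1001`, so file ownership for mounted volumes lines up.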
@@ -184,7 +184,7 @@ controller:
drop: ["ALL"]
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
readOnlyRootFilesystem: true
## @param controller.podAffinityPreset Pod affinity preset. Ignored if `controller.affinity` is set. Allowed values: `soft` or `hard`
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
##
@@ -504,7 +504,7 @@ webhook:
## @param webhook.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if controller.resources is set (controller.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "none"
resourcesPreset: "nano"
## @param webhook.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
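Review bot: the `@param webhook.resourcesPreset` description still says the preset is ignored if `controller.resources` is set; it should reference `webhook.resources`, since that is the value the webhook template consults. This comment feeds the generated README table, so the wrong parameter name is reproduced there as well.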
@@ -545,9 +545,9 @@ webhook:
##
containerSecurityContext:
enabled: true
seLinuxOptions: null
seLinuxOptions: {}
runAsUser: 1001
runAsGroup: 0
runAsGroup: 1001
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
@@ -555,7 +555,7 @@ webhook:
drop: ["ALL"]
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
readOnlyRootFilesystem: true
## @param webhook.podAffinityPreset Pod affinity preset. Ignored if `webhook.affinity` is set. Allowed values: `soft` or `hard`
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
##
@@ -860,7 +860,7 @@ cainjector:
## @param cainjector.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if cloneHtdocsFromGit.resources is set (cloneHtdocsFromGit.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "none"
resourcesPreset: "nano"
## @param cainjector.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
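Review bot: the `@param cainjector.resourcesPreset` description references `cloneHtdocsFromGit.resources`, a parameter that does not exist in this chart and was evidently pasted from another Bitnami chart; it should read `cainjector.resources`. As with the webhook comment, this text is copied verbatim into the generated README.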
@@ -901,9 +901,9 @@ cainjector:
##
containerSecurityContext:
enabled: true
seLinuxOptions: null
seLinuxOptions: {}
runAsUser: 1001
runAsGroup: 0
runAsGroup: 1001
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
@@ -911,7 +911,7 @@ cainjector:
drop: ["ALL"]
seccompProfile:
type: "RuntimeDefault"
readOnlyRootFilesystem: false
readOnlyRootFilesystem: true
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
## @param cainjector.podAffinityPreset Pod affinity preset. Ignored if `cainjector.affinity` is set. Allowed values: `soft` or `hard`
##