Bitnami/charts
2
0
Fork 0
mirror of https://github.com/bitnami/charts.git synced 2026-03-06 15:10:15 +08:00
Code Issues Packages Projects Releases Wiki Activity

[bitnami/moodle] feat!: 🔒 💥 Improve security defaults (#24833)

Browse Source 
* [bitnami/moodle] Update MariaDB to branch 11.3

Signed-off-by: David Gomez <dgomezleon@vmware.com>

* [bitnami/moodle] Fix typo

Signed-off-by: David Gomez <dgomezleon@vmware.com>

* [bitnami/moodle] feat!: 🔒 💥 Improve security defaults

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* fix: 🐛 Use .containerPort in networkPolicy

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

---------

Signed-off-by: David Gomez <dgomezleon@vmware.com>
Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
Co-authored-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
This commit is contained in:
David Gomez
2024-04-03 13:01:08 +02:00
committed by GitHub
parent 619549692e
commit f8747c147b
9 changed files with 227 additions and 269 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
bitnami/moodle/Chart.lock
View File

@@ -1,9 +1,9 @@
dependencies:
- name: mariadb
repository: oci://registry-1.docker.io/bitnamicharts
version: 15.2.3
version: 18.0.1
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
version: 2.19.1
digest: sha256:7313e035ba30f151c5a77ea01cc2306f7a0eb839a26a4c5b4d6cb99ee3d42472
generated: "2024-04-02T10:12:58.172446298Z"
digest: sha256:892e38c7f6fea287c4a6a4e49e513bb52531f2d7b09f3a274d7b6bf81a1a07fb
generated: "2024-04-03T11:36:27.595608844+02:00"

4
bitnami/moodle/Chart.yaml
View File

@@ -17,7 +17,7 @@ dependencies:
- condition: mariadb.enabled
name: mariadb
repository: oci://registry-1.docker.io/bitnamicharts
version: 15.x.x
version: 18.x.x
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
tags:
@@ -36,4 +36,4 @@ maintainers:
name: moodle
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/moodle
version: 20.5.1
version: 21.0.0

104
bitnami/moodle/README.md
View File

@@ -119,12 +119,12 @@ You may want to review the [PV reclaim policy](https://kubernetes.io/docs/tasks/
### Global parameters
| Name | Description | Value |
| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
| `global.imageRegistry` | Global Docker image registry | `""` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` |
| Name | Description | Value |
| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ |
| `global.imageRegistry` | Global Docker image registry | `""` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` |
### Common parameters
@@ -178,6 +178,7 @@ You may want to review the [PV reclaim policy](https://kubernetes.io/docs/tasks/
| `smtpPassword` | SMTP password | `""` |
| `smtpProtocol` | SMTP Protocol (options: ssl,tls, nil) | `""` |
| `containerPorts` | Container ports | `{}` |
| `extraContainerPorts` | Optionally specify extra list of additional ports for WordPress container(s) | `[]` |
| `sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` |
| `persistence.enabled` | Enable persistence using PVC | `true` |
| `persistence.customStorageClass` | Create a custom storage class | `{}` |
@@ -194,7 +195,7 @@ You may want to review the [PV reclaim policy](https://kubernetes.io/docs/tasks/
| `nodeAffinityPreset.values` | Node label values to match | `[]` |
| `affinity` | Map of node/pod affinities | `{}` |
| `nodeSelector` | Node labels for pod assignment | `{}` |
| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `none` |
| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `micro` |
| `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `podSecurityContext.enabled` | Enable Moodle&trade; pods' Security Context | `true` |
| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
@@ -202,8 +203,9 @@ You may want to review the [PV reclaim policy](https://kubernetes.io/docs/tasks/
| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `podSecurityContext.fsGroup` | Moodle&trade; pods' group ID | `1001` |
| `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
| `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
@@ -275,27 +277,29 @@ You may want to review the [PV reclaim policy](https://kubernetes.io/docs/tasks/
### Database parameters
| Name | Description | Value |
| ------------------------------------------- | ---------------------------------------------------------------------------------------- | ------------------- |
| `mariadb.enabled` | Whether to deploy a mariadb server to satisfy the applications database requirements | `true` |
| `mariadb.architecture` | MariaDB architecture (`standalone` or `replication`) | `standalone` |
| `mariadb.auth.rootPassword` | Password for the MariaDB `root` user | `""` |
| `mariadb.auth.database` | Database name to create | `bitnami_moodle` |
| `mariadb.auth.username` | Database user to create | `bn_moodle` |
| `mariadb.auth.password` | Password for the database | `""` |
| `mariadb.primary.persistence.enabled` | Enable database persistence using PVC | `true` |
| `mariadb.primary.persistence.storageClass` | MariaDB primary persistent volume storage Class | `""` |
| `mariadb.primary.persistence.accessModes` | PVC Access Modes for Moodle&trade; volume | `["ReadWriteOnce"]` |
| `mariadb.primary.persistence.size` | Database Persistent Volume Size | `8Gi` |
| `mariadb.primary.persistence.hostPath` | Set path in case you want to use local host path volumes (not recommended in production) | `""` |
| `mariadb.primary.persistence.existingClaim` | Name of an existing `PersistentVolumeClaim` for MariaDB primary replicas | `""` |
| `externalDatabase.type` | Type of the existing database | `""` |
| `externalDatabase.host` | Host of the existing database | `""` |
| `externalDatabase.port` | Port of the existing database | `3306` |
| `externalDatabase.user` | Existing username in the external db | `bn_moodle` |
| `externalDatabase.password` | Password for the above username | `""` |
| `externalDatabase.database` | Name of the existing database | `bitnami_moodle` |
| `externalDatabase.existingSecret` | Name of an existing secret resource containing the DB password | `""` |
| Name | Description | Value |
| ------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- |
| `mariadb.enabled` | Whether to deploy a mariadb server to satisfy the applications database requirements | `true` |
| `mariadb.architecture` | MariaDB architecture (`standalone` or `replication`) | `standalone` |
| `mariadb.auth.rootPassword` | Password for the MariaDB `root` user | `""` |
| `mariadb.auth.database` | Database name to create | `bitnami_moodle` |
| `mariadb.auth.username` | Database user to create | `bn_moodle` |
| `mariadb.auth.password` | Password for the database | `""` |
| `mariadb.primary.persistence.enabled` | Enable database persistence using PVC | `true` |
| `mariadb.primary.persistence.storageClass` | MariaDB primary persistent volume storage Class | `""` |
| `mariadb.primary.persistence.accessModes` | PVC Access Modes for Moodle&trade; volume | `["ReadWriteOnce"]` |
| `mariadb.primary.persistence.size` | Database Persistent Volume Size | `8Gi` |
| `mariadb.primary.persistence.hostPath` | Set path in case you want to use local host path volumes (not recommended in production) | `""` |
| `mariadb.primary.persistence.existingClaim` | Name of an existing `PersistentVolumeClaim` for MariaDB primary replicas | `""` |
| `mariadb.primary.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). | `micro` |
| `mariadb.primary.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `externalDatabase.type` | Type of the existing database | `""` |
| `externalDatabase.host` | Host of the existing database | `""` |
| `externalDatabase.port` | Port of the existing database | `3306` |
| `externalDatabase.user` | Existing username in the external db | `bn_moodle` |
| `externalDatabase.password` | Password for the above username | `""` |
| `externalDatabase.database` | Name of the existing database | `bitnami_moodle` |
| `externalDatabase.existingSecret` | Name of an existing secret resource containing the DB password | `""` |
### Volume Permissions parameters
@@ -307,7 +311,7 @@ You may want to review the [PV reclaim policy](https://kubernetes.io/docs/tasks/
| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` |
| `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `none` |
| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `nano` |
| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
### Metrics parameters
@@ -329,7 +333,7 @@ You may want to review the [PV reclaim policy](https://kubernetes.io/docs/tasks/
| `metrics.service.annotations` | Annotations for Prometheus Exporter pods. Evaluated as a template. | `{}` |
| `metrics.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
| `metrics.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `none` |
| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `nano` |
| `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `metrics.podAnnotations` | Metrics exporter pod Annotation and Labels | `{}` |
@@ -357,23 +361,15 @@ You may want to review the [PV reclaim policy](https://kubernetes.io/docs/tasks/
### NetworkPolicy parameters
| Name | Description | Value |
| ------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------- | ------- |
| `networkPolicy.enabled` | Enable network policies | `false` |
| `networkPolicy.metrics.enabled` | Enable network policy for metrics (prometheus) | `false` |
| `networkPolicy.metrics.namespaceSelector` | Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. | `{}` |
| `networkPolicy.metrics.podSelector` | Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. | `{}` |
| `networkPolicy.ingress.enabled` | Enable network policy for Ingress Proxies | `false` |
| `networkPolicy.ingress.namespaceSelector` | Ingress Proxy namespace selector labels. These labels will be used to identify the Ingress Proxy's namespace. | `{}` |
| `networkPolicy.ingress.podSelector` | Ingress Proxy pods selector labels. These labels will be used to identify the Ingress Proxy pods. | `{}` |
| `networkPolicy.ingressRules.backendOnlyAccessibleByFrontend` | Enable ingress rule that makes the backend (mariadb) only accessible by Moodle's pods. | `false` |
| `networkPolicy.ingressRules.customBackendSelector` | Backend selector labels. These labels will be used to identify the backend pods. | `{}` |
| `networkPolicy.ingressRules.accessOnlyFrom.enabled` | Enable ingress rule that makes Moodle only accessible from a particular origin | `false` |
| `networkPolicy.ingressRules.accessOnlyFrom.namespaceSelector` | Namespace selector label that is allowed to access Moodle. This label will be used to identified the allowed namespace(s). | `{}` |
| `networkPolicy.ingressRules.accessOnlyFrom.podSelector` | Pods selector label that is allowed to access Moodle. This label will be used to identified the allowed pod(s). | `{}` |
| `networkPolicy.ingressRules.customRules` | Custom network policy ingress rule | `{}` |
| `networkPolicy.egressRules.denyConnectionsToExternal` | Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). | `false` |
| `networkPolicy.egressRules.customRules` | Custom network policy rule | `{}` |
| Name | Description | Value |
| --------------------------------------- | --------------------------------------------------------------- | ------ |
| `networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
| `networkPolicy.allowExternal` | Don't require server label for connections | `true` |
| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` |
| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
@@ -404,6 +400,18 @@ Find more information about how to deal with common errors related to Bitnami's
## Upgrading
### To 21.0.0
This major bump changes the following security defaults:
- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case).
- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`.
- The `networkPolicy` section has been normalized amongst all Bitnami charts. Compared to the previous approach, the values section has been simplified (check the Parameters section) and now it set to `enabled=true` by default. Egress traffic is allowed by default and ingress traffic is allowed by all pods but only to the ports set in `containerPorts` and `extraContainerPorts`.
This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones.
Also, this major release bumps the MariaDB chart version to [18.x.x](https://github.com/bitnami/charts/pull/24804); no major issues are expected during the upgrade.
### To 20.0.0
This major release bumps the MariaDB version to 11.2. No major issues are expected during the upgrade.

3
bitnami/moodle/templates/deployment.yaml
View File

@@ -238,6 +238,9 @@ spec:
containerPort: {{ .Values.containerPorts.http }}
- name: https
containerPort: {{ .Values.containerPorts.https }}
{{- if .Values.extraContainerPorts }}
{{- include "common.tplvalues.render" (dict "value" .Values.extraContainerPorts "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.customStartupProbe }}
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }}
{{- else if .Values.startupProbe.enabled }}

30
bitnami/moodle/templates/networkpolicy-backend-ingress.yaml
View File

@@ -1,30 +0,0 @@
{{- /*
Copyright VMware, Inc.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.networkPolicy.enabled .Values.networkPolicy.ingressRules.backendOnlyAccessibleByFrontend }}
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
kind: NetworkPolicy
metadata:
name: {{ printf "%s-backend" (include "common.names.fullname" .) }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
podSelector:
matchLabels:
{{- if .Values.networkPolicy.ingressRules.customBackendSelector }}
{{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.customBackendSelector "context" $) | nindent 6 }}
{{- else }}
app.kubernetes.io/name: mariadb
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
ingress:
- from:
- podSelector:
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }}
{{- end }}

35
bitnami/moodle/templates/networkpolicy-egress.yaml
View File

@@ -1,35 +0,0 @@
{{- /*
Copyright VMware, Inc.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.egressRules.denyConnectionsToExternal .Values.networkPolicy.egressRules.customRules) }}
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
kind: NetworkPolicy
metadata:
name: {{ printf "%s-egress" (include "common.names.fullname" .) }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
podSelector:
matchLabels:
app.kubernetes.io/instance: {{ .Release.Name }}
policyTypes:
- Egress
egress:
{{- if .Values.networkPolicy.egressRules.denyConnectionsToExternal }}
- ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP
- to:
- namespaceSelector: {}
{{- end }}
{{- if .Values.networkPolicy.egressRules.customRules }}
{{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.egressRules.customRules "context" $) | nindent 4 }}
{{- end }}
{{- end }}

63
bitnami/moodle/templates/networkpolicy-ingress.yaml
View File

@@ -1,63 +0,0 @@
{{- /*
Copyright VMware, Inc.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.ingress.enabled .Values.networkPolicy.metrics.enabled .Values.networkPolicy.ingressRules.accessOnlyFrom.enabled) }}
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
kind: NetworkPolicy
metadata:
name: {{ printf "%s-ingress" (include "common.names.fullname" .) }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
ingress:
{{- if and .Values.ingress.enabled .Values.networkPolicy.ingress.enabled (or .Values.networkPolicy.ingress.namespaceSelector .Values.networkPolicy.ingress.podSelector) }}
- from:
{{- if .Values.networkPolicy.ingress.namespaceSelector }}
- namespaceSelector:
matchLabels:
{{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingress.namespaceSelector "context" $) | nindent 14 }}
{{- end }}
{{- if .Values.networkPolicy.ingress.podSelector }}
- podSelector:
matchLabels:
{{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingress.podSelector "context" $) | nindent 14 }}
{{- end }}
{{- end }}
{{- if and .Values.metrics.enabled .Values.networkPolicy.metrics.enabled (or .Values.networkPolicy.metrics.namespaceSelector .Values.networkPolicy.metrics.podSelector) }}
- from:
{{- if .Values.networkPolicy.metrics.namespaceSelector }}
- namespaceSelector:
matchLabels:
{{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.namespaceSelector "context" $) | nindent 14 }}
{{- end }}
{{- if .Values.networkPolicy.metrics.podSelector }}
- podSelector:
matchLabels:
{{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.podSelector "context" $) | nindent 14 }}
{{- end }}
{{- end }}
{{- if and .Values.networkPolicy.ingressRules.accessOnlyFrom.enabled (or .Values.networkPolicy.ingressRules.accessOnlyFrom.namespaceSelector .Values.networkPolicy.ingressRules.accessOnlyFrom.podSelector) }}
- from:
{{- if .Values.networkPolicy.ingressRules.accessOnlyFrom.namespaceSelector }}
- namespaceSelector:
matchLabels:
{{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.accessOnlyFrom.namespaceSelector "context" $) | nindent 14 }}
{{- end }}
{{- if .Values.networkPolicy.ingressRules.accessOnlyFrom.podSelector }}
- podSelector:
matchLabels:
{{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.accessOnlyFrom.podSelector "context" $) | nindent 14 }}
{{- end }}
{{- end }}
{{- if .Values.networkPolicy.ingressRules.customRules }}
{{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.customRules "context" $) | nindent 4 }}
{{- end }}
{{- end }}

80
bitnami/moodle/templates/networkpolicy.yaml Normal file
View File

@@ -0,0 +1,80 @@
{{- /*
Copyright VMware, Inc.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.networkPolicy.enabled }}
kind: NetworkPolicy
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
metadata:
name: {{ template "common.names.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
policyTypes:
- Ingress
- Egress
{{- if .Values.networkPolicy.allowExternalEgress }}
egress:
- {}
{{- else }}
egress:
# Allow dns resolution
- ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP
# Allow outbound connections to MariaDB
- ports:
- port: {{ include "moodle.databasePort" . }}
{{- if .Values.mariadb.enabled }}
to:
- podSelector:
matchLabels:
app.kubernetes.io/name: mariadb
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{- if .Values.networkPolicy.extraEgress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
ingress:
- ports:
- port: {{ .Values.containerPorts.http }}
- port: {{ .Values.containerPorts.https }}
{{- range .Values.extraContainerPorts }}
- port: {{ .containerPort }}
{{- end }}
{{- if not .Values.networkPolicy.allowExternal }}
from:
- podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
- podSelector:
matchLabels:
{{ template "common.names.fullname" . }}-client: "true"
{{- if .Values.networkPolicy.ingressNSMatchLabels }}
- namespaceSelector:
matchLabels:
{{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- if .Values.networkPolicy.ingressNSPodMatchLabels }}
podSelector:
matchLabels:
{{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.networkPolicy.extraIngress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}

171
bitnami/moodle/values.yaml
View File

@@ -26,7 +26,7 @@ global:
openshift:
## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
##
adaptSecurityContext: disabled
adaptSecurityContext: auto
## @section Common parameters
## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set)
@@ -193,6 +193,13 @@ smtpProtocol: ""
containerPorts:
http: 8080
https: 8443
## @param extraContainerPorts Optionally specify extra list of additional ports for WordPress container(s)
## e.g:
## extraContainerPorts:
## - name: myservice
## containerPort: 9090
##
extraContainerPorts: []
## @param sessionAffinity Control where client requests go, to the same pod or round-robin
## Values: ClientIP or None
## ref: https://kubernetes.io/docs/concepts/services-networking/service/
@@ -296,7 +303,7 @@ nodeSelector: {}
## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "none"
resourcesPreset: "micro"
## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
@@ -327,6 +334,7 @@ podSecurityContext:
## @param containerSecurityContext.enabled Enabled containers' Security Context
## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param containerSecurityContext.privileged Set container's Security Context privileged
## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@@ -336,8 +344,9 @@ podSecurityContext:
##
containerSecurityContext:
enabled: true
seLinuxOptions: null
seLinuxOptions: {}
runAsUser: 1001
runAsGroup: 0
runAsNonRoot: true
privileged: false
readOnlyRootFilesystem: false
@@ -657,6 +666,27 @@ mariadb:
## @param mariadb.primary.persistence.existingClaim Name of an existing `PersistentVolumeClaim` for MariaDB primary replicas
##
existingClaim: ""
## MariaDB primary container's resource requests and limits
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
## We usually recommend not to specify default resources and to leave this as a conscious
## choice for the user. This also increases chances charts run on environments with little
## resources, such as Minikube. If you do want to specify resources, uncomment the following
## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
## @param mariadb.primary.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "micro"
## @param mariadb.primary.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
## requests:
## cpu: 2
## memory: 512Mi
## limits:
## cpu: 3
## memory: 1024Mi
##
resources: {}
## External database configuration
##
externalDatabase:
@@ -718,7 +748,7 @@ volumePermissions:
## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "none"
resourcesPreset: "nano"
## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
@@ -804,7 +834,7 @@ metrics:
## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "none"
resourcesPreset: "nano"
## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
@@ -890,93 +920,58 @@ certificates:
pullSecrets: []
## @section NetworkPolicy parameters
## Add networkpolicies
## Network Policy configuration
## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
##
networkPolicy:
## @param networkPolicy.enabled Enable network policies
## If ingress.enabled or metrics.enabled are true, configure networkPolicy.ingress and networkPolicy.metrics selectors respectively to allow communication
## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created
##
enabled: false
## @param networkPolicy.metrics.enabled Enable network policy for metrics (prometheus)
## @param networkPolicy.metrics.namespaceSelector Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace.
## @param networkPolicy.metrics.podSelector Monitoring pod selector labels. These labels will be used to identify the Prometheus pods.
enabled: true
## @param networkPolicy.allowExternal Don't require server label for connections
## The Policy model to apply. When set to false, only pods with the correct
## server label will have network access to the ports server is listening
## on. When true, server will accept connections from any source
## (with the correct destination port).
##
metrics:
enabled: false
## e.g:
## podSelector:
## label: monitoring
##
podSelector: {}
## e.g:
## namespaceSelector:
## label: monitoring
##
namespaceSelector: {}
## @param networkPolicy.ingress.enabled Enable network policy for Ingress Proxies
## @param networkPolicy.ingress.namespaceSelector Ingress Proxy namespace selector labels. These labels will be used to identify the Ingress Proxy's namespace.
## @param networkPolicy.ingress.podSelector Ingress Proxy pods selector labels. These labels will be used to identify the Ingress Proxy pods.
allowExternal: true
## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
##
ingress:
enabled: false
## e.g:
## podSelector:
## label: ingress
##
podSelector: {}
## e.g:
## namespaceSelector:
## label: ingress
##
namespaceSelector: {}
## @param networkPolicy.ingressRules.backendOnlyAccessibleByFrontend Enable ingress rule that makes the backend (mariadb) only accessible by Moodle's pods.
## @param networkPolicy.ingressRules.customBackendSelector Backend selector labels. These labels will be used to identify the backend pods.
## @param networkPolicy.ingressRules.accessOnlyFrom.enabled Enable ingress rule that makes Moodle only accessible from a particular origin
## @param networkPolicy.ingressRules.accessOnlyFrom.namespaceSelector Namespace selector label that is allowed to access Moodle. This label will be used to identified the allowed namespace(s).
## @param networkPolicy.ingressRules.accessOnlyFrom.podSelector Pods selector label that is allowed to access Moodle. This label will be used to identified the allowed pod(s).
## @param networkPolicy.ingressRules.customRules Custom network policy ingress rule
allowExternalEgress: true
## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice
## e.g:
## extraIngress:
## - ports:
## - port: 1234
## from:
## - podSelector:
## - matchLabels:
## - role: frontend
## - podSelector:
## - matchExpressions:
## - key: role
## operator: In
## values:
## - frontend
extraIngress: []
## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
## e.g:
## extraEgress:
## - ports:
## - port: 1234
## to:
## - podSelector:
## - matchLabels:
## - role: frontend
## - podSelector:
## - matchExpressions:
## - key: role
## operator: In
## values:
## - frontend
##
ingressRules:
## mariadb backend only can be accessed from Moodle
##
backendOnlyAccessibleByFrontend: false
customBackendSelector: {}
## Allow only from the indicated:
##
accessOnlyFrom:
enabled: false
## e.g:
## namespaceSelector:
## label: ingress
##
namespaceSelector: {}
## e.g:
## podSelector:
## label: access
##
podSelector: {}
## custom ingress rules
## e.g:
## customRules:
## - from:
## - namespaceSelector:
## matchLabels:
## label: example
##
customRules: {}
## @param networkPolicy.egressRules.denyConnectionsToExternal Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53).
## @param networkPolicy.egressRules.customRules Custom network policy rule
extraEgress: []
## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
##
egressRules:
## Deny connections to external. This is not compatible with an external database.
##
denyConnectionsToExternal: false
## Additional custom egress rules
## e.g:
## customRules:
## - to:
## - namespaceSelector:
## matchLabels:
## label: example
##
customRules: {}
ingressNSMatchLabels: {}
ingressNSPodMatchLabels: {}