author | Fiete Ostkamp <Fiete.Ostkamp@telekom.de> | 2024-04-30 13:08:03 +0200 |
---|---|---|
committer | Fiete Ostkamp <Fiete.Ostkamp@telekom.de> | 2024-05-06 10:12:26 +0200 |
commit | d2b2a3d446a92910fcf3be4c6a3b4254451f730c (patch) | |
tree | 097843313c5cd6b2f3d807377a615682bca90329 /kubernetes/common/mongodb/templates | |
parent | c64f1c0954e631709083499f6d1c80258c7809ee (diff) |
[COMMON] Fix Kyverno policy violations in common/mongodb
- set resource limits for emptyDir volumes
- use non-root group in mongo pods
- make pod filesystem read-only
- bump mongodb chart version from 14.12.2 to 14.12.3
- use new version in portal-ng, nbi, multicloud and dcae-tcagen2
Issue-ID: OOM-3293
Change-Id: Ife7445433337ac97a03f8cd22ad551e8745b9717
Signed-off-by: Fiete Ostkamp <Fiete.Ostkamp@telekom.de>
Diffstat (limited to 'kubernetes/common/mongodb/templates')
5 files changed, 32 insertions, 13 deletions
diff --git a/kubernetes/common/mongodb/templates/arbiter/statefulset.yaml b/kubernetes/common/mongodb/templates/arbiter/statefulset.yaml
index 269863f3ec..041b0cb51d 100644
--- a/kubernetes/common/mongodb/templates/arbiter/statefulset.yaml
+++ b/kubernetes/common/mongodb/templates/arbiter/statefulset.yaml
@@ -254,6 +254,9 @@ spec:
 - name: empty-dir
 mountPath: /opt/bitnami/mongodb/logs
 subPath: app-logs-dir
+ - name: empty-dir
+ mountPath: /bitnami/mongodb
+ subPath: app-volume-dir
 {{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap }}
 - name: config
 mountPath: /opt/bitnami/mongodb/conf/mongodb.conf
diff --git a/kubernetes/common/mongodb/templates/backup/cronjob.yaml b/kubernetes/common/mongodb/templates/backup/cronjob.yaml
index 79466e919e..2e884b14b9 100644
--- a/kubernetes/common/mongodb/templates/backup/cronjob.yaml
+++ b/kubernetes/common/mongodb/templates/backup/cronjob.yaml
@@ -166,14 +166,16 @@ spec:
 restartPolicy: {{ .Values.backup.cronjob.restartPolicy }}
 volumes:
 - name: empty-dir
- emptyDir: {}
+ emptyDir:
+ sizeLimit: 64Mi
 - name: common-scripts
 configMap:
 name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }}
 defaultMode: 0550
 {{- if .Values.tls.enabled }}
 - name: certs
- emptyDir: {}
+ emptyDir:
+ sizeLimit: 64Mi
 {{- if (include "mongodb.autoGenerateCerts" .) }}
 - name: certs-volume
 secret:
diff --git a/kubernetes/common/mongodb/templates/hidden/statefulset.yaml b/kubernetes/common/mongodb/templates/hidden/statefulset.yaml
index 5b2a807d84..08a55ebd06 100644
--- a/kubernetes/common/mongodb/templates/hidden/statefulset.yaml
+++ b/kubernetes/common/mongodb/templates/hidden/statefulset.yaml
@@ -514,7 +514,8 @@ spec:
 {{- end }}
 volumes:
 - name: empty-dir
- emptyDir: {}
+ emptyDir:
+ sizeLimit: 64Mi
 - name: common-scripts
 configMap:
 name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }}
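Review bot: The arbiter hunk mounts `/bitnami/mongodb` from the shared `empty-dir` volume, but the diffstat shows arbiter/statefulset.yaml receiving only these three insertions, so the `empty-dir` volume definition in that file is not given a `sizeLimit` by this commit. If it is declared as `emptyDir: {}` like the sibling templates on this page, the Kyverno violation the commit sets out to fix would remain for the arbiter pod, and a `sizeLimit: 64Mi` entry matching the other statefulsets would close that gap. The arbiter's volumes block is not visible here, so this should be confirmed against the file. The enclosing container spec starts and ends outside the hunk.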
@@ -531,7 +532,8 @@ spec:
 {{- end }}
 {{- if and .Values.externalAccess.hidden.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.hidden.service.type "LoadBalancer") }}
 - name: shared
- emptyDir: {}
+ emptyDir:
+ sizeLimit: 64Mi
 {{- end }}
 - name: scripts
 configMap:
@@ -542,7 +544,8 @@ spec:
 {{- end }}
 {{- if .Values.tls.enabled }}
 - name: certs
- emptyDir: {}
+ emptyDir:
+ sizeLimit: 64Mi
 {{- if (include "mongodb.autoGenerateCerts" .) }}
 - name: certs-volume
 secret:
@@ -568,8 +571,10 @@ spec:
 {{- if .Values.hidden.persistence.medium }}
 emptyDir:
 medium: {{ .Values.hidden.persistence.medium | quote }}
+ sizeLimit: 64Mi
 {{- else }}
- emptyDir: {}
+ emptyDir:
+ sizeLimit: 64Mi
 {{- end }}
 {{- else }}
 volumeClaimTemplates:
diff --git a/kubernetes/common/mongodb/templates/replicaset/statefulset.yaml b/kubernetes/common/mongodb/templates/replicaset/statefulset.yaml
index 55158e8fb0..b171eca005 100644
--- a/kubernetes/common/mongodb/templates/replicaset/statefulset.yaml
+++ b/kubernetes/common/mongodb/templates/replicaset/statefulset.yaml
@@ -512,7 +512,8 @@ spec:
 {{- end }}
 volumes:
 - name: empty-dir
- emptyDir: {}
+ emptyDir:
+ sizeLimit: 64Mi
 - name: common-scripts
 configMap:
 name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }}
@@ -529,7 +530,8 @@ spec:
 {{- end }}
 {{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.service.type "LoadBalancer") }}
 - name: shared
- emptyDir: {}
+ emptyDir:
+ sizeLimit: 64Mi
 {{- end }}
 - name: scripts
 configMap:
@@ -540,7 +542,8 @@ spec:
 {{- end }}
 {{- if .Values.tls.enabled }}
 - name: certs
- emptyDir: {}
+ emptyDir:
+ sizeLimit: 64Mi
 {{- if (include "mongodb.autoGenerateCerts" .) }}
 - name: certs-volume
 secret:
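Review bot: In the `@@ -568,8 +571,10 @@` hunk the 64Mi `sizeLimit` is applied to the data-directory emptyDir that is used when hidden-node persistence is disabled, not only to the scratch and certs volumes; the replicaset `@@ -566` and standalone `@@ -481` hunks on the next line do the same for their data volumes. Once the database files exceed the limit the kubelet evicts the pod, so every non-persistent deployment of these templates now carries a hard 64Mi data cap that is not mentioned in the commit message. Consider taking this value from the persistence values (a new entry under `.Values.hidden.persistence` / `.Values.persistence`, name to be chosen) with 64Mi only as the default, and document the cap in values.yaml. The literal `64Mi` is also repeated for every volume across the five templates; a single named value would make it easier to tune per component. The enclosing volumes block starts and ends outside each hunk.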
@@ -566,8 +569,10 @@ spec:
 {{- if .Values.persistence.medium }}
 emptyDir:
 medium: {{ .Values.persistence.medium | quote }}
+ sizeLimit: 64Mi
 {{- else }}
- emptyDir: {}
+ emptyDir:
+ sizeLimit: 64Mi
 {{- end }}
 {{- else }}
 {{- if .Values.persistentVolumeClaimRetentionPolicy.enabled }}
diff --git a/kubernetes/common/mongodb/templates/standalone/dep-sts.yaml b/kubernetes/common/mongodb/templates/standalone/dep-sts.yaml
index 29dd406bca..6f63f0be5b 100644
--- a/kubernetes/common/mongodb/templates/standalone/dep-sts.yaml
+++ b/kubernetes/common/mongodb/templates/standalone/dep-sts.yaml
@@ -437,7 +437,8 @@ spec:
 {{- end }}
 volumes:
 - name: empty-dir
- emptyDir: {}
+ emptyDir:
+ sizeLimit: 64Mi
 - name: common-scripts
 configMap:
 name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }}
@@ -457,7 +458,8 @@ spec:
 {{- end }}
 {{- if .Values.tls.enabled }}
 - name: certs
- emptyDir: {}
+ emptyDir:
+ sizeLimit: 64Mi
 {{- if (include "mongodb.autoGenerateCerts" .) }}
 - name: certs-volume
 secret:
@@ -481,8 +483,10 @@ spec:
 {{- if .Values.persistence.medium }}
 emptyDir:
 medium: {{ .Values.persistence.medium | quote }}
+ sizeLimit: 64Mi
 {{- else }}
- emptyDir: {}
+ emptyDir:
+ sizeLimit: 64Mi
 {{- end }}
 {{- else if .Values.persistence.existingClaim }}
 - name: {{ .Values.persistence.name | default "datadir" }} |