Diffstat (limited to 'kubernetes')
24 files changed, 97 insertions, 38 deletions
diff --git a/kubernetes/common/common/Chart.yaml b/kubernetes/common/common/Chart.yaml index 10894bd006..986b96fa13 100644 --- a/kubernetes/common/common/Chart.yaml +++ b/kubernetes/common/common/Chart.yaml @@ -17,4 +17,4 @@ apiVersion: v2 description: Common templates for inclusion in other charts name: common -version: 13.2.3 +version: 13.2.4 diff --git a/kubernetes/common/common/templates/_serviceMesh.tpl b/kubernetes/common/common/templates/_serviceMesh.tpl index 505d80560d..638db8cab1 100644 --- a/kubernetes/common/common/templates/_serviceMesh.tpl +++ b/kubernetes/common/common/templates/_serviceMesh.tpl @@ -78,7 +78,16 @@ exit "$RCODE" fieldRef: apiVersion: v1 fieldPath: metadata.namespace - {{ include "common.containerSecurityContext" . | indent 2 | trim }} + securityContext: + capabilities: + drop: + - ALL + - CAP_NET_RAW + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsUser: 100 + runAsGroup: 65533 resources: limits: cpu: 100m diff --git a/kubernetes/common/elasticsearch/Chart.yaml b/kubernetes/common/elasticsearch/Chart.yaml index 6949da7962..48de2c0502 100644 --- a/kubernetes/common/elasticsearch/Chart.yaml +++ b/kubernetes/common/elasticsearch/Chart.yaml @@ -23,10 +23,10 @@ version: 13.0.0 dependencies: - name: common version: ~13.x-0 - repository: 'file://../common' + repository: '@local' - name: repositoryGenerator version: ~13.x-0 - repository: 'file://../repositoryGenerator' + repository: '@local' - name: master version: ~13.x-0 repository: 'file://components/master' diff --git a/kubernetes/common/elasticsearch/components/curator/Chart.yaml b/kubernetes/common/elasticsearch/components/curator/Chart.yaml index 390228b6ae..baceb1dadc 100644 --- a/kubernetes/common/elasticsearch/components/curator/Chart.yaml +++ b/kubernetes/common/elasticsearch/components/curator/Chart.yaml 
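Review bot: The hard-coded securityContext that replaces the `common.containerSecurityContext` include in _serviceMesh.tpl sets neither `runAsNonRoot: true` nor a `seccompProfile`, while the metrics securityContext this same commit adds to mariadb-galera's values.yaml has both; since `runAsUser: 100` is already non-root, adding `runAsNonRoot: true` and `seccompProfile:` / `  type: RuntimeDefault` would bring the block up to the restricted Pod Security Standard like the rest of the commit. `CAP_NET_RAW` under `drop` is redundant once `ALL` is dropped and can be removed. The uid 100 and gid 65533 are fixed in a shared template, whereas the other containers touched by this commit take them from `.Values.securityContext`; if the sidecar image genuinely requires these ids, a comment above the block stating why they are not configurable would stop someone from "fixing" it later. The container definition continues past the hunk (the `resources:` limits follow).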
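Review bot: With `repository: '@local'` and the `~13.x-0` constraint, `helm dependency build` now takes whichever 13.x build of `common` and `repositoryGenerator` the local repository index serves, rather than the in-tree directory that the `file://` path pinned; in this elasticsearch/Chart.yaml hunk the `master` sub-chart still uses `file://components/master`, so both resolution modes now coexist in one file. Because the commit also bumps the in-tree common chart to 13.2.4, the packaging flow must republish common into `@local` before dependent charts are built, or they will silently vendor the previously published version. A one-line comment above `dependencies:` such as `# '@local' is the chart repository alias populated before dependent charts are built; file:// is kept only for in-chart components` would document the intent. The same observation applies to the other Chart.yaml hunks in this commit (curator, data, master, etcd, logConfiguration, mariadb-galera, mariadb-init, postgres-init, postgres, readinessCheck, serviceAccount, timescaledb).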
@@ -23,7 +23,7 @@ version: 13.0.0 dependencies: - name: common version: ~13.x-0 - repository: 'file://../../../common' + repository: '@local' - name: repositoryGenerator version: ~13.x-0 - repository: 'file://../../../repositoryGenerator' + repository: '@local' diff --git a/kubernetes/common/elasticsearch/components/data/Chart.yaml b/kubernetes/common/elasticsearch/components/data/Chart.yaml index d49a21085b..30c925aba7 100644 --- a/kubernetes/common/elasticsearch/components/data/Chart.yaml +++ b/kubernetes/common/elasticsearch/components/data/Chart.yaml @@ -23,7 +23,7 @@ version: 13.0.0 dependencies: - name: common version: ~13.x-0 - repository: 'file://../../../common' + repository: '@local' - name: repositoryGenerator version: ~13.x-0 - repository: 'file://../../../repositoryGenerator' + repository: '@local' diff --git a/kubernetes/common/elasticsearch/components/master/Chart.yaml b/kubernetes/common/elasticsearch/components/master/Chart.yaml index 73d59075e3..e481c7cd4b 100644 --- a/kubernetes/common/elasticsearch/components/master/Chart.yaml +++ b/kubernetes/common/elasticsearch/components/master/Chart.yaml @@ -22,7 +22,7 @@ version: 13.0.0 dependencies: - name: common version: ~13.x-0 - repository: 'file://../../../common' + repository: '@local' - name: repositoryGenerator version: ~13.x-0 - repository: 'file://../../../repositoryGenerator' + repository: '@local' diff --git a/kubernetes/common/etcd/Chart.yaml b/kubernetes/common/etcd/Chart.yaml index 02fc2c0603..465364b3da 100644 --- a/kubernetes/common/etcd/Chart.yaml +++ b/kubernetes/common/etcd/Chart.yaml @@ -28,7 +28,7 @@ sources: dependencies: - name: common version: ~13.x-0 - repository: 'file://../common' + repository: '@local' - name: repositoryGenerator version: ~13.x-0 - repository: 'file://../repositoryGenerator' + repository: '@local' diff --git a/kubernetes/common/logConfiguration/Chart.yaml b/kubernetes/common/logConfiguration/Chart.yaml index a5790a4d62..7908bfa405 100644 
--- a/kubernetes/common/logConfiguration/Chart.yaml +++ b/kubernetes/common/logConfiguration/Chart.yaml @@ -22,4 +22,4 @@ version: 13.0.0 dependencies: - name: common version: ~13.x-0 - repository: 'file://../common' + repository: '@local' diff --git a/kubernetes/common/mariadb-galera/Chart.yaml b/kubernetes/common/mariadb-galera/Chart.yaml index c5bb0aaf94..d97aa0ecea 100644 --- a/kubernetes/common/mariadb-galera/Chart.yaml +++ b/kubernetes/common/mariadb-galera/Chart.yaml @@ -18,7 +18,7 @@ apiVersion: v2 description: Chart for MariaDB Galera cluster name: mariadb-galera -version: 13.2.0 +version: 13.2.1 keywords: - mariadb - mysql @@ -30,14 +30,14 @@ keywords: dependencies: - name: common version: ~13.x-0 - repository: 'file://../common' + repository: '@local' - name: readinessCheck version: ~13.x-0 - repository: 'file://../readinessCheck' + repository: '@local' - name: repositoryGenerator version: ~13.x-0 - repository: 'file://../repositoryGenerator' + repository: '@local' - name: serviceAccount version: ~13.x-0 - repository: 'file://../serviceAccount' + repository: '@local' condition: global.mariadbGalera.enableServiceAccount
\ No newline at end of file diff --git a/kubernetes/common/mariadb-galera/templates/statefulset.yaml b/kubernetes/common/mariadb-galera/templates/statefulset.yaml index f9b4de4b88..2b8951979d 100644 --- a/kubernetes/common/mariadb-galera/templates/statefulset.yaml +++ b/kubernetes/common/mariadb-galera/templates/statefulset.yaml @@ -55,7 +55,19 @@ spec: image: {{ include "repositoryGenerator.image.busybox" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + add: + - CHOWN + - SYS_CHROOT + runAsGroup: {{ .Values.securityContext.group_id }} + readOnlyRootFilesystem: false runAsUser: 0 + seccompProfile: + type: RuntimeDefault volumeMounts: - name: previous-boot mountPath: /bootstrap @@ -169,6 +181,7 @@ spec: successThreshold: {{ .Values.startupProbe.successThreshold }} failureThreshold: {{ .Values.startupProbe.failureThreshold }} {{- end }} + {{ include "common.securityContext" . | indent 10 | trim }} resources: {{ include "common.resources" . | nindent 12 }} volumeMounts: - name: previous-boot @@ -218,7 +231,7 @@ spec: timeoutSeconds: {{ .Values.metrics.readinessProbe.timeoutSeconds }} successThreshold: {{ .Values.metrics.readinessProbe.successThreshold }} failureThreshold: {{ .Values.metrics.readinessProbe.failureThreshold }} - {{ include "common.containerSecurityContext" . | indent 10 | trim }} + securityContext: {{- toYaml .Values.metrics.securityContext | nindent 12 }} resources: {{- toYaml .Values.metrics.resources | nindent 12 }} {{- end }} {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/common/mariadb-galera/values.yaml b/kubernetes/common/mariadb-galera/values.yaml index 47264f971c..d8303dd5fd 100644 --- a/kubernetes/common/mariadb-galera/values.yaml +++ b/kubernetes/common/mariadb-galera/values.yaml 
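Review bot: Nothing in the -55 hunk of mariadb-galera's statefulset shows why the busybox init container needs `SYS_CHROOT` in its capability `add` list; its command is outside the hunk, so if chroot is not used the capability should be removed, and if it is, it deserves a comment such as `# SYS_CHROOT: <reason> — TODO confirm`. `CAP_NET_RAW` under `drop` is already covered by `ALL`. Pairing `runAsUser: 0` with `runAsGroup: {{ .Values.securityContext.group_id }}` runs the container as root with a non-root primary group, which is workable for a chown but looks accidental without a comment. The init container definition starts and ends outside the hunk.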
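Review bot: The include added after the startupProbe block in the -169 hunk calls `common.securityContext`, while every other hunk in this commit uses `common.containerSecurityContext` (postgres-init job.yaml) or `common.podSecurityContext` (timescaledb statefulset); if `common.securityContext` is not a defined template in the common chart, `helm template` fails with a missing-template error, and if it is an older helper, the difference between the two names should be documented where it is chosen. Please confirm the helper name or switch the line to `{{ include "common.containerSecurityContext" . | indent 10 | trim }}`. The enclosing container definition starts and ends outside the hunk.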
@@ -659,6 +659,19 @@ metrics: ## - --collect.binlog_size ## extraFlags: [] + securityContext: + readOnlyRootFilesystem: true + privileged: false + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + runAsGroup: 10001 + runAsNonRoot: true + runAsUser: 10001 + seccompProfile: + type: RuntimeDefault ## MySQL Prometheus exporter containers' resource requests and limits ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ ## diff --git a/kubernetes/common/mariadb-init/Chart.yaml b/kubernetes/common/mariadb-init/Chart.yaml index 0ac3750bb1..d1844916e0 100644 --- a/kubernetes/common/mariadb-init/Chart.yaml +++ b/kubernetes/common/mariadb-init/Chart.yaml @@ -23,10 +23,10 @@ version: 13.0.2 dependencies: - name: common version: ~13.x-0 - repository: 'file://../common' + repository: '@local' - name: repositoryGenerator version: ~13.x-0 - repository: 'file://../repositoryGenerator' + repository: '@local' - name: serviceAccount version: ~13.x-0 repository: '@local' diff --git a/kubernetes/common/mongodb/templates/backup/cronjob.yaml b/kubernetes/common/mongodb/templates/backup/cronjob.yaml index 44c297accd..b1d0b589a9 100644 --- a/kubernetes/common/mongodb/templates/backup/cronjob.yaml +++ b/kubernetes/common/mongodb/templates/backup/cronjob.yaml @@ -167,7 +167,7 @@ spec: volumes: - name: empty-dir emptyDir: - sizeLimit: {{ .Values.arbiter.emptyDir.sizeLimit }} + sizeLimit: {{ .Values.backup.emptyDir.sizeLimit }} - name: common-scripts configMap: name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} diff --git a/kubernetes/common/mongodb/templates/hidden/statefulset.yaml b/kubernetes/common/mongodb/templates/hidden/statefulset.yaml index a64002a30a..493c2b2cfe 100644 --- a/kubernetes/common/mongodb/templates/hidden/statefulset.yaml +++ b/kubernetes/common/mongodb/templates/hidden/statefulset.yaml 
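Review bot: `sizeLimit: {{ .Values.backup.emptyDir.sizeLimit }}` in mongodb's backup/cronjob.yaml reads a values path that this commit does not add — mongodb's values.yaml is not among the 24 files in the diffstat — so the render depends on `backup.emptyDir.sizeLimit` already existing; if only the leaf is missing the line renders as a bare `sizeLimit:` (null, i.e. no limit on the emptyDir), and if `backup.emptyDir` itself is absent the render fails with a nil-pointer error. Either confirm the keys exist for all four variants or guard the line, e.g. `{{- with .Values.backup.emptyDir.sizeLimit }}` / `sizeLimit: {{ . }}` / `{{- end }}`. The same applies to the hidden, replicaset and standalone hunks, which switch to `.Values.hidden`, `.Values.replicaSet` and `.Values.standalone` respectively.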
@@ -515,7 +515,7 @@ spec: volumes: - name: empty-dir emptyDir: - sizeLimit: {{ .Values.arbiter.emptyDir.sizeLimit }} + sizeLimit: {{ .Values.hidden.emptyDir.sizeLimit }} - name: common-scripts configMap: name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} diff --git a/kubernetes/common/mongodb/templates/replicaset/statefulset.yaml b/kubernetes/common/mongodb/templates/replicaset/statefulset.yaml index 089119c970..7de00e7925 100644 --- a/kubernetes/common/mongodb/templates/replicaset/statefulset.yaml +++ b/kubernetes/common/mongodb/templates/replicaset/statefulset.yaml @@ -513,7 +513,7 @@ spec: volumes: - name: empty-dir emptyDir: - sizeLimit: {{ .Values.arbiter.emptyDir.sizeLimit }} + sizeLimit: {{ .Values.replicaSet.emptyDir.sizeLimit }} - name: common-scripts configMap: name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} diff --git a/kubernetes/common/mongodb/templates/standalone/dep-sts.yaml b/kubernetes/common/mongodb/templates/standalone/dep-sts.yaml index 619533d8d0..817698beed 100644 --- a/kubernetes/common/mongodb/templates/standalone/dep-sts.yaml +++ b/kubernetes/common/mongodb/templates/standalone/dep-sts.yaml @@ -438,7 +438,7 @@ spec: volumes: - name: empty-dir emptyDir: - sizeLimit: {{ .Values.arbiter.emptyDir.sizeLimit }} + sizeLimit: {{ .Values.standalone.emptyDir.sizeLimit }} - name: common-scripts configMap: name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} diff --git a/kubernetes/common/postgres-init/Chart.yaml b/kubernetes/common/postgres-init/Chart.yaml index 342854c71a..4951ed6359 100644 --- a/kubernetes/common/postgres-init/Chart.yaml +++ b/kubernetes/common/postgres-init/Chart.yaml @@ -1,5 +1,6 @@ # Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -16,16 +17,16 @@ apiVersion: v2 description: Chart for Postgres init job name: postgres-init -version: 13.0.2 +version: 13.0.3 dependencies: - name: common version: ~13.x-0 - repository: 'file://../common' + repository: '@local' - name: repositoryGenerator version: ~13.x-0 - repository: 'file://../repositoryGenerator' + repository: '@local' - name: readinessCheck version: ~13.x-0 repository: '@local' diff --git a/kubernetes/common/postgres-init/templates/job.yaml b/kubernetes/common/postgres-init/templates/job.yaml index cc7d410eb2..a2f7e12274 100644 --- a/kubernetes/common/postgres-init/templates/job.yaml +++ b/kubernetes/common/postgres-init/templates/job.yaml @@ -39,6 +39,7 @@ spec: release: {{ include "common.release" . }} name: {{ include "common.name" . }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: {{ include "common.readinessCheck.waitFor" . | nindent 6 }} containers: - command: @@ -82,6 +83,7 @@ spec: - mountPath: /config name: pgconf resources: {{ include "common.resources" . | nindent 10 }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} {{ include "common.waitForJobContainer" . | indent 6 | trim }} {{- if .Values.nodeSelector }} nodeSelector: @@ -98,6 +100,7 @@ spec: name: {{ include "common.fullname" . }} - name: pgconf emptyDir: + sizeLimit: 64Mi medium: Memory restartPolicy: Never {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/common/postgres-init/values.yaml b/kubernetes/common/postgres-init/values.yaml index cede7e0976..99be8354be 100644 --- a/kubernetes/common/postgres-init/values.yaml +++ b/kubernetes/common/postgres-init/values.yaml @@ -97,6 +97,10 @@ serviceAccount: roles: - read +securityContext: + user_id: 26 + group_id: 26 + readinessCheck: wait_for: services: diff --git a/kubernetes/common/postgres/Chart.yaml b/kubernetes/common/postgres/Chart.yaml index d1fb768cc5..562b69fd0e 100644 --- a/kubernetes/common/postgres/Chart.yaml 
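Review bot: In postgres-init job.yaml the `{{ include "common.podSecurityContext" . | indent 6 | trim }}` placed directly under the pod `spec:` is only useful if that helper reads the `securityContext.user_id`/`group_id` values this commit adds to values.yaml; that relationship is not visible in the diff and should be confirmed. The `sizeLimit: 64Mi` added to the memory-backed `pgconf` emptyDir is a literal, whereas the mongodb hunks in this commit take their emptyDir limit from values; a values key with `| default "64Mi"` would keep the charts consistent. Because the volume has `medium: Memory`, the tmpfs usage counts against the container's memory limit, which is worth a comment next to the line, e.g. `# memory-backed: usage counts against the container memory limit`. The `common.containerSecurityContext` include added after `resources:` continues the container definition that starts outside the hunk.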
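Review bot: The new `securityContext:` block in postgres-init values.yaml (`user_id: 26`, `group_id: 26`) carries no explanation of the numbers; they presumably match the uid/gid of the postgres user inside the image the job runs, so a comment such as `# uid/gid of the postgres user in the job image; keep in sync when the image changes` would stop one from being changed without the other. The snake_case keys match `.Values.securityContext.user_id` as consumed by the timescaledb hunk in this commit, so the naming is consistent.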
+++ b/kubernetes/common/postgres/Chart.yaml @@ -22,7 +22,7 @@ version: 13.1.0 dependencies: - name: common version: ~13.x-0 - repository: 'file://../common' + repository: '@local' - name: repositoryGenerator version: ~13.x-0 - repository: 'file://../repositoryGenerator' + repository: '@local' diff --git a/kubernetes/common/readinessCheck/Chart.yaml b/kubernetes/common/readinessCheck/Chart.yaml index bd8adbfcea..c9134177c2 100644 --- a/kubernetes/common/readinessCheck/Chart.yaml +++ b/kubernetes/common/readinessCheck/Chart.yaml @@ -22,7 +22,7 @@ version: 13.1.1 dependencies: - name: common version: ~13.x-0 - repository: 'file://../common' + repository: '@local' - name: repositoryGenerator version: ~13.x-0 - repository: 'file://../repositoryGenerator' + repository: '@local' diff --git a/kubernetes/common/serviceAccount/Chart.yaml b/kubernetes/common/serviceAccount/Chart.yaml index 4e3eab3712..b691c40903 100644 --- a/kubernetes/common/serviceAccount/Chart.yaml +++ b/kubernetes/common/serviceAccount/Chart.yaml @@ -23,4 +23,4 @@ version: 13.0.1 dependencies: - name: common version: ~13.x-0 - repository: 'file://../common' + repository: '@local' diff --git a/kubernetes/common/timescaledb/Chart.yaml b/kubernetes/common/timescaledb/Chart.yaml index dd92121eb8..b0569eb662 100644 --- a/kubernetes/common/timescaledb/Chart.yaml +++ b/kubernetes/common/timescaledb/Chart.yaml @@ -33,4 +33,4 @@ dependencies: repository: '@local' - name: repositoryGenerator version: ~13.x-0 - repository: 'file://../repositoryGenerator' + repository: '@local' diff --git a/kubernetes/common/timescaledb/templates/statefulset.yaml b/kubernetes/common/timescaledb/templates/statefulset.yaml index bee389f191..1d161f3945 100644 --- a/kubernetes/common/timescaledb/templates/statefulset.yaml +++ b/kubernetes/common/timescaledb/templates/statefulset.yaml 
@@ -30,6 +30,22 @@ spec: spec: serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . ) }} {{ include "common.podSecurityContext" . | indent 10 | trim}} + initContainers: + # we shouldn't need this but for unknown reason, it's fsGroup is not + # applied + - name: fix-permission + command: + - /bin/sh + args: + - -c + - chown -R {{ .Values.securityContext.user_id }}:{{ .Values.securityContext.group_id }} /var/lib/postgresql/data + image: {{ include "repositoryGenerator.image.busybox" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + securityContext: + runAsUser: 0 + volumeMounts: + - mountPath: /var/lib/postgresql/data + name: {{ include "common.fullname" . }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} @@ -78,9 +94,9 @@ spec: {{- end }} {{- with .Values.tolerations }} tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - {{if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} volumeClaimTemplates: - {{ include "common.PVCTemplate" (dict "dot" . "suffix" "data" "persistenceInfos" .Values.persistence "ignoreHelmChart" true) | indent 6 | trim }} -{{- end }} + {{- end }} |
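Review bot: The new `fix-permission` init container in timescaledb's statefulset runs with `runAsUser: 0` and nothing else in its securityContext, so it keeps the full default capability set and no seccomp profile, whereas the equivalent root init container this commit hardens in mariadb-galera's statefulset drops ALL, adds only what the chown needs, and sets `allowPrivilegeEscalation: false` and `seccompProfile: RuntimeDefault`; the same shape belongs here. A recursive chown over `/var/lib/postgresql/data` needs `CHOWN`, and to descend into directories that are not readable by root once the tree is owned by another uid it may additionally need `DAC_READ_SEARCH` — verify on a cluster before relying on the reduced set. `chown -R` also rescans the whole data volume on every pod start, which grows with the database; skipping it when the top-level owner already matches (a `stat -c %u` check before the chown) would be a cheap heuristic. The comment `it's fsGroup is not applied` should read `its fsGroup is not applied`, and naming the suspected cause (volume type or fsGroupChangePolicy) would help whoever eventually removes this workaround.
```yaml
      - name: fix-permission
        # … unchanged: command, args, image, imagePullPolicy …
        securityContext:
          runAsUser: 0
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
            add:
              - CHOWN
              - DAC_READ_SEARCH
          seccompProfile:
            type: RuntimeDefault
        # … unchanged: volumeMounts …
```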