From dbabc4be8ab3a55d76fab88dab356d43e3d59e19 Mon Sep 17 00:00:00 2001
From: Andreas Geissler <andreas-geissler@telekom.de>
Date: Fri, 2 Aug 2024 14:18:07 +0200
Subject: [COMMON] Synchronize common charts

- solve actual findings during tests with kyverno policies
- synchronize headers

Issue-ID: OOM-3288
Issue-ID: OOM-3296

Change-Id: Ia7e7daa8864069493e09dd6511825aa939c5eeaf
Signed-off-by: Andreas Geissler <andreas-geissler@telekom.de>
---
 kubernetes/common/mariadb-galera/Chart.yaml               | 10 +++++-----
 .../common/mariadb-galera/templates/statefulset.yaml      | 15 ++++++++++++++-
 kubernetes/common/mariadb-galera/values.yaml              | 13 +++++++++++++
 3 files changed, 32 insertions(+), 6 deletions(-)

(limited to 'kubernetes/common/mariadb-galera')

diff --git a/kubernetes/common/mariadb-galera/Chart.yaml b/kubernetes/common/mariadb-galera/Chart.yaml
index c5bb0aaf94..d97aa0ecea 100644
--- a/kubernetes/common/mariadb-galera/Chart.yaml
+++ b/kubernetes/common/mariadb-galera/Chart.yaml
@@ -18,7 +18,7 @@
 apiVersion: v2
 description: Chart for MariaDB Galera cluster
 name: mariadb-galera
-version: 13.2.0
+version: 13.2.1
 keywords:
   - mariadb
   - mysql
@@ -30,14 +30,14 @@ keywords:
 dependencies:
   - name: common
     version: ~13.x-0
-    repository: 'file://../common'
+    repository: '@local'
   - name: readinessCheck
     version: ~13.x-0
-    repository: 'file://../readinessCheck'
+    repository: '@local'
   - name: repositoryGenerator
     version: ~13.x-0
-    repository: 'file://../repositoryGenerator'
+    repository: '@local'
   - name: serviceAccount
     version: ~13.x-0
-    repository: 'file://../serviceAccount'
+    repository: '@local'
     condition: global.mariadbGalera.enableServiceAccount
\ No newline at end of file
diff --git a/kubernetes/common/mariadb-galera/templates/statefulset.yaml b/kubernetes/common/mariadb-galera/templates/statefulset.yaml
index f9b4de4b88..2b8951979d 100644
--- a/kubernetes/common/mariadb-galera/templates/statefulset.yaml
+++ b/kubernetes/common/mariadb-galera/templates/statefulset.yaml
@@ -55,7 +55,19 @@ spec:
           image: {{ include "repositoryGenerator.image.busybox" . }}
           imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
+              - CAP_NET_RAW
+              add:
+              - CHOWN
+              - SYS_CHROOT
+            runAsGroup: {{ .Values.securityContext.group_id }}
+            readOnlyRootFilesystem: false
             runAsUser: 0
+            seccompProfile:
+              type: RuntimeDefault
           volumeMounts:
             - name: previous-boot
               mountPath: /bootstrap
@@ -169,6 +181,7 @@ spec:
             successThreshold: {{ .Values.startupProbe.successThreshold }}
             failureThreshold: {{ .Values.startupProbe.failureThreshold }}
           {{- end }}
+          {{ include "common.securityContext" . | indent 10 | trim }}
           resources: {{ include "common.resources" . | nindent 12 }}
           volumeMounts:
             - name: previous-boot
@@ -218,7 +231,7 @@ spec:
             timeoutSeconds: {{ .Values.metrics.readinessProbe.timeoutSeconds }}
             successThreshold: {{ .Values.metrics.readinessProbe.successThreshold }}
             failureThreshold: {{ .Values.metrics.readinessProbe.failureThreshold }}
-          {{ include "common.containerSecurityContext" . | indent 10 | trim }}
+          securityContext: {{- toYaml .Values.metrics.securityContext | nindent 12 }}
           resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
         {{- end }}
       {{- include "common.imagePullSecrets" . | nindent 6 }}
diff --git a/kubernetes/common/mariadb-galera/values.yaml b/kubernetes/common/mariadb-galera/values.yaml
index 47264f971c..d8303dd5fd 100644
--- a/kubernetes/common/mariadb-galera/values.yaml
+++ b/kubernetes/common/mariadb-galera/values.yaml
@@ -659,6 +659,19 @@ metrics:
   ##   - --collect.binlog_size
   ##
   extraFlags: []
+  securityContext:
+    readOnlyRootFilesystem: true
+    privileged: false
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - ALL
+        - CAP_NET_RAW
+    runAsGroup: 10001
+    runAsNonRoot: true
+    runAsUser: 10001
+    seccompProfile:
+      type: RuntimeDefault
   ## MySQL Prometheus exporter containers' resource requests and limits
   ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
   ##
-- 
cgit 1.2.3-korg