From d2b2a3d446a92910fcf3be4c6a3b4254451f730c Mon Sep 17 00:00:00 2001 From: Fiete Ostkamp Date: Tue, 30 Apr 2024 13:08:03 +0200 Subject: [COMMON] Fix Kyverno policy violations in common/mongodb - set resourceLimit's for emptyDir volumes - use non-root group in mongo pods - make pod filesystem read-only - bump mongodb chart version from 14.12.2 to 14.12.3 - use new version in portal-ng, nbi, multicloud and dcae-tcagen2 Issue-ID: OOM-3293 Change-Id: Ife7445433337ac97a03f8cd22ad551e8745b9717 Signed-off-by: Fiete Ostkamp --- kubernetes/common/mongodb/templates/standalone/dep-sts.yaml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'kubernetes/common/mongodb/templates/standalone/dep-sts.yaml') diff --git a/kubernetes/common/mongodb/templates/standalone/dep-sts.yaml b/kubernetes/common/mongodb/templates/standalone/dep-sts.yaml index 29dd406bca..6f63f0be5b 100644 --- a/kubernetes/common/mongodb/templates/standalone/dep-sts.yaml +++ b/kubernetes/common/mongodb/templates/standalone/dep-sts.yaml @@ -437,7 +437,8 @@ spec: {{- end }} volumes: - name: empty-dir - emptyDir: {} + emptyDir: + sizeLimit: 64Mi - name: common-scripts configMap: name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} @@ -457,7 +458,8 @@ spec: {{- end }} {{- if .Values.tls.enabled }} - name: certs - emptyDir: {} + emptyDir: + sizeLimit: 64Mi {{- if (include "mongodb.autoGenerateCerts" .) }} - name: certs-volume secret: @@ -481,8 +483,10 @@ spec: {{- if .Values.persistence.medium }} emptyDir: medium: {{ .Values.persistence.medium | quote }} + sizeLimit: 64Mi {{- else }} - emptyDir: {} + emptyDir: + sizeLimit: 64Mi {{- end }} {{- else if .Values.persistence.existingClaim }} - name: {{ .Values.persistence.name | default "datadir" }} -- cgit 1.2.3-korg
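Review bot: The `sizeLimit: 64Mi` on the `empty-dir` volume is a hard-coded literal, and the same literal is repeated for the `certs` volume and twice for the data-directory emptyDir in the later hunks of this file, so operators cannot tune it without editing the template. Because the kubelet evicts a pod whose emptyDir usage exceeds its sizeLimit, a fixed cap turns any unexpected growth in whatever is mounted from this volume (the mounts are outside the hunk) into a pod eviction. Consider reading the value from the chart's values with the current number as the default, e.g. `sizeLimit: {{ .Values.<emptyDirSizeLimitKey> | default "64Mi" }}` (the key name is a placeholder), and adding a short comment naming the Kyverno rule the limit satisfies.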
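Review bot: The two `sizeLimit: 64Mi` lines in the `persistence.medium` and `else` branches appear to cap the MongoDB data directory itself when no persistent volume is used; the enclosing `if` and the volume's `name:` line are outside the hunk, so this is inferred from the `else if .Values.persistence.existingClaim` branch that follows. A database data directory with journal files is likely to grow past 64Mi under even light use, at which point the kubelet evicts the pod and the emptyDir contents are lost; with a memory-backed `medium` the usage also counts against the container's memory limit. The limit here should be sized for data rather than reuse the scratch-volume value, for example `sizeLimit: {{ .Values.persistence.size | quote }}` if the chart's values define that key.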