Commit

fix: pod-level security context for datashield and blaze (#432)
* fix: pod-level security context for datashield and blaze

* docs update
chgl authored Dec 18, 2024
1 parent 728df2f commit 75a0fa9
Showing 6 changed files with 14 additions and 12 deletions.
4 changes: 2 additions & 2 deletions charts/blaze/Chart.yaml
Expand Up @@ -16,7 +16,7 @@ dependencies:
version: 2.28.0
deprecated: false
kubeVersion: ">= 1.19.0"
version: 0.5.39
version: 0.5.40
appVersion: "0.x"
annotations:
artifacthub.io/license: Apache-2.0
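Review bot: A patch-level bump (0.5.39 to 0.5.40) understates the impact of this change for existing installs: the new default podSecurityContext (runAsNonRoot: true, fsGroup: 1001 further down in this commit) changes both pod admission and the ownership of the data volume on the next start, and a user whose blaze image starts as root will have the pod refused after upgrading. Consider a minor bump, or at least an explicit upgrade note in the changes annotation below, so the change is not missed.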
Expand All @@ -31,4 +31,4 @@ annotations:
# When using the list of objects option the valid supported kinds are
# added, changed, deprecated, removed, fixed and security.
- kind: changed
description: "Updated common to 2.28.0"
description: "Set default pod-level security context"
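Review bot: The changes entry says that a default was set but not what it is or what it means for upgrades; extending the description to name the concrete values, e.g. `description: "Set default pod-level security context (runAsNonRoot: true, fsGroup: 1001)"`, makes the Artifact Hub changelog actionable. The comment two lines above lists `security` as a supported kind; since this is a hardening of defaults rather than a functional change, it is worth deciding whether `kind: security` fits better than `kind: changed`.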
2 changes: 1 addition & 1 deletion charts/blaze/README.md
Expand Up @@ -53,7 +53,7 @@ helm install blaze oci://ghcr.io/miracum/charts/blaze -n blaze
| persistence.size | string | `"8Gi"` | PVC Storage Request for volume |
| persistence.storageClass | string | `""` | PVC Storage Class for data volume If defined, storageClassName: <storageClass> If set to "-", storageClassName: "", which disables dynamic provisioning If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner. |
| podAnnotations | object | `{}` | annotations to set on the main deployment's pod |
| podSecurityContext | object | `{}` | the pod security context |
| podSecurityContext | object | `{"fsGroup":1001,"runAsNonRoot":true}` | the pod security context |
| replicaCount | int | `1` | number of replicas. ⚠️ Blaze does not support running with multiple replicas. |
| resources | object | `{}` | configure the resource requests and limits |
| resourcesPreset | string | `"medium"` | set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). More information: <https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15> |
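Review bot: The row now shows the new default, but the description "the pod security context" gives no hint that runAsNonRoot: true makes the kubelet refuse the container when the image's USER is root or a non-numeric name. Since this table is generated from the values.yaml comments, the fix belongs in the `# -- the pod security context` comment there; a one-line pointer to the override (set podSecurityContext.runAsUser, or runAsNonRoot: false for a custom image) would save operators a failed rollout.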
4 changes: 2 additions & 2 deletions charts/blaze/values.yaml
Expand Up @@ -57,8 +57,8 @@ podAnnotations: {}

# -- the pod security context
podSecurityContext:
{}
# fsGroup: 2000
runAsNonRoot: true
fsGroup: 1001

# @ignored
securityContext:
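Review bot: runAsNonRoot: true is added without a runAsUser, so enforcement depends entirely on the image: the kubelet starts the container only if the image's USER is a numeric non-zero UID and otherwise fails it with CreateContainerConfigError ("container has runAsNonRoot and image has non-numeric user"). If the blaze image declares a named user, add `runAsUser` (1001 would match the fsGroup chosen here), either in this block or in the container-level `securityContext` block that starts just below. The removed `# fsGroup: 2000` hint is also replaced by 1001 with no comment on where that GID comes from; a short comment tying it to the image's user would help the next reader.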
6 changes: 3 additions & 3 deletions charts/datashield/Chart.yaml
Expand Up @@ -23,7 +23,7 @@ dependencies:
version: 2.28.0
deprecated: false
kubeVersion: ">= 1.19.0"
version: 0.7.51
version: 0.7.52
annotations:
artifacthub.io/license: Apache-2.0
artifacthub.io/containsSecurityUpdates: "false"
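Review bot: artifacthub.io/containsSecurityUpdates stays "false" two lines below the version bump, while the commit adds runAsNonRoot: true to two pods. If the project treats hardened defaults as a security update this should flip to "true"; if not, leaving it is defensible, but the decision is worth making explicitly rather than by omission. As with the blaze chart, a patch bump (0.7.51 to 0.7.52) for a change that re-owns existing volumes on upgrade is borderline; an upgrade note in the changes entry is the minimum.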
Expand All @@ -36,5 +36,5 @@ annotations:
artifacthub.io/changes: |-
# When using the list of objects option the valid supported kinds are
# added, changed, deprecated, removed, fixed and security.
- kind: changed
description: "Updated docker.io/bitnami/postgresql to 17.2.0-debian-12-r3"
- kind: fixed
description: "corrected fsGroup in opal pod-level security context"
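Review bot: The description covers only the opal fsGroup, but the same commit also changes rock.podSecurityContext (fsGroup 101 to 65534) and adds runAsNonRoot: true to both pods. Either add separate entries for those or broaden this one, e.g. `description: "set runAsNonRoot and corrected fsGroup in the opal and rock pod-level security contexts"`, so the changelog matches the diff.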
4 changes: 2 additions & 2 deletions charts/datashield/README.md
Expand Up @@ -59,7 +59,7 @@ helm install --create-namespace -n datashield datashield oci://ghcr.io/miracum/c
| opal.persistence.size | string | `"8Gi"` | PVC Storage Request for volume |
| opal.persistence.storageClass | string | `""` | PVC Storage Class for data volume If defined, storageClassName: <storageClass> If set to "-", storageClassName: "", which disables dynamic provisioning If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner. |
| opal.podAnnotations | object | `{}` | annotations to set on the opal pod |
| opal.podSecurityContext | object | `{"fsGroup":100}` | the pod security context |
| opal.podSecurityContext | object | `{"fsGroup":10041,"runAsNonRoot":true}` | the pod security context |
| opal.replicaCount | int | `1` | number of replicas. Should be kept as 1 unless ReadWriteMany persistence is used |
| opal.resources | object | `{}` | resource limits and requests |
| opal.resourcesPreset | string | `"small"` | set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). More information: <https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15> |
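Review bot: 10041 is an unusual GID and nothing on this row says where it comes from; because the row is generated from values.yaml, add a comment there naming the group in the opal image it is meant to match. Without that, the next person to touch the file cannot tell whether 100 or 10041 was the typo, and the changelog's "corrected" gives them nothing to verify against.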
Expand Down Expand Up @@ -97,7 +97,7 @@ helm install --create-namespace -n datashield datashield oci://ghcr.io/miracum/c
| rock.persistence.selector | object | `{}` | selector to match an existing Persistent Volume (this value is evaluated as a template) selector: matchLabels: app: my-app |
| rock.persistence.size | string | `"8Gi"` | PVC Storage Request for volume |
| rock.persistence.storageClass | string | `""` | PVC Storage Class for data volume If defined, storageClassName: <storageClass> If set to "-", storageClassName: "", which disables dynamic provisioning If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner. |
| rock.podSecurityContext | object | `{"fsGroup":101}` | pod security context |
| rock.podSecurityContext | object | `{"fsGroup":65534,"runAsNonRoot":true}` | pod security context |
| rock.replicaCount | int | `1` | number of rock instances in the cluster |
| rock.resources | object | `{}` | resource limits and requests |
| rock.resourcesPreset | string | `"small"` | set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). More information: <https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15> |
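Review bot: 65534 is conventionally nobody/nogroup. If the rock image really runs as that user the value is consistent, but 65534 is also the fallback GID many runtimes assign to unmapped users, so it is worth recording in the values.yaml comment which user the image declares rather than leaving the reader to guess; the README row will then carry the explanation automatically.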
6 changes: 4 additions & 2 deletions charts/datashield/values.yaml
Expand Up @@ -120,7 +120,8 @@ opal:

# -- the pod security context
podSecurityContext:
fsGroup: 100
runAsNonRoot: true
fsGroup: 10041

# @ignored
securityContext:
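Review bot: Changing fsGroup from 100 to 10041 on an existing release re-chowns the data on the opal PVC to the new group at the next pod start. That is the intended fix, but it should be stated in the upgrade notes, and with the default fsGroupChangePolicy (Always) the recursive chown runs on every pod start, which can add minutes on large data volumes. Consider adding `fsGroupChangePolicy: "OnRootMismatch"` next to fsGroup so the walk only happens when the volume root's ownership differs. The new runAsNonRoot: true also requires the opal image to declare a numeric non-root USER, or a `runAsUser` here or in the container-level `securityContext` block below; otherwise the kubelet rejects the container at start.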
Expand Down Expand Up @@ -348,7 +349,8 @@ rock:

# -- pod security context
podSecurityContext:
fsGroup: 101
runAsNonRoot: true
fsGroup: 65534

# -- pod node selector
nodeSelector: {}
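Review bot: Unlike the opal block, no container-level `securityContext` is visible below this one (the next key is `nodeSelector`), so runAsNonRoot: true for rock relies entirely on the image's USER being a numeric non-zero UID; confirm that, or add `runAsUser` here. The `# -- pod security context` comment above should also record which image user or group 65534 matches, since the README is generated from it, and the same fsGroupChangePolicy consideration as for opal applies to the rock data volume.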