Bgd 5200 non root fluentbit sidecars (#210)

* [charts/bigdata-notebook-service] use non-root fluent-bit container image * [charts/bigdata-notebook-workspace] use non-root fluent-bit container image * [charts/bigdata-notebook-storage-server] use non-root fluent-bit container image * [charts/bigdata-operator] use non-root fluent-bit container image * [charts/bigdata-proxy] use non-root fluent-bit container image * [charts/bigdata-spark-watcher] use non-root fluent-bit container image * [charts/spark-operator] use non-root fluent-bit container image
spotinst · May 30, 2024 · 3478765 · 3478765
1 parent 9c7aca0
commit 3478765
Show file tree

Hide file tree

Showing 21 changed files with 70 additions and 57 deletions.
diff --git a/charts/bigdata-notebook-service-storage-server/Chart.yaml b/charts/bigdata-notebook-service-storage-server/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: bigdata-notebook-service-storage-server
 description: A Helm chart for the Spot Big Data Notebook Service Storage Server
 type: application
-version: 0.1.13
+version: 0.1.14
 appVersion: "1.2.0-ofas"
 home: https://github.com/spotinst/charts
 icon: https://docs.spot.io/_media/images/spot_mark.png

diff --git a/...igdata-notebook-service-storage-server/templates/notebook-service-storage-deployment.yaml b/...igdata-notebook-service-storage-server/templates/notebook-service-storage-deployment.yaml
@@ -41,6 +41,8 @@ spec:
     {{- if .Values.telemetry.enabled }}
       - name: fluentbit
         image: "{{ .Values.telemetry.fluentbit.image.repository }}:{{ .Values.telemetry.fluentbit.image.tag }}"
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 10 }}
         ports:
           - name: http
             containerPort: 2020
@@ -69,16 +71,16 @@ spec:
         resources: {}
         volumeMounts:
           - name: telementry-global-config
-            mountPath: /fluent-bit/etc/fluent-bit.conf
+            mountPath: /opt/bitnami/fluent-bit/conf/fluent-bit.conf
             subPath: fluent-bit.conf
           - name: telementry-custom-config
-            mountPath: /fluent-bit/etc/custom-filters.conf
+            mountPath: /opt/bitnami/fluent-bit/conf/custom-filters.conf
             subPath: custom-filters.conf
           - name: telementry-global-config
-            mountPath: /fluent-bit/etc/parsers.conf
+            mountPath: /opt/bitnami/fluent-bit/conf/parsers.conf
             subPath: parsers.conf
           - name: telementry-custom-config
-            mountPath: /fluent-bit/etc/metrics-collection.conf
+            mountPath: /opt/bitnami/fluent-bit/conf/metrics-collection.conf
             subPath: metrics-collection.conf
           - name: varlog
             readOnly: true
@@ -87,7 +89,7 @@ spec:
             readOnly: true
             mountPath: /var/lib/docker/containers
           - name: telemetry-aws-credentials
-            mountPath: /root/.aws
+            mountPath: /.aws
       volumes:
         - name: telementry-global-config
           configMap:

diff --git a/charts/bigdata-notebook-service-storage-server/values.yaml b/charts/bigdata-notebook-service-storage-server/values.yaml
@@ -41,7 +41,7 @@ telemetry:
   fluentbit:
     image:
       repository: public.ecr.aws/ocean-spark/fluent-bit
-      tag: 2.0.10
+      tag: 3.0.5
 
 nodeSelector: {}
 

diff --git a/charts/bigdata-notebook-service/Chart.yaml b/charts/bigdata-notebook-service/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: bigdata-notebook-service
 description: A Helm chart for the Spot Big Data Notebook Service
 type: application
-version: 0.4.0
+version: 0.4.1
 appVersion: 0.83.0
 home: https://github.com/spotinst/charts
 icon: https://docs.spot.io/_media/images/spot_mark.png

diff --git a/charts/bigdata-notebook-service/templates/deployment.yaml b/charts/bigdata-notebook-service/templates/deployment.yaml
@@ -128,6 +128,8 @@ spec:
       {{- if .Values.telemetry.enabled }}
         - name: fluentbit
           image: "{{ .Values.telemetry.fluentbit.image.repository }}:{{ .Values.telemetry.fluentbit.image.tag }}"
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
           ports:
             - name: http
               containerPort: 2020
@@ -168,16 +170,16 @@ spec:
           resources: {}
           volumeMounts:
             - name: telementry-global-config
-              mountPath: /fluent-bit/etc/fluent-bit.conf
+              mountPath: /opt/bitnami/fluent-bit/conf/fluent-bit.conf
               subPath: fluent-bit.conf
             - name: telementry-custom-config
-              mountPath: /fluent-bit/etc/custom-filters.conf
+              mountPath: /opt/bitnami/fluent-bit/conf/custom-filters.conf
               subPath: custom-filters.conf
             - name: telementry-global-config
-              mountPath: /fluent-bit/etc/parsers.conf
+              mountPath: /opt/bitnami/fluent-bit/conf/parsers.conf
               subPath: parsers.conf
             - name: telementry-custom-config
-              mountPath: /fluent-bit/etc/metrics-collection.conf
+              mountPath: /opt/bitnami/fluent-bit/conf/metrics-collection.conf
               subPath: metrics-collection.conf
             - name: varlog
               readOnly: true
@@ -186,7 +188,7 @@ spec:
               readOnly: true
               mountPath: /var/lib/docker/containers
             - name: telemetry-aws-credentials
-              mountPath: /root/.aws
+              mountPath: /.aws
       {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:

diff --git a/charts/bigdata-notebook-service/values.yaml b/charts/bigdata-notebook-service/values.yaml
@@ -55,11 +55,10 @@ podLabels:
   spotinst.io/restrict-scale-down: "true"
   bigdata.spot.io/component: "bigdata-notebook-service"
 
-podSecurityContext:
-  fsGroup: 1000
-  runAsNonRoot: true
+podSecurityContext: {}
 
-securityContext: {}
+securityContext:
+  runAsNonRoot: true
 
 livenessProbe:
   initialDelaySeconds: 10
@@ -79,7 +78,7 @@ telemetry:
   fluentbit:
     image:
       repository: public.ecr.aws/ocean-spark/fluent-bit
-      tag: 2.0.10
+      tag: 3.0.5
 
 nodeSelector: {}
 

diff --git a/charts/bigdata-notebook-workspace/Chart.yaml b/charts/bigdata-notebook-workspace/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: bigdata-notebook-workspace
 description: A Helm chart for the Spot Big Data Notebook Workspace
 type: application
-version: 0.0.13
+version: 0.0.14
 appVersion: 4.1.8-ofas-704f999
 home: https://github.com/spotinst/charts
 icon: https://docs.spot.io/_media/images/spot_mark.png

diff --git a/charts/bigdata-notebook-workspace/templates/deployment.yaml b/charts/bigdata-notebook-workspace/templates/deployment.yaml
@@ -92,6 +92,8 @@ spec:
         {{- if .Values.telemetry.enabled }}
         - name: fluentbit
           image: "{{ .Values.telemetry.fluentbit.image.repository }}:{{ .Values.telemetry.fluentbit.image.tag }}"
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
           ports:
             - name: http
               containerPort: 2020
@@ -119,16 +121,16 @@ spec:
                   key: accountId
           volumeMounts:
             - name: telementry-global-config
-              mountPath: /fluent-bit/etc/fluent-bit.conf
+              mountPath: /opt/bitnami/fluent-bit/conf/fluent-bit.conf
               subPath: fluent-bit.conf
             - name: telementry-custom-config
-              mountPath: /fluent-bit/etc/custom-filters.conf
+              mountPath: /opt/bitnami/fluent-bit/conf/custom-filters.conf
               subPath: custom-filters.conf
             - name: telementry-global-config
-              mountPath: /fluent-bit/etc/parsers.conf
+              mountPath: /opt/bitnami/fluent-bit/conf/parsers.conf
               subPath: parsers.conf
             - name: telementry-custom-config
-              mountPath: /fluent-bit/etc/metrics-collection.conf
+              mountPath: /opt/bitnami/fluent-bit/conf/metrics-collection.conf
               subPath: metrics-collection.conf
             - name: varlog
               readOnly: true
@@ -137,7 +139,7 @@ spec:
               readOnly: true
               mountPath: /var/lib/docker/containers
             - name: telemetry-aws-credentials
-              mountPath: /root/.aws
+              mountPath: /.aws
       {{- end }}
       restartPolicy: {{ .Values.restartPolicy }}
       {{- if or .Values.pvc.create .Values.telemetry.enabled }}

diff --git a/charts/bigdata-notebook-workspace/values.yaml b/charts/bigdata-notebook-workspace/values.yaml
@@ -35,7 +35,7 @@ telemetry:
   fluentbit:
     image:
       repository: public.ecr.aws/ocean-spark/fluent-bit
-      tag: 2.0.10
+      tag: 3.0.5
 
 podLabels:
   bigdata.spot.io/component: "bigdata-notebook-workspace"

diff --git a/charts/bigdata-operator/Chart.yaml b/charts/bigdata-operator/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: bigdata-operator
 description: Spot Ocean BigData Operator
 type: application
-version: 0.4.17
+version: 0.4.18
 appVersion: 0.4.15
 home: https://github.com/spotinst/charts
 icon: https://docs.spot.io/_media/images/spot_mark.png

diff --git a/charts/bigdata-operator/templates/deployment.yaml b/charts/bigdata-operator/templates/deployment.yaml
@@ -82,6 +82,8 @@ spec:
             failureThreshold: 3
         - name: fluentbit
           image: "{{ .Values.telemetry.fluentbit.image.repository }}:{{ .Values.telemetry.fluentbit.image.tag }}"
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
           ports:
             - name: http
               containerPort: 2020
@@ -122,16 +124,16 @@ spec:
           resources: {}
           volumeMounts:
             - name: telementry-global-config
-              mountPath: /fluent-bit/etc/fluent-bit.conf
+              mountPath: /opt/bitnami/fluent-bit/conf/fluent-bit.conf
               subPath: fluent-bit.conf
-            - name: telementry-global-config
-              mountPath: /fluent-bit/etc/parsers.conf
-              subPath: parsers.conf
             - name: telementry-custom-config
-              mountPath: /fluent-bit/etc/custom-filters.conf
+              mountPath: /opt/bitnami/fluent-bit/conf/custom-filters.conf
               subPath: custom-filters.conf
+            - name: telementry-global-config
+              mountPath: /opt/bitnami/fluent-bit/conf/parsers.conf
+              subPath: parsers.conf
             - name: telementry-custom-config
-              mountPath: /fluent-bit/etc/metrics-collection.conf
+              mountPath: /opt/bitnami/fluent-bit/conf/metrics-collection.conf
               subPath: metrics-collection.conf
             - name: varlog
               readOnly: true
@@ -140,7 +142,7 @@ spec:
               readOnly: true
               mountPath: /var/lib/docker/containers
             - name: telemetry-aws-credentials
-              mountPath: /root/.aws
+              mountPath: /.aws
       volumes:
         - name: telementry-global-config
           configMap:

diff --git a/charts/bigdata-operator/values.yaml b/charts/bigdata-operator/values.yaml
@@ -49,7 +49,7 @@ telemetry:
   fluentbit:
     image:
       repository: public.ecr.aws/ocean-spark/fluent-bit
-      tag: 2.0.10
+      tag: 3.0.5
 
 resources:
   limits:

diff --git a/charts/bigdata-proxy/Chart.yaml b/charts/bigdata-proxy/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: bigdata-proxy
 description: A Helm chart for the Spot Big Data Proxy
 type: application
-version: 0.4.11
+version: 0.4.12
 appVersion: 0.5.4
 home: https://github.com/spotinst/charts
 icon: https://docs.spot.io/_media/images/spot_mark.png

diff --git a/charts/bigdata-proxy/templates/deployment.yaml b/charts/bigdata-proxy/templates/deployment.yaml
@@ -56,6 +56,8 @@ spec:
     {{- if .Values.telemetry.enabled }}
         - name: fluentbit
           image: "{{ .Values.telemetry.fluentbit.image.repository }}:{{ .Values.telemetry.fluentbit.image.tag }}"
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
           ports:
             - name: http
               containerPort: 2020
@@ -84,16 +86,16 @@ spec:
           resources: {}
           volumeMounts:
             - name: telementry-global-config
-              mountPath: /fluent-bit/etc/fluent-bit.conf
+              mountPath: /opt/bitnami/fluent-bit/conf/fluent-bit.conf
               subPath: fluent-bit.conf
-            - name: telementry-global-config
-              mountPath: /fluent-bit/etc/parsers.conf
-              subPath: parsers.conf
             - name: telementry-custom-config
-              mountPath: /fluent-bit/etc/custom-filters.conf
+              mountPath: /opt/bitnami/fluent-bit/conf/custom-filters.conf
               subPath: custom-filters.conf
+            - name: telementry-global-config
+              mountPath: /opt/bitnami/fluent-bit/conf/parsers.conf
+              subPath: parsers.conf
             - name: telementry-custom-config
-              mountPath: /fluent-bit/etc/metrics-collection.conf
+              mountPath: /opt/bitnami/fluent-bit/conf/metrics-collection.conf
               subPath: metrics-collection.conf
             - name: varlog
               readOnly: true
@@ -102,7 +104,7 @@ spec:
               readOnly: true
               mountPath: /var/lib/docker/containers
             - name: telemetry-aws-credentials
-              mountPath: /root/.aws
+              mountPath: /.aws
       volumes:
         - name: telementry-global-config
           configMap:

diff --git a/charts/bigdata-proxy/values.yaml b/charts/bigdata-proxy/values.yaml
@@ -68,7 +68,7 @@ telemetry:
   fluentbit:
     image:
       repository: public.ecr.aws/ocean-spark/fluent-bit
-      tag: 2.0.10
+      tag: 3.0.5
 
 nodeSelector: {}
 

diff --git a/charts/bigdata-spark-watcher/Chart.yaml b/charts/bigdata-spark-watcher/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: bigdata-spark-watcher
 description: A Helm chart for the Spot Big Data Spark Watcher
 type: application
-version: 0.5.15
+version: 0.5.16
 appVersion: 0.5.0
 home: https://github.com/spotinst/charts
 icon: https://docs.spot.io/_media/images/spot_mark.png

diff --git a/charts/bigdata-spark-watcher/templates/deployment.yaml b/charts/bigdata-spark-watcher/templates/deployment.yaml
@@ -87,6 +87,8 @@ spec:
     {{- if .Values.telemetry.enabled }}
         - name: fluentbit
           image: "{{ .Values.telemetry.fluentbit.image.repository }}:{{ .Values.telemetry.fluentbit.image.tag }}"
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
           ports:
             - name: http
               containerPort: 2020
@@ -127,16 +129,16 @@ spec:
           resources: {}
           volumeMounts:
             - name: telementry-global-config
-              mountPath: /fluent-bit/etc/fluent-bit.conf
+              mountPath: /opt/bitnami/fluent-bit/conf/fluent-bit.conf
               subPath: fluent-bit.conf
             - name: telementry-custom-config
-              mountPath: /fluent-bit/etc/custom-filters.conf
+              mountPath: /opt/bitnami/fluent-bit/conf/custom-filters.conf
               subPath: custom-filters.conf
             - name: telementry-global-config
-              mountPath: /fluent-bit/etc/parsers.conf
+              mountPath: /opt/bitnami/fluent-bit/conf/parsers.conf
               subPath: parsers.conf
             - name: telementry-custom-config
-              mountPath: /fluent-bit/etc/metrics-collection.conf
+              mountPath: /opt/bitnami/fluent-bit/conf/metrics-collection.conf
               subPath: metrics-collection.conf
             - name: varlog
               readOnly: true
@@ -145,7 +147,7 @@ spec:
               readOnly: true
               mountPath: /var/lib/docker/containers
             - name: telemetry-aws-credentials
-              mountPath: /root/.aws
+              mountPath: /.aws
     {{- end }}
       {{- if or .Values.telemetry.enabled .Values.k8sEventLogCollectorEnabled }}
       volumes:

diff --git a/charts/bigdata-spark-watcher/values.yaml b/charts/bigdata-spark-watcher/values.yaml
@@ -90,7 +90,7 @@ telemetry:
   fluentbit:
     image:
       repository: public.ecr.aws/ocean-spark/fluent-bit
-      tag: 2.0.10
+      tag: 3.0.5
 
 nodeSelector: {}
 

diff --git a/charts/spark-operator/Chart.yaml b/charts/spark-operator/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 description: Spark Operator (b/g part)
 name: spark-operator
-version: 0.1.30
+version: 0.1.31
 appVersion: v1beta2-1.3.4-3.1.1
 dependencies:
   - name: spark-operator