mirror of
https://github.com/minio/minio.git
synced 2024-12-25 06:35:56 -05:00
feat(helm) making securityContext consistent (#20546)
This commit is contained in:
parent
87804624fe
commit
e0aceca1b7
@ -1,7 +1,7 @@
|
||||
apiVersion: v1
|
||||
description: High Performance Object Storage
|
||||
name: minio
|
||||
version: 5.2.0
|
||||
version: 5.2.1
|
||||
appVersion: RELEASE.2024-04-18T19-09-19Z
|
||||
keywords:
|
||||
- minio
|
||||
|
@ -1,6 +1,6 @@
|
||||
{{- if eq .Values.service.type "ClusterIP" "NodePort" }}
|
||||
MinIO can be accessed via port {{ .Values.service.port }} on the following DNS name from within your cluster:
|
||||
{{ template "minio.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
|
||||
{{ template "minio.fullname" . }}.{{ .Release.Namespace }}.{{ .Values.clusterDomain }}
|
||||
|
||||
To access MinIO from localhost, run the below commands:
|
||||
|
||||
|
@ -55,12 +55,7 @@ spec:
|
||||
{{- end }}
|
||||
{{- if and .Values.securityContext.enabled .Values.persistence.enabled }}
|
||||
securityContext:
|
||||
runAsUser: {{ .Values.securityContext.runAsUser }}
|
||||
runAsGroup: {{ .Values.securityContext.runAsGroup }}
|
||||
fsGroup: {{ .Values.securityContext.fsGroup }}
|
||||
{{- if and (ge .Capabilities.KubeVersion.Major "1") (ge .Capabilities.KubeVersion.Minor "20") }}
|
||||
fsGroupChangePolicy: {{ .Values.securityContext.fsGroupChangePolicy }}
|
||||
{{- end }}
|
||||
{{ omit .Values.securityContext "enabled" | toYaml | nindent 8 }}
|
||||
{{- end }}
|
||||
{{ if .Values.serviceAccount.create }}
|
||||
serviceAccountName: {{ .Values.serviceAccount.name }}
|
||||
@ -173,6 +168,11 @@ spec:
|
||||
value: {{ tpl $val $ | quote }}
|
||||
{{- end }}
|
||||
resources: {{- toYaml .Values.resources | nindent 12 }}
|
||||
{{- if and .Values.securityContext.enabled .Values.persistence.enabled }}
|
||||
{{- with .Values.containerSecurityContext }}
|
||||
securityContext: {{ toYaml . | nindent 12}}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.extraContainers }}
|
||||
{{- if eq (typeOf .) "string" }}
|
||||
{{- tpl . $ | nindent 8 }}
|
||||
|
@ -39,10 +39,7 @@ spec:
|
||||
tolerations: {{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.postJob.securityContext.enabled }}
|
||||
securityContext:
|
||||
runAsUser: {{ .Values.postJob.securityContext.runAsUser }}
|
||||
runAsGroup: {{ .Values.postJob.securityContext.runAsGroup }}
|
||||
fsGroup: {{ .Values.postJob.securityContext.fsGroup }}
|
||||
securityContext: {{ omit .Values.postJob.securityContext "enabled" | toYaml | nindent 12 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: etc-path
|
||||
@ -93,9 +90,9 @@ spec:
|
||||
- name: minio-make-policy
|
||||
image: "{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}"
|
||||
{{- if .Values.makePolicyJob.securityContext.enabled }}
|
||||
securityContext:
|
||||
runAsUser: {{ .Values.makePolicyJob.securityContext.runAsUser }}
|
||||
runAsGroup: {{ .Values.makePolicyJob.securityContext.runAsGroup }}
|
||||
{{- with .Values.makePolicyJob.containerSecurityContext }}
|
||||
securityContext: {{ toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
imagePullPolicy: {{ .Values.mcImage.pullPolicy }}
|
||||
{{- if .Values.makePolicyJob.exitCommand }}
|
||||
@ -127,9 +124,9 @@ spec:
|
||||
- name: minio-make-bucket
|
||||
image: "{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}"
|
||||
{{- if .Values.makeBucketJob.securityContext.enabled }}
|
||||
securityContext:
|
||||
runAsUser: {{ .Values.makeBucketJob.securityContext.runAsUser }}
|
||||
runAsGroup: {{ .Values.makeBucketJob.securityContext.runAsGroup }}
|
||||
{{- with .Values.makeBucketJob.containerSecurityContext }}
|
||||
securityContext: {{ toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
imagePullPolicy: {{ .Values.mcImage.pullPolicy }}
|
||||
{{- if .Values.makeBucketJob.exitCommand }}
|
||||
@ -160,9 +157,9 @@ spec:
|
||||
- name: minio-make-user
|
||||
image: "{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}"
|
||||
{{- if .Values.makeUserJob.securityContext.enabled }}
|
||||
securityContext:
|
||||
runAsUser: {{ .Values.makeUserJob.securityContext.runAsUser }}
|
||||
runAsGroup: {{ .Values.makeUserJob.securityContext.runAsGroup }}
|
||||
{{- with .Values.makeUserJob.containerSecurityContext }}
|
||||
securityContext: {{ toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
imagePullPolicy: {{ .Values.mcImage.pullPolicy }}
|
||||
{{- if .Values.makeUserJob.exitCommand }}
|
||||
@ -193,9 +190,9 @@ spec:
|
||||
- name: minio-custom-command
|
||||
image: "{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}"
|
||||
{{- if .Values.customCommandJob.securityContext.enabled }}
|
||||
securityContext:
|
||||
runAsUser: {{ .Values.customCommandJob.securityContext.runAsUser }}
|
||||
runAsGroup: {{ .Values.customCommandJob.securityContext.runAsGroup }}
|
||||
{{- with .Values.customCommandJob.containerSecurityContext }}
|
||||
securityContext: {{ toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
imagePullPolicy: {{ .Values.mcImage.pullPolicy }}
|
||||
{{- if .Values.customCommandJob.exitCommand }}
|
||||
@ -229,9 +226,9 @@ spec:
|
||||
- name: minio-make-svcacct
|
||||
image: "{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}"
|
||||
{{- if .Values.makeServiceAccountJob.securityContext.enabled }}
|
||||
securityContext:
|
||||
runAsUser: {{ .Values.makeServiceAccountJob.securityContext.runAsUser }}
|
||||
runAsGroup: {{ .Values.makeServiceAccountJob.securityContext.runAsGroup }}
|
||||
{{- with .Values.makeServiceAccountJob.containerSecurityContext }}
|
||||
securityContext: {{ toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
imagePullPolicy: {{ .Values.mcImage.pullPolicy }}
|
||||
{{- if .Values.makeServiceAccountJob.exitCommand }}
|
||||
|
@ -83,12 +83,7 @@ spec:
|
||||
{{- end }}
|
||||
{{- if and .Values.securityContext.enabled .Values.persistence.enabled }}
|
||||
securityContext:
|
||||
runAsUser: {{ .Values.securityContext.runAsUser }}
|
||||
runAsGroup: {{ .Values.securityContext.runAsGroup }}
|
||||
fsGroup: {{ .Values.securityContext.fsGroup }}
|
||||
{{- if and (ge .Capabilities.KubeVersion.Major "1") (ge .Capabilities.KubeVersion.Minor "20") }}
|
||||
fsGroupChangePolicy: {{ .Values.securityContext.fsGroupChangePolicy }}
|
||||
{{- end }}
|
||||
{{- omit .Values.securityContext "enabled" | toYaml | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.serviceAccount.create }}
|
||||
serviceAccountName: {{ .Values.serviceAccount.name }}
|
||||
@ -192,8 +187,9 @@ spec:
|
||||
{{- end }}
|
||||
resources: {{- toYaml .Values.resources | nindent 12 }}
|
||||
{{- if and .Values.securityContext.enabled .Values.persistence.enabled }}
|
||||
securityContext:
|
||||
readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFilesystem | default false }}
|
||||
{{- with .Values.containerSecurityContext }}
|
||||
securityContext: {{ toYaml . | nindent 12}}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.extraContainers }}
|
||||
{{- if eq (typeOf .) "string" }}
|
||||
|
@ -275,6 +275,8 @@ securityContext:
|
||||
runAsGroup: 1000
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: "OnRootMismatch"
|
||||
|
||||
containerSecurityContext:
|
||||
readOnlyRootFilesystem: false
|
||||
|
||||
# Additational pod annotations
|
||||
|
Loading…
Reference in New Issue
Block a user