From e0aceca1b7704c0ef1433279dadb8691c4d08b62 Mon Sep 17 00:00:00 2001
From: Yannis Mazzer
Date: Thu, 10 Oct 2024 15:48:31 +0000
Subject: [PATCH] feat(helm) making securityContext consistent (#20546)
---
 helm/minio/Chart.yaml | 2 +-
 helm/minio/templates/NOTES.txt | 2 +-
 helm/minio/templates/deployment.yaml | 12 ++++-----
 helm/minio/templates/post-job.yaml | 35 ++++++++++++---------------
 helm/minio/templates/statefulset.yaml | 12 +++------
 helm/minio/values.yaml | 2 ++
 6 files changed, 30 insertions(+), 35 deletions(-)
diff --git a/helm/minio/Chart.yaml b/helm/minio/Chart.yaml
index 64c375ae6..131df9de8 100644
--- a/helm/minio/Chart.yaml
+++ b/helm/minio/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 description: High Performance Object Storage
 name: minio
-version: 5.2.0
+version: 5.2.1
 appVersion: RELEASE.2024-04-18T19-09-19Z
 keywords:
 - minio
diff --git a/helm/minio/templates/NOTES.txt b/helm/minio/templates/NOTES.txt
index 7051b1e62..ba51b4c6c 100644
--- a/helm/minio/templates/NOTES.txt
+++ b/helm/minio/templates/NOTES.txt
@@ -1,6 +1,6 @@
 {{- if eq .Values.service.type "ClusterIP" "NodePort" }}
 MinIO can be accessed via port {{ .Values.service.port }} on the following DNS name from within your cluster:
-{{ template "minio.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
+{{ template "minio.fullname" . }}.{{ .Release.Namespace }}.{{ .Values.clusterDomain }}
 To access MinIO from localhost, run the below commands:
diff --git a/helm/minio/templates/deployment.yaml b/helm/minio/templates/deployment.yaml
index d7b405aef..4c57010fd 100644
--- a/helm/minio/templates/deployment.yaml
+++ b/helm/minio/templates/deployment.yaml
@@ -55,12 +55,7 @@ spec:
 {{- end }}
 {{- if and .Values.securityContext.enabled .Values.persistence.enabled }}
 securityContext:
- runAsUser: {{ .Values.securityContext.runAsUser }}
- runAsGroup: {{ .Values.securityContext.runAsGroup }}
- fsGroup: {{ .Values.securityContext.fsGroup }}
- {{- if and (ge .Capabilities.KubeVersion.Major "1") (ge .Capabilities.KubeVersion.Minor "20") }}
- fsGroupChangePolicy: {{ .Values.securityContext.fsGroupChangePolicy }}
- {{- end }}
+ {{ omit .Values.securityContext "enabled" | toYaml | nindent 8 }}
 {{- end }}
 {{ if .Values.serviceAccount.create }}
 serviceAccountName: {{ .Values.serviceAccount.name }}
@@ -173,6 +168,11 @@ spec:
 value: {{ tpl $val $ | quote }}
 {{- end }}
 resources: {{- toYaml .Values.resources | nindent 12 }}
+ {{- if and .Values.securityContext.enabled .Values.persistence.enabled }}
+ {{- with .Values.containerSecurityContext }}
+ securityContext: {{ toYaml . | nindent 12}}
+ {{- end }}
+ {{- end }}
 {{- with .Values.extraContainers }}
 {{- if eq (typeOf .) "string" }}
 {{- tpl . $ | nindent 8 }}
diff --git a/helm/minio/templates/post-job.yaml b/helm/minio/templates/post-job.yaml
index 899fd81d6..955d6558c 100644
--- a/helm/minio/templates/post-job.yaml
+++ b/helm/minio/templates/post-job.yaml
@@ -39,10 +39,7 @@ spec:
 tolerations: {{- toYaml . | nindent 8 }}
 {{- end }}
 {{- if .Values.postJob.securityContext.enabled }}
- securityContext:
- runAsUser: {{ .Values.postJob.securityContext.runAsUser }}
- runAsGroup: {{ .Values.postJob.securityContext.runAsGroup }}
- fsGroup: {{ .Values.postJob.securityContext.fsGroup }}
+ securityContext: {{ omit .Values.postJob.securityContext "enabled" | toYaml | nindent 12 }}
 {{- end }}
 volumes:
 - name: etc-path
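Review bot: The pod-level `securityContext` at `@@ -55` now passes every key of `.Values.securityContext` except `enabled` straight into the PodSecurityContext, but until this commit the chart's own values.yaml kept `readOnlyRootFilesystem` under that key (see the values.yaml hunk), so an existing user override of `securityContext.readOnlyRootFilesystem: true` now renders a field the PodSecurityContext does not have. Depending on the API server's field validation that is either an install failure or a dropped field with a warning, and in the dropped case the container silently loses its read-only root filesystem. The `fsGroupChangePolicy` KubeVersion gate is also gone, so that field is now emitted unconditionally; the same verbatim passthrough appears in post-job.yaml at `@@ -39` and statefulset.yaml at `@@ -83`. Separately, this hunk writes `{{ omit ...` while statefulset.yaml writes `{{- omit ...`; the untrimmed form leaves a whitespace-only line after `securityContext:`, so `{{- omit .Values.securityContext "enabled" | toYaml | nindent 8 }}` would match the other template.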
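Review bot: The container `securityContext` added at `@@ -173` is gated on `.Values.persistence.enabled` as well as `securityContext.enabled`, so a deployment without persistence renders no container-level hardening at all, `readOnlyRootFilesystem` included. The persistence condition is plausible for the pod-level `fsGroup`, which only matters for volume ownership, but nothing in `containerSecurityContext` depends on a volume; `{{- with .Values.containerSecurityContext }}` without the outer `if` (or gated on `securityContext.enabled` alone) would keep the hardening regardless of storage. The same gate is kept around the new block in statefulset.yaml at `@@ -192`. Also `nindent 12}}` is missing the space before `}}` in both files.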
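Review bot: `securityContext: {{ omit .Values.postJob.securityContext "enabled" | toYaml | nindent 12 }}` at `@@ -39` is a pod-spec key, yet it uses `nindent 12` while its sibling `tolerations:` two lines above uses `nindent 8`; the container `securityContext` blocks further down in this file use `nindent 12` because they sit one level deeper. YAML accepts a value indented deeper than its key, so the output is valid, but the rendered manifest then shows pod fields at container depth, which is the pod/container confusion this commit sets out to remove. `nindent 8` keeps the PodSecurityContext at the same depth as the other pod-spec mappings.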
@@ -93,9 +90,9 @@ spec:
 - name: minio-make-policy
 image: "{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}"
 {{- if .Values.makePolicyJob.securityContext.enabled }}
- securityContext:
- runAsUser: {{ .Values.makePolicyJob.securityContext.runAsUser }}
- runAsGroup: {{ .Values.makePolicyJob.securityContext.runAsGroup }}
+ {{- with .Values.makePolicyJob.containerSecurityContext }}
+ securityContext: {{ toYaml . | nindent 12 }}
+ {{- end }}
 {{- end }}
 imagePullPolicy: {{ .Values.mcImage.pullPolicy }}
 {{- if .Values.makePolicyJob.exitCommand }}
@@ -127,9 +124,9 @@ spec:
 - name: minio-make-bucket
 image: "{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}"
 {{- if .Values.makeBucketJob.securityContext.enabled }}
- securityContext:
- runAsUser: {{ .Values.makeBucketJob.securityContext.runAsUser }}
- runAsGroup: {{ .Values.makeBucketJob.securityContext.runAsGroup }}
+ {{- with .Values.makeBucketJob.containerSecurityContext }}
+ securityContext: {{ toYaml . | nindent 12 }}
+ {{- end }}
 {{- end }}
 imagePullPolicy: {{ .Values.mcImage.pullPolicy }}
 {{- if .Values.makeBucketJob.exitCommand }}
@@ -160,9 +157,9 @@ spec:
 - name: minio-make-user
 image: "{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}"
 {{- if .Values.makeUserJob.securityContext.enabled }}
- securityContext:
- runAsUser: {{ .Values.makeUserJob.securityContext.runAsUser }}
- runAsGroup: {{ .Values.makeUserJob.securityContext.runAsGroup }}
+ {{- with .Values.makeUserJob.containerSecurityContext }}
+ securityContext: {{ toYaml . | nindent 12 }}
+ {{- end }}
 {{- end }}
 imagePullPolicy: {{ .Values.mcImage.pullPolicy }}
 {{- if .Values.makeUserJob.exitCommand }}
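Review bot: At `@@ -93` the guard still tests `.Values.makePolicyJob.securityContext.enabled`, but the block it wraps now reads `.Values.makePolicyJob.containerSecurityContext`, a key this commit's values.yaml hunk does not add (it only introduces the top-level `containerSecurityContext`). Unless those per-job keys already exist in values.yaml, a user who enabled the job securityContext with `runAsUser`/`runAsGroup` now gets no container-level `securityContext` at all, and the mc container runs as whatever the image or the pod-level `postJob.securityContext` dictates, with no render-time error to show that the setting was dropped. Either add `containerSecurityContext` under each job in values.yaml, or guard on the key that is actually rendered, `{{- with .Values.makePolicyJob.containerSecurityContext }}` alone. The same pattern repeats for `makeBucketJob` at `@@ -127`, `makeUserJob` at `@@ -160`, `customCommandJob` at `@@ -193` and `makeServiceAccountJob` at `@@ -229`.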
@@ -193,9 +190,9 @@ spec:
 - name: minio-custom-command
 image: "{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}"
 {{- if .Values.customCommandJob.securityContext.enabled }}
- securityContext:
- runAsUser: {{ .Values.customCommandJob.securityContext.runAsUser }}
- runAsGroup: {{ .Values.customCommandJob.securityContext.runAsGroup }}
+ {{- with .Values.customCommandJob.containerSecurityContext }}
+ securityContext: {{ toYaml . | nindent 12 }}
+ {{- end }}
 {{- end }}
 imagePullPolicy: {{ .Values.mcImage.pullPolicy }}
 {{- if .Values.customCommandJob.exitCommand }}
@@ -229,9 +226,9 @@ spec:
 - name: minio-make-svcacct
 image: "{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}"
 {{- if .Values.makeServiceAccountJob.securityContext.enabled }}
- securityContext:
- runAsUser: {{ .Values.makeServiceAccountJob.securityContext.runAsUser }}
- runAsGroup: {{ .Values.makeServiceAccountJob.securityContext.runAsGroup }}
+ {{- with .Values.makeServiceAccountJob.containerSecurityContext }}
+ securityContext: {{ toYaml . | nindent 12 }}
+ {{- end }}
 {{- end }}
 imagePullPolicy: {{ .Values.mcImage.pullPolicy }}
 {{- if .Values.makeServiceAccountJob.exitCommand }}
diff --git a/helm/minio/templates/statefulset.yaml b/helm/minio/templates/statefulset.yaml
index 051f17be2..67f497f73 100644
--- a/helm/minio/templates/statefulset.yaml
+++ b/helm/minio/templates/statefulset.yaml
@@ -83,12 +83,7 @@ spec:
 {{- end }}
 {{- if and .Values.securityContext.enabled .Values.persistence.enabled }}
 securityContext:
- runAsUser: {{ .Values.securityContext.runAsUser }}
- runAsGroup: {{ .Values.securityContext.runAsGroup }}
- fsGroup: {{ .Values.securityContext.fsGroup }}
- {{- if and (ge .Capabilities.KubeVersion.Major "1") (ge .Capabilities.KubeVersion.Minor "20") }}
- fsGroupChangePolicy: {{ .Values.securityContext.fsGroupChangePolicy }}
- {{- end }}
+ {{- omit .Values.securityContext "enabled" | toYaml | nindent 8 }}
 {{- end }}
 {{- if .Values.serviceAccount.create }}
 serviceAccountName: {{ .Values.serviceAccount.name }}
@@ -192,8 +187,9 @@ spec:
 {{- end }}
 resources: {{- toYaml .Values.resources | nindent 12 }}
 {{- if and .Values.securityContext.enabled .Values.persistence.enabled }}
- securityContext:
- readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFilesystem | default false }}
+ {{- with .Values.containerSecurityContext }}
+ securityContext: {{ toYaml . | nindent 12}}
+ {{- end }}
 {{- end }}
 {{- with .Values.extraContainers }}
 {{- if eq (typeOf .) "string" }}
diff --git a/helm/minio/values.yaml b/helm/minio/values.yaml
index f8e644bce..8eb9863f6 100644
--- a/helm/minio/values.yaml
+++ b/helm/minio/values.yaml
@@ -275,6 +275,8 @@ securityContext:
 runAsGroup: 1000
 fsGroup: 1000
 fsGroupChangePolicy: "OnRootMismatch"
+
+containerSecurityContext:
 readOnlyRootFilesystem: false
 # Additational pod annotations
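Review bot: `containerSecurityContext:` is introduced at `@@ -275` without a comment, although both maps are now copied verbatim into the rendered `securityContext` (pod level for `securityContext`, container level for `containerSecurityContext`) and `readOnlyRootFilesystem` has moved from the first to the second. A user carrying an older values override that still sets `securityContext.readOnlyRootFilesystem: true` gets no hint from this file that the key now lands in the PodSecurityContext, where it is not a valid field. Suggest `# Rendered verbatim as the pod-level securityContext; only PodSecurityContext fields belong here.` above `securityContext:` (outside the hunk) and `# Rendered verbatim as the MinIO container securityContext; readOnlyRootFilesystem moved here from securityContext in chart 5.2.1.` above `containerSecurityContext:`. The per-job `containerSecurityContext` keys that post-job.yaml now reads (`makePolicyJob`, `makeBucketJob`, `makeUserJob`, `customCommandJob`, `makeServiceAccountJob`) are not added in this hunk; if they do not already exist elsewhere in values.yaml, defaults there (even `{}`) would make the new setting discoverable.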