
Commit 2198b3f

authored Jan 17, 2024
[bitnami/redis] fix: 🔒 Improve podSecurityContext and containerSecurityContext with essential security fields (#22184)
* [bitnami/redis] fix: 🔒 Improve podSecurityContext and containerSecurityContext with essential security fields

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* chore: 🔧 Bump chart version

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

---------

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
1 parent f2d0ab5 commit 2198b3f

3 files changed: +55 -22 lines changed


bitnami/redis/Chart.yaml

+1-1
@@ -34,4 +34,4 @@ maintainers:
3434
name: redis
3535
sources:
3636
- https://github.com/bitnami/charts/tree/main/bitnami/redis
37-
version: 18.6.4
37+
version: 18.7.0
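Review bot: the bump from 18.6.4 to 18.7.0 is a minor bump, which is the right level for this change: the other two files add new user-facing values keys (`podSecurityContext.fsGroupChangePolicy`, `sysctls`, `supplementalGroups`, `containerSecurityContext.seLinuxOptions`) whose defaults are empty or, for `fsGroupChangePolicy: Always`, the Kubernetes default, so it is additive rather than a bug fix. The `fix:` prefix in the commit title understates that; `feat:` would match the minor bump.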

bitnami/redis/README.md

+32-21
@@ -163,8 +163,12 @@ The command removes all the Kubernetes components associated with the chart and
163163
| `master.resources.limits` | The resources limits for the Redis&reg; master containers | `{}` |
164164
| `master.resources.requests` | The requested resources for the Redis&reg; master containers | `{}` |
165165
| `master.podSecurityContext.enabled` | Enabled Redis&reg; master pods' Security Context | `true` |
166+
| `master.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
167+
| `master.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
168+
| `master.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
166169
| `master.podSecurityContext.fsGroup` | Set Redis&reg; master pod's Security Context fsGroup | `1001` |
167170
| `master.containerSecurityContext.enabled` | Enabled Redis&reg; master containers' Security Context | `true` |
171+
| `master.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
168172
| `master.containerSecurityContext.runAsUser` | Set Redis&reg; master containers' Security Context runAsUser | `1001` |
169173
| `master.containerSecurityContext.runAsGroup` | Set Redis&reg; master containers' Security Context runAsGroup | `0` |
170174
| `master.containerSecurityContext.runAsNonRoot` | Set Redis&reg; master containers' Security Context runAsNonRoot | `true` |
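Review bot: the description "Set filesystem extra groups" for `master.podSecurityContext.supplementalGroups` is misleading; the field is a list of additional group IDs (GIDs) applied to the first process in each container, not a filesystem setting. Suggest "List of supplemental group IDs (GIDs) applied to the containers' first process". Likewise "Set kernel settings using the sysctl interface" for `master.podSecurityContext.sysctls` should say that these go through the pod spec and are limited to namespaced sysctls the kubelet allows, as opposed to the chart's existing `sysctl.enabled` init container. Since these rows mirror the `@param` annotations in values.yaml, the wording fix belongs there, with the table regenerated.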
@@ -277,8 +281,12 @@ The command removes all the Kubernetes components associated with the chart and
277281
| `replica.resources.limits` | The resources limits for the Redis&reg; replicas containers | `{}` |
278282
| `replica.resources.requests` | The requested resources for the Redis&reg; replicas containers | `{}` |
279283
| `replica.podSecurityContext.enabled` | Enabled Redis&reg; replicas pods' Security Context | `true` |
284+
| `replica.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
285+
| `replica.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
286+
| `replica.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
280287
| `replica.podSecurityContext.fsGroup` | Set Redis&reg; replicas pod's Security Context fsGroup | `1001` |
281288
| `replica.containerSecurityContext.enabled` | Enabled Redis&reg; replicas containers' Security Context | `true` |
289+
| `replica.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
282290
| `replica.containerSecurityContext.runAsUser` | Set Redis&reg; replicas containers' Security Context runAsUser | `1001` |
283291
| `replica.containerSecurityContext.runAsGroup` | Set Redis&reg; replicas containers' Security Context runAsGroup | `0` |
284292
| `replica.containerSecurityContext.runAsNonRoot` | Set Redis&reg; replicas containers' Security Context runAsNonRoot | `true` |
@@ -420,6 +428,7 @@ The command removes all the Kubernetes components associated with the chart and
420428
| `sentinel.resources.limits` | The resources limits for the Redis&reg; Sentinel containers | `{}` |
421429
| `sentinel.resources.requests` | The requested resources for the Redis&reg; Sentinel containers | `{}` |
422430
| `sentinel.containerSecurityContext.enabled` | Enabled Redis&reg; Sentinel containers' Security Context | `true` |
431+
| `sentinel.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
423432
| `sentinel.containerSecurityContext.runAsUser` | Set Redis&reg; Sentinel containers' Security Context runAsUser | `1001` |
424433
| `sentinel.containerSecurityContext.runAsGroup` | Set Redis&reg; Sentinel containers' Security Context runAsGroup | `0` |
425434
| `sentinel.containerSecurityContext.runAsNonRoot` | Set Redis&reg; Sentinel containers' Security Context runAsNonRoot | `true` |
@@ -517,6 +526,7 @@ The command removes all the Kubernetes components associated with the chart and
517526
| `metrics.extraArgs` | Extra arguments for Redis&reg; exporter, for example: | `{}` |
518527
| `metrics.extraEnvVars` | Array with extra environment variables to add to Redis&reg; exporter | `[]` |
519528
| `metrics.containerSecurityContext.enabled` | Enabled Redis&reg; exporter containers' Security Context | `true` |
529+
| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
520530
| `metrics.containerSecurityContext.runAsUser` | Set Redis&reg; exporter containers' Security Context runAsUser | `1001` |
521531
| `metrics.containerSecurityContext.runAsGroup` | Set Redis&reg; exporter containers' Security Context runAsGroup | `0` |
522532
| `metrics.containerSecurityContext.runAsNonRoot` | Set Redis&reg; exporter containers' Security Context runAsNonRoot | `true` |
@@ -567,27 +577,28 @@ The command removes all the Kubernetes components associated with the chart and
567577

568578
### Init Container Parameters
569579

570-
| Name | Description | Value |
571-
| ------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------ | -------------------------- |
572-
| `volumePermissions.enabled` | Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` | `false` |
573-
| `volumePermissions.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` |
574-
| `volumePermissions.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` |
575-
| `volumePermissions.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
576-
| `volumePermissions.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` |
577-
| `volumePermissions.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` |
578-
| `volumePermissions.resources.limits` | The resources limits for the init container | `{}` |
579-
| `volumePermissions.resources.requests` | The requested resources for the init container | `{}` |
580-
| `volumePermissions.containerSecurityContext.runAsUser` | Set init container's Security Context runAsUser | `0` |
581-
| `sysctl.enabled` | Enable init container to modify Kernel settings | `false` |
582-
| `sysctl.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` |
583-
| `sysctl.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` |
584-
| `sysctl.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
585-
| `sysctl.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` |
586-
| `sysctl.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` |
587-
| `sysctl.command` | Override default init-sysctl container command (useful when using custom images) | `[]` |
588-
| `sysctl.mountHostSys` | Mount the host `/sys` folder to `/host-sys` | `false` |
589-
| `sysctl.resources.limits` | The resources limits for the init container | `{}` |
590-
| `sysctl.resources.requests` | The requested resources for the init container | `{}` |
580+
| Name | Description | Value |
581+
| ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ | -------------------------- |
582+
| `volumePermissions.enabled` | Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` | `false` |
583+
| `volumePermissions.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` |
584+
| `volumePermissions.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` |
585+
| `volumePermissions.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
586+
| `volumePermissions.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` |
587+
| `volumePermissions.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` |
588+
| `volumePermissions.resources.limits` | The resources limits for the init container | `{}` |
589+
| `volumePermissions.resources.requests` | The requested resources for the init container | `{}` |
590+
| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
591+
| `volumePermissions.containerSecurityContext.runAsUser` | Set init container's Security Context runAsUser | `0` |
592+
| `sysctl.enabled` | Enable init container to modify Kernel settings | `false` |
593+
| `sysctl.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` |
594+
| `sysctl.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` |
595+
| `sysctl.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
596+
| `sysctl.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` |
597+
| `sysctl.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` |
598+
| `sysctl.command` | Override default init-sysctl container command (useful when using custom images) | `[]` |
599+
| `sysctl.mountHostSys` | Mount the host `/sys` folder to `/host-sys` | `false` |
600+
| `sysctl.resources.limits` | The resources limits for the init container | `{}` |
601+
| `sysctl.resources.requests` | The requested resources for the init container | `{}` |
591602

592603
### useExternalDNS Parameters
593604
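Review bot: `volumePermissions.containerSecurityContext` gains `seLinuxOptions`, but the `sysctl.*` init container, the one that modifies kernel settings and can mount the host `/sys` (`sysctl.mountHostSys`), still has no `containerSecurityContext.*` rows in this table. If its template already sets a security context it should be parameterised and documented the same way; if it does not, that is the more important container to cover, since it is the one running with elevated access. The rest of the diff is column re-alignment from the longer parameter name, which is expected for a generated table.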

bitnami/redis/values.yaml

+22
@@ -276,14 +276,21 @@ master:
276276
## Configure Pods Security Context
277277
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
278278
## @param master.podSecurityContext.enabled Enabled Redis&reg; master pods' Security Context
279+
## @param master.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
280+
## @param master.podSecurityContext.sysctls Set kernel settings using the sysctl interface
281+
## @param master.podSecurityContext.supplementalGroups Set filesystem extra groups
279282
## @param master.podSecurityContext.fsGroup Set Redis&reg; master pod's Security Context fsGroup
280283
##
281284
podSecurityContext:
282285
enabled: true
286+
fsGroupChangePolicy: Always
287+
sysctls: []
288+
supplementalGroups: []
283289
fsGroup: 1001
284290
## Configure Container Security Context
285291
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
286292
## @param master.containerSecurityContext.enabled Enabled Redis&reg; master containers' Security Context
293+
## @param master.containerSecurityContext.seLinuxOptions Set SELinux options in container
287294
## @param master.containerSecurityContext.runAsUser Set Redis&reg; master containers' Security Context runAsUser
288295
## @param master.containerSecurityContext.runAsGroup Set Redis&reg; master containers' Security Context runAsGroup
289296
## @param master.containerSecurityContext.runAsNonRoot Set Redis&reg; master containers' Security Context runAsNonRoot
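Review bot: the new `sysctls: []` default is safe, but the `@param` comment should state how it relates to the existing `sysctl.enabled` init container. Entries here are applied by the kubelet through the pod spec, so only namespaced sysctls that are either in the kubelet's safe list or explicitly permitted with `--allowed-unsafe-sysctls` work; anything else gets the pod rejected by the kubelet rather than silently ignored. Suggest e.g. `## @param master.podSecurityContext.sysctls Set kernel settings using the sysctl interface (namespaced sysctls only; see sysctl.enabled for the init-container approach)`. `fsGroupChangePolicy: Always` matches the Kubernetes default, so behaviour is unchanged; the comment could mention `OnRootMismatch` as the value that avoids a recursive chown on large volumes.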
@@ -293,6 +300,7 @@ master:
293300
##
294301
containerSecurityContext:
295302
enabled: true
303+
seLinuxOptions: {}
296304
runAsUser: 1001
297305
runAsGroup: 0
298306
runAsNonRoot: true
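Review bot: only `seLinuxOptions: {}` is added at container level in this hunk, while the commit title promises "essential security fields". The visible context shows `enabled`, `runAsUser`, `runAsGroup` and `runAsNonRoot`; if `allowPrivilegeEscalation: false`, `capabilities.drop: ["ALL"]`, `readOnlyRootFilesystem` and `seccompProfile.type: RuntimeDefault` are not already present below the hunk's context, those are the fields that actually restrict the container and belong in the same change. A one-line comment that `seLinuxOptions` only takes effect on SELinux-enabled nodes would also help users who set it and see no change.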
@@ -727,14 +735,21 @@ replica:
727735
## Configure Pods Security Context
728736
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
729737
## @param replica.podSecurityContext.enabled Enabled Redis&reg; replicas pods' Security Context
738+
## @param replica.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
739+
## @param replica.podSecurityContext.sysctls Set kernel settings using the sysctl interface
740+
## @param replica.podSecurityContext.supplementalGroups Set filesystem extra groups
730741
## @param replica.podSecurityContext.fsGroup Set Redis&reg; replicas pod's Security Context fsGroup
731742
##
732743
podSecurityContext:
733744
enabled: true
745+
fsGroupChangePolicy: Always
746+
sysctls: []
747+
supplementalGroups: []
734748
fsGroup: 1001
735749
## Configure Container Security Context
736750
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
737751
## @param replica.containerSecurityContext.enabled Enabled Redis&reg; replicas containers' Security Context
752+
## @param replica.containerSecurityContext.seLinuxOptions Set SELinux options in container
738753
## @param replica.containerSecurityContext.runAsUser Set Redis&reg; replicas containers' Security Context runAsUser
739754
## @param replica.containerSecurityContext.runAsGroup Set Redis&reg; replicas containers' Security Context runAsGroup
740755
## @param replica.containerSecurityContext.runAsNonRoot Set Redis&reg; replicas containers' Security Context runAsNonRoot
@@ -744,6 +759,7 @@ replica:
744759
##
745760
containerSecurityContext:
746761
enabled: true
762+
seLinuxOptions: {}
747763
runAsUser: 1001
748764
runAsGroup: 0
749765
runAsNonRoot: true
@@ -1275,6 +1291,7 @@ sentinel:
12751291
## Configure Container Security Context
12761292
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
12771293
## @param sentinel.containerSecurityContext.enabled Enabled Redis&reg; Sentinel containers' Security Context
1294+
## @param sentinel.containerSecurityContext.seLinuxOptions Set SELinux options in container
12781295
## @param sentinel.containerSecurityContext.runAsUser Set Redis&reg; Sentinel containers' Security Context runAsUser
12791296
## @param sentinel.containerSecurityContext.runAsGroup Set Redis&reg; Sentinel containers' Security Context runAsGroup
12801297
## @param sentinel.containerSecurityContext.runAsNonRoot Set Redis&reg; Sentinel containers' Security Context runAsNonRoot
@@ -1284,6 +1301,7 @@ sentinel:
12841301
##
12851302
containerSecurityContext:
12861303
enabled: true
1304+
seLinuxOptions: {}
12871305
runAsUser: 1001
12881306
runAsGroup: 0
12891307
runAsNonRoot: true
@@ -1641,6 +1659,7 @@ metrics:
16411659
## Configure Container Security Context
16421660
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
16431661
## @param metrics.containerSecurityContext.enabled Enabled Redis&reg; exporter containers' Security Context
1662+
## @param metrics.containerSecurityContext.seLinuxOptions Set SELinux options in container
16441663
## @param metrics.containerSecurityContext.runAsUser Set Redis&reg; exporter containers' Security Context runAsUser
16451664
## @param metrics.containerSecurityContext.runAsGroup Set Redis&reg; exporter containers' Security Context runAsGroup
16461665
## @param metrics.containerSecurityContext.runAsNonRoot Set Redis&reg; exporter containers' Security Context runAsNonRoot
@@ -1650,6 +1669,7 @@ metrics:
16501669
##
16511670
containerSecurityContext:
16521671
enabled: true
1672+
seLinuxOptions: {}
16531673
runAsUser: 1001
16541674
runAsGroup: 0
16551675
runAsNonRoot: true
@@ -1891,12 +1911,14 @@ volumePermissions:
18911911
requests: {}
18921912
## Init container Container Security Context
18931913
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
1914+
## @param volumePermissions.containerSecurityContext.seLinuxOptions Set SELinux options in container
18941915
## @param volumePermissions.containerSecurityContext.runAsUser Set init container's Security Context runAsUser
18951916
## NOTE: when runAsUser is set to special value "auto", init container will try to chown the
18961917
## data folder to auto-determined user&group, using commands: `id -u`:`id -G | cut -d" " -f2`
18971918
## "auto" is especially useful for OpenShift which has scc with dynamic user ids (and 0 is not allowed)
18981919
##
18991920
containerSecurityContext:
1921+
seLinuxOptions: {}
19001922
runAsUser: 0
19011923

19021924
## init-sysctl container parameters
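Review bot: the existing NOTE block about `runAsUser: "auto"` on OpenShift is the natural place for a matching caveat on `seLinuxOptions`: on OpenShift the restricted SCC assigns the SELinux MCS level itself, so an explicit `seLinuxOptions.level` that does not match the level pre-allocated to the namespace is rejected at admission; `{}` is the right default and should only be overridden under a custom SCC. Also, because this init container runs as root (`runAsUser: 0`) purely to `chown` the volume, the comment could point users to the `fsGroup`/`fsGroupChangePolicy` settings added for the workload pods in this same change, which on volume drivers that honour `fsGroup` make a root init container unnecessary.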
