From 0fe196fe21ed00b5ce8f942b177c1d26b9ef1836 Mon Sep 17 00:00:00 2001
From: Christian Knell
Date: Mon, 18 Nov 2024 16:10:11 +0100
Subject: [PATCH] changed default value for securityContext

---
 charts/kubevirt-manager/Chart.yaml         |  6 +-
 charts/kubevirt-manager/README.md          | 92 +++++++++++-----------
 charts/kubevirt-manager/values.schema.json | 22 ++++++
 charts/kubevirt-manager/values.yaml        |  6 ++
 4 files changed, 77 insertions(+), 49 deletions(-)

diff --git a/charts/kubevirt-manager/Chart.yaml b/charts/kubevirt-manager/Chart.yaml
index 04f5f77d..43b10ee4 100644
--- a/charts/kubevirt-manager/Chart.yaml
+++ b/charts/kubevirt-manager/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubevirt-manager
 description: KubeVirt Web UI to manage the lifecycle of Virtual Machines and more
 type: application
-version: 0.0.1
+version: 0.0.2
 appVersion: "1.4.2"
 home: https://github.com/christianhuth/helm-charts
 icon: https://yt3.googleusercontent.com/oTCjudmpLXspEh3g5VraUfZ_1_PZxXXI6kgorNCI9kEqnDICrWEkNUmVGkEtA6WfRbT0GCzjeA=s160-c-k-c0x00ffffff-no-rj
@@ -13,8 +13,8 @@ sources:
   - https://github.com/kubevirt-manager/kubevirt-manager
 annotations:
   artifacthub.io/changes: |
-    - kind: added
-      description: initial commit
+    - kind: changed
+      description: default security context to satisfy pod security standard
   artifacthub.io/screenshots: |
     - title: Manage Virtual Machines lifecycle. Support for operations like start/stop/reboot, as well as pause/resume and scaling, directly from the Web Interface.
       url: https://raw.githubusercontent.com/kubevirt-manager/kubevirt-manager/refs/heads/main/images/screenshot_01.png
diff --git a/charts/kubevirt-manager/README.md b/charts/kubevirt-manager/README.md
index 30041dc9..e7c6dce9 100644
--- a/charts/kubevirt-manager/README.md
+++ b/charts/kubevirt-manager/README.md
@@ -44,52 +44,52 @@ The command removes all the Kubernetes components associated with the chart and ## Values -| Key | Type | Default | Description | -| ------------------------------------------ | ------ | ------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| affinity | object | `{}` | Affinity settings for pod assignment | -| autoscaling.enabled | bool | `false` | Enable Horizontal POD autoscaling | -| autoscaling.maxReplicas | int | `100` | Maximum number of replicas | -| autoscaling.minReplicas | int | `1` | Minimum number of replicas | -| autoscaling.targetCPUUtilizationPercentage | int | `80` | Target CPU utilization percentage | -| extraEnv | list | `[]` | additional environment variables to be added to the pods | -| fullnameOverride | string | `""` | String to fully override `"kubevirt-manager.fullname"` | -| image.pullPolicy | string | `"Always"` | image pull policy | -| image.repository | string | `"kubevirtmanager/kubevirt-manager"` | image repository | -| image.tag | string | `"1.4.2"` | Overrides the image tag | -| imagePullSecrets | list | `[]` | If defined, uses a Secret to pull an image from a private Docker registry or repository. | -| ingress.annotations | object | `{}` | Additional annotations for the Ingress resource | -| ingress.basicAuth.enabled | bool | `false` | enable the configuration of basic authentication with nginx | -| ingress.basicAuth.existingSecret | string | `""` | An existing Secret containing the username and password for basic authentication. Username and password have to be base64 encoded in the form username:password. 
The Secret needs to contain a key `.htpasswd` with the base64 encoded authentication information. If set `ingress.basicAuth.username` and `ingress.basicAuth.password` will be ignored. | -| ingress.basicAuth.password | string | `"password"` | Password for authentication | -| ingress.basicAuth.username | string | `"admin"` | Username for authentication | -| ingress.className | string | `""` | IngressClass that will be be used to implement the Ingress | -| ingress.enabled | bool | `false` | Enable ingress record generation | -| ingress.hosts | list | see [values.yaml](./values.yaml) | An array with the hosts configuration | -| ingress.tls | list | `[]` | An array with the tls configuration | -| nameOverride | string | `""` | Provide a name in place of `kubevirt-manager` | -| nodeSelector | object | `{}` | Node labels for pod assignment | -| podAnnotations | object | `{}` | Annotations to be added to exporter pods | -| podSecurityContext | object | `{}` | pod-level security context | -| prometheus.additionalLabels | object | `{}` | Prometheus ServiceMonitor labels | -| prometheus.enabled | bool | `false` | Enable a Prometheus ServiceMonitor | -| prometheus.interval | string | `"30s"` | Prometheus ServiceMonitor interval | -| prometheus.metricRelabelings | list | `[]` | Prometheus [MetricRelabelConfigs] to apply to samples before ingestion | -| prometheus.namespace | string | `""` | Prometheus ServiceMonitor namespace | -| prometheus.relabelings | list | `[]` | Prometheus [RelabelConfigs] to apply to samples before scraping | -| prometheus.selector | object | `{}` | Prometheus ServiceMonitor selector | -| prometheus.service.name | string | `""` | Name of the Prometheus Service | -| prometheus.service.namespace | string | `""` | Namespace of the Prometheus Service | -| prometheus.service.port | string | `""` | Port of the Prometheus Service | -| replicaCount | int | `1` | Number of replicas | -| resources | object | `{}` | Resource limits and requests for the pods. 
| -| revisionHistoryLimit | int | `0` | The number of old ReplicaSets to retain | -| securityContext | object | `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":30000,"runAsUser":10000}` | container-level security context | -| service.port | int | `8080` | Kubernetes port where service is exposed | -| service.type | string | `"ClusterIP"` | Kubernetes service type | -| serviceAccount.annotations | object | `{}` | Annotations to add to the service account | -| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | -| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | -| tolerations | list | `[]` | Toleration labels for pod assignment | +| Key | Type | Default | Description | +| ------------------------------------------ | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| affinity | object | `{}` | Affinity settings for pod assignment | +| autoscaling.enabled | bool | `false` | Enable Horizontal POD autoscaling | +| autoscaling.maxReplicas | int | `100` | Maximum number of replicas | +| autoscaling.minReplicas | int | `1` | Minimum number of replicas | +| autoscaling.targetCPUUtilizationPercentage | int | `80` | Target CPU utilization percentage | +| extraEnv | list | `[]` | additional environment variables to be added to the pods | +| fullnameOverride | string | `""` | String to fully 
override `"kubevirt-manager.fullname"` | +| image.pullPolicy | string | `"Always"` | image pull policy | +| image.repository | string | `"kubevirtmanager/kubevirt-manager"` | image repository | +| image.tag | string | `"1.4.2"` | Overrides the image tag | +| imagePullSecrets | list | `[]` | If defined, uses a Secret to pull an image from a private Docker registry or repository. | +| ingress.annotations | object | `{}` | Additional annotations for the Ingress resource | +| ingress.basicAuth.enabled | bool | `false` | enable the configuration of basic authentication with nginx | +| ingress.basicAuth.existingSecret | string | `""` | An existing Secret containing the username and password for basic authentication. Username and password have to be base64 encoded in the form username:password. The Secret needs to contain a key `.htpasswd` with the base64 encoded authentication information. If set `ingress.basicAuth.username` and `ingress.basicAuth.password` will be ignored. | +| ingress.basicAuth.password | string | `"password"` | Password for authentication | +| ingress.basicAuth.username | string | `"admin"` | Username for authentication | +| ingress.className | string | `""` | IngressClass that will be be used to implement the Ingress | +| ingress.enabled | bool | `false` | Enable ingress record generation | +| ingress.hosts | list | see [values.yaml](./values.yaml) | An array with the hosts configuration | +| ingress.tls | list | `[]` | An array with the tls configuration | +| nameOverride | string | `""` | Provide a name in place of `kubevirt-manager` | +| nodeSelector | object | `{}` | Node labels for pod assignment | +| podAnnotations | object | `{}` | Annotations to be added to exporter pods | +| podSecurityContext | object | `{}` | pod-level security context | +| prometheus.additionalLabels | object | `{}` | Prometheus ServiceMonitor labels | +| prometheus.enabled | bool | `false` | Enable a Prometheus ServiceMonitor | +| prometheus.interval | string | `"30s"` | 
Prometheus ServiceMonitor interval | +| prometheus.metricRelabelings | list | `[]` | Prometheus [MetricRelabelConfigs] to apply to samples before ingestion | +| prometheus.namespace | string | `""` | Prometheus ServiceMonitor namespace | +| prometheus.relabelings | list | `[]` | Prometheus [RelabelConfigs] to apply to samples before scraping | +| prometheus.selector | object | `{}` | Prometheus ServiceMonitor selector | +| prometheus.service.name | string | `""` | Name of the Prometheus Service | +| prometheus.service.namespace | string | `""` | Namespace of the Prometheus Service | +| prometheus.service.port | string | `""` | Port of the Prometheus Service | +| replicaCount | int | `1` | Number of replicas | +| resources | object | `{}` | Resource limits and requests for the pods. | +| revisionHistoryLimit | int | `0` | The number of old ReplicaSets to retain | +| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":30000,"runAsNonRoot":true,"runAsUser":10000,"seccompProfile":{"type":"RuntimeDefault"}}` | container-level security context | +| service.port | int | `8080` | Kubernetes port where service is exposed | +| service.type | string | `"ClusterIP"` | Kubernetes service type | +| serviceAccount.annotations | object | `{}` | Annotations to add to the service account | +| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | +| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | +| tolerations | list | `[]` | Toleration labels for pod assignment | Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. diff --git a/charts/kubevirt-manager/values.schema.json b/charts/kubevirt-manager/values.schema.json index 71d5a461..44368e96 100644 --- a/charts/kubevirt-manager/values.schema.json 
+++ b/charts/kubevirt-manager/values.schema.json
@@ -171,14 +171,36 @@
         "allowPrivilegeEscalation": {
           "type": "boolean"
         },
+        "capabilities": {
+          "type": "object",
+          "properties": {
+            "drop": {
+              "type": "array",
+              "items": {
+                "type": "string"
+              }
+            }
+          }
+        },
         "readOnlyRootFilesystem": {
           "type": "boolean"
         },
         "runAsGroup": {
           "type": "integer"
         },
+        "runAsNonRoot": {
+          "type": "boolean"
+        },
         "runAsUser": {
           "type": "integer"
+        },
+        "seccompProfile": {
+          "type": "object",
+          "properties": {
+            "type": {
+              "type": "string"
+            }
+          }
         }
       }
     },
diff --git a/charts/kubevirt-manager/values.yaml b/charts/kubevirt-manager/values.yaml
index 880c21fa..a7286914 100644
--- a/charts/kubevirt-manager/values.yaml
+++ b/charts/kubevirt-manager/values.yaml
@@ -40,9 +40,15 @@ podSecurityContext: {}
 # -- container-level security context
 securityContext:
   allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - ALL
   readOnlyRootFilesystem: true
+  runAsNonRoot: true
   runAsUser: 10000
   runAsGroup: 30000
+  seccompProfile:
+    type: RuntimeDefault
 
 service:
   # -- Kubernetes service type
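Review bot: The new `seccompProfile.type` property is declared as a free-form string, so a misspelt profile name in a user's values passes schema validation and is only rejected when the rendered Deployment is applied to the cluster; constraining it to the values the Pod API accepts, `"type": { "type": "string", "enum": ["RuntimeDefault", "Localhost", "Unconfined"] }`, fails fast at install time. The `seccompProfile` object also omits `localhostProfile`, which is needed when `type` is `Localhost`, and `capabilities` lists only `drop` without `add`; whether users can still set those depends on whether the enclosing `securityContext` schema uses `additionalProperties: false`, which lies outside this hunk. Either add the missing properties or confirm the schema is intentionally open for them.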
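Review bot: The hardened defaults are set only at container level while `podSecurityContext` stays `{}`, which meets the restricted Pod Security Standard only if every container in the pod template, including any init or sidecar containers, receives this block; the Deployment template is not part of this patch, so that should be confirmed. Setting `runAsNonRoot`, `runAsUser`, `runAsGroup` and `seccompProfile` in `podSecurityContext` as well would make the guarantee pod-wide regardless of how the template evolves, with the container-level values kept as they are. The helm-docs comment could also record the intent so later edits do not weaken it unknowingly: `# -- container-level security context; the defaults satisfy the restricted Pod Security Standard`.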