Commit
[bitnami/grafana-operator] feat!: 🔒 💥 Improve security defaults (#24647)
Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
javsalgar committed Apr 1, 2024
1 parent 007113d commit 2e4b5de
Showing 3 changed files with 22 additions and 11 deletions.
2 changes: 1 addition & 1 deletion bitnami/grafana-operator/Chart.yaml
Expand Up @@ -30,4 +30,4 @@ maintainers:
name: grafana-operator
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/grafana-operator
version: 3.12.3
version: 4.0.0
21 changes: 16 additions & 5 deletions bitnami/grafana-operator/README.md
Expand Up @@ -261,16 +261,16 @@ extraDeploy:
| `operator.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `operator.podSecurityContext.fsGroup` | Group ID for the pods | `1001` |
| `operator.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `operator.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `operator.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `operator.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `operator.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
| `operator.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
| `operator.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `operator.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
| `operator.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
| `operator.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
| `operator.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
| `operator.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
| `operator.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `operator.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if operator.resources is set (operator.resources is recommended for production). | `none` |
| `operator.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if operator.resources is set (operator.resources is recommended for production). | `nano` |
| `operator.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `operator.containerPorts.metrics` | Grafana Operator container port (used for metrics) | `8080` |
| `operator.automountServiceAccountToken` | Mount Service Account token in pod | `true` |
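Review bot: the rows in this hunk match the values.yaml hunk for `operator.containerSecurityContext` (`seLinuxOptions` `{}`, `runAsGroup` `1001`, `readOnlyRootFilesystem` `true`, `resourcesPreset` `nano`), so the only point is procedural: this table is generated from the `## @param` comments in values.yaml (the `resourcesPreset` description is identical to that comment), so confirm the rows were regenerated with the README generator rather than edited by hand, otherwise the next generator run will silently reintroduce whichever side is stale.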
Expand Down Expand Up @@ -341,7 +341,7 @@ extraDeploy:
| `grafana.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `grafana.podSecurityContext.fsGroup` | Group ID for the pods | `1001` |
| `grafana.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `grafana.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `grafana.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `grafana.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `grafana.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
| `grafana.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
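Review bot: the `grafana.containerSecurityContext.runAsGroup` row shows `0` on both sides of this hunk, so it is an unchanged (or whitespace-only) line, and `readOnlyRootFilesystem` is not touched for the grafana container at all; the "To 4.0.0" note added further down in this file states that `runAsGroup` is changed from `0` to `1001` and `readOnlyRootFilesystem` is set to `true` without qualification. Either harden the `grafana` section the same way as `operator`, or scope the upgrade note to the operator container so readers do not expect a change that this table does not document.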
Expand Down Expand Up @@ -435,6 +435,17 @@ helm upgrade my-release oci://REGISTRY_NAME/REPOSITORY_NAME/grafana-operator

> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
### To 4.0.0

This major bump changes the following security defaults:

- `runAsGroup` is changed from `0` to `1001`
- `readOnlyRootFilesystem` is set to `true`
- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case).
- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`.

This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones.

### To 3.0.0

In this version use different apiVersion in CRDs `integreatly.org/v1alpha1` -> `grafana.integreatly.org/v1beta1`
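Review bot: the last bullet says `global.compatibility.openshift.adaptSecurityContext` changes from `disabled` to `auto`, but none of the three files in this commit touches that key (the values.yaml hunks change only `containerSecurityContext` and `resourcesPreset`), so either that default lives in the shared `bitnami/common` dependency and the bullet should say so, or it was copied from another chart's upgrade notes and should be dropped. The first two bullets should also name the container they apply to: in this commit `runAsGroup` and `readOnlyRootFilesystem` change only under `operator`, while `grafana.containerSecurityContext.runAsGroup` stays `0`. Minor wording: the `resourcesPreset` bullet reads better as "(NOTE: `resourcesPreset` is not meant for production usage; set `resources` adapted to your use case instead)".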
10 changes: 5 additions & 5 deletions bitnami/grafana-operator/values.yaml
Expand Up @@ -242,12 +242,12 @@ operator:
##
containerSecurityContext:
enabled: true
seLinuxOptions: null
seLinuxOptions: {}
runAsUser: 1001
runAsGroup: 0
runAsGroup: 1001
runAsNonRoot: true
privileged: false
readOnlyRootFilesystem: false
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
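Review bot: `readOnlyRootFilesystem: true` is switched on for the operator with no template change in this commit (only Chart.yaml, README.md and values.yaml are touched), so if the operator process writes anywhere on its root filesystem (a temp directory, a cache, a webhook certificate directory) the pod fails at runtime rather than at `helm upgrade`; verify the new default in the test suite and, if a writable path is needed, mount an `emptyDir` there in the deployment template as part of the same change. The `seLinuxOptions: null` to `{}` change is fine provided the template guards the field with an `if` (an empty map is falsy in Go templates), so that a literal `seLinuxOptions: {}` is not rendered into the container spec.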
Expand All @@ -256,7 +256,7 @@ operator:
## @param operator.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if operator.resources is set (operator.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "none"
resourcesPreset: "nano"
## @param operator.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
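Review bot: moving `resourcesPreset` from `"none"` to `"nano"` means every existing release that left `operator.resources` empty gains CPU and memory limits on upgrade where it previously had none; the `## @param` comment already steers production users to `operator.resources`, but this is the case the "To 4.0.0" note should call out explicitly, because throttling or OOMKills in clusters with many Grafana CRs will look like an operator regression rather than a changed default.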
Expand Down Expand Up @@ -559,7 +559,7 @@ grafana:
##
containerSecurityContext:
enabled: true
seLinuxOptions: null
seLinuxOptions: {}
runAsUser: 1001
runAsGroup: 0
runAsNonRoot: true
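Review bot: this hunk changes only `seLinuxOptions` for the grafana container; `runAsGroup: 0` is kept and `readOnlyRootFilesystem` is not changed, unlike the `operator` block earlier in this file. If that is deliberate (the Grafana image needs group 0 or a writable root filesystem), record it in the upgrade notes so the asymmetry is not mistaken for an oversight; if not, apply the same two changes here so both containers ship with the same hardened defaults.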