
[bitnami/mediawiki] feat!: 🔒 💥 Improve security defaults #24771

Merged: 8 commits merged into main from feature/mediawiki-security-major on Apr 3, 2024

Conversation

@javsalgar (Contributor) commented Apr 1, 2024

BREAKING CHANGE

Signed-off-by: Javier Salmeron Garcia jsalmeron@vmware.com

Description of the change

This major bump changes the following security defaults:

  • runAsGroup is changed from 0 to 1001
  • readOnlyRootFilesystem is set to true
  • resourcesPreset is changed from none to the minimum size working in our test suites (NOTE: resourcesPreset is not meant for production usage, but resources adapted to your use case).
  • global.compatibility.openshift.adaptSecurityContext is changed from disabled to auto.
  • The networkPolicy section has been normalized amongst all Bitnami charts. Compared to the previous approach, the values section has been simplified (check the Parameters section) and it is now set to enabled=true by default. Egress traffic is allowed by default and ingress traffic is allowed from all pods but only to the ports set in containerPorts and extraContainerPorts.
  • Bump MariaDB to version 11.3

Benefits

  • Better compliance with NSA and MITRE security checklists
  • Improved compatibility with OpenShift

Possible drawbacks

This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones.

Applicable issues

Additional information

Checklist

  • Chart version bumped in Chart.yaml according to semver. This is not necessary when the changes only affect README.md files.
  • Variables are documented in the values.yaml and added to the README.md using readme-generator-for-helm
  • Title of the pull request follows this pattern [bitnami/<name_of_the_chart>] Descriptive title
  • All commits signed off and in agreement with the Developer Certificate of Origin (DCO)

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
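A practitioner upgrading across this major bump will want to confirm that the rendered manifests actually carry the new defaults before rolling them out. The following audit is an added example written for this page, not code from the bitnami/charts repository. It checks what `helm template` renders for the points listed above: a non-zero `runAsGroup`, `readOnlyRootFilesystem: true`, resources set, and a NetworkPolicy that allows egress and restricts ingress to the declared container ports. The two Deployments and the NetworkPolicy are constructed stand-ins (port numbers, labels and resource figures are assumptions, not chart output), and pairing a Deployment with a NetworkPolicy by name is likewise an assumption about how the chart names its resources.

```python
"""Audit rendered manifests for the security defaults described in this PR.

Added example, not part of bitnami/charts. Manifests below are constructed
stand-ins for `helm template` output; in practice feed it the parsed output
of `helm template ... | yq -o json` or `kubectl get ... -o json`.
"""
from typing import Any, Dict, List, Optional, Set

Manifest = Dict[str, Any]

# Constructed: the pre-PR defaults (runAsGroup 0, writable root filesystem,
# no resources, and no NetworkPolicy rendered at all).
LEGACY_DEPLOYMENT: Manifest = {
    "kind": "Deployment", "metadata": {"name": "mediawiki"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsUser": 1001, "runAsGroup": 0},
        "containers": [{
            "name": "mediawiki",
            "ports": [{"name": "http", "containerPort": 8080},
                      {"name": "https", "containerPort": 8443}],
            "securityContext": {"runAsNonRoot": True},
            "resources": {},
        }],
    }}},
}

# Constructed: the same workload with the new defaults applied.
HARDENED_DEPLOYMENT: Manifest = {
    "kind": "Deployment", "metadata": {"name": "mediawiki"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsUser": 1001, "runAsGroup": 1001, "fsGroup": 1001},
        "containers": [{
            "name": "mediawiki",
            "ports": [{"name": "http", "containerPort": 8080},
                      {"name": "https", "containerPort": 8443}],
            "securityContext": {"runAsNonRoot": True, "readOnlyRootFilesystem": True,
                                "allowPrivilegeEscalation": False},
            "resources": {"requests": {"cpu": "500m", "memory": "512Mi"},
                          "limits": {"cpu": "750m", "memory": "768Mi"}},
        }],
    }}},
}

# Constructed: NetworkPolicy in the normalized shape described in the PR:
# all egress allowed, ingress from any peer but only to the container ports.
HARDENED_NETPOL: Manifest = {
    "kind": "NetworkPolicy", "metadata": {"name": "mediawiki"},
    "spec": {
        "podSelector": {"matchLabels": {"app.kubernetes.io/name": "mediawiki"}},
        "policyTypes": ["Ingress", "Egress"],
        "egress": [{}],
        "ingress": [{"ports": [{"port": 8080}, {"port": 8443}]}],
    },
}


def container_ports(dep: Manifest) -> Set[int]:
    """Every containerPort declared on the pod template."""
    pod = dep["spec"]["template"]["spec"]
    return {p["containerPort"] for c in pod.get("containers", []) for p in c.get("ports", [])}


def audit_deployment(dep: Manifest) -> List[str]:
    """Check the pod- and container-level settings this PR changes."""
    name, pod = dep["metadata"]["name"], dep["spec"]["template"]["spec"]
    findings: List[str] = []
    gid = pod.get("securityContext", {}).get("runAsGroup")
    if not gid:  # absent or 0: the process keeps GID 0
        findings.append(f"{name}: pod runAsGroup is {gid!r}, expected a non-zero GID")
    for c in pod.get("containers", []):
        if c.get("securityContext", {}).get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}/{c['name']}: readOnlyRootFilesystem is not true")
        res = c.get("resources", {})
        if not res.get("requests") or not res.get("limits"):
            findings.append(f"{name}/{c['name']}: resources requests/limits not set")
    return findings


def audit_network_policy(np: Optional[Manifest], allowed: Set[int], name: str) -> List[str]:
    """Ingress may come from any peer but must be limited to the container ports."""
    if np is None:
        return [f"{name}: no NetworkPolicy rendered, ingress is unrestricted"]
    findings: List[str] = []
    if "Ingress" not in np["spec"].get("policyTypes", []):
        findings.append(f"{name}: NetworkPolicy does not govern Ingress")
    for rule in np["spec"].get("ingress", []):
        if not rule.get("ports"):  # a rule without ports opens every port
            findings.append(f"{name}: ingress rule without a port restriction")
            continue
        for p in rule["ports"]:
            if p.get("port") not in allowed:
                findings.append(f"{name}: ingress opens {p.get('port')}, not a containerPort")
    return findings


def audit(manifests: List[Manifest]) -> List[str]:
    """Pair each Deployment with the NetworkPolicy of the same name (assumed naming)."""
    netpols = {m["metadata"]["name"]: m for m in manifests if m["kind"] == "NetworkPolicy"}
    findings: List[str] = []
    for dep in (m for m in manifests if m["kind"] == "Deployment"):
        name = dep["metadata"]["name"]
        findings += audit_deployment(dep)
        findings += audit_network_policy(netpols.get(name), container_ports(dep), name)
    return findings


if __name__ == "__main__":
    for label, bundle in (("legacy", [LEGACY_DEPLOYMENT]),
                          ("hardened", [HARDENED_DEPLOYMENT, HARDENED_NETPOL])):
        print(label, "->", audit(bundle) or "no findings")
```

Running it reports four findings for the legacy shape (GID 0, writable root filesystem, no resources, no NetworkPolicy) and none for the hardened one. An ingress rule with no `ports` entry is flagged deliberately: in a NetworkPolicy such a rule admits every port, which is exactly what the normalized section avoids by deriving the port list from `containerPorts` and `extraContainerPorts`.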
@bitnami-bot bitnami-bot added the verify Execute verification workflow for these changes label Apr 1, 2024
@github-actions github-actions bot requested a review from dgomezleon April 1, 2024 15:46
bitnami-bot and others added 2 commits April 1, 2024 15:46
Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>
Signed-off-by: David Gomez <dgomezleon@vmware.com>
dgomezleon previously approved these changes Apr 3, 2024

@dgomezleon (Member) left a comment:

LGTM

Signed-off-by: David Gomez <dgomezleon@vmware.com>
dgomezleon
dgomezleon previously approved these changes Apr 3, 2024
Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>
Signed-off-by: David Gomez <dgomezleon@vmware.com>
@dgomezleon dgomezleon force-pushed the feature/mediawiki-security-major branch from 00ecbc6 to 87684e4 Compare April 3, 2024 09:44
dgomezleon
dgomezleon previously approved these changes Apr 3, 2024
@dgomezleon dgomezleon enabled auto-merge (squash) April 3, 2024 09:52
@dgomezleon dgomezleon disabled auto-merge April 3, 2024 09:54
Signed-off-by: David Gomez <dgomezleon@vmware.com>
Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
@dgomezleon dgomezleon merged commit 6195496 into main Apr 3, 2024
10 checks passed
@dgomezleon dgomezleon deleted the feature/mediawiki-security-major branch April 3, 2024 10:54
@github-actions github-actions bot added the solved label Apr 3, 2024
djjudas21 pushed a commit to djjudas21/bitnami-charts that referenced this pull request Apr 17, 2024
* [bitnami/mediawiki] feat!: 🔒 💥 Improve security defaults

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* Update README.md with readme-generator-for-helm

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

* [bitnami/mediawiki] Update MariaDB to branch 11.3

Signed-off-by: David Gomez <dgomezleon@vmware.com>

* Update README.md with readme-generator-for-helm

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

* [bitnami/mediawiki] Update deps

Signed-off-by: David Gomez <dgomezleon@vmware.com>

* [bitnami/mediawiki] Fix typo

Signed-off-by: David Gomez <dgomezleon@vmware.com>

* fix: 🐛 Use .containerPort in networkPolicy

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

---------

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>
Signed-off-by: David Gomez <dgomezleon@vmware.com>
Co-authored-by: Bitnami Containers <bitnami-bot@vmware.com>
Co-authored-by: David Gomez <dgomezleon@vmware.com>
Signed-off-by: Jonathan Gazeley <me@jonathangazeley.com>