fix: make sure podSecurityContext is included in both SCALE and Helm installs (#956)

* remove strategy

* move runAsNonRoot to securityContext

* Add podSecurityContext and securityContext to values pt1

* Add podSecurityContext and securityContext to values pt2

* Add podSecurityContext and securityContext to values pt3

* Add podSecurityContext and securityContext to values pt4

* Add podSecurityContext and securityContext to values pt5

* fix empty lines

* Remove secCont from NC - values

* fixPermissions for some apps

* on apps with perm prob, set fsGroup to 0 also
This commit is contained in:
Stavros Kois
2021-09-10 21:10:04 +03:00
committed by GitHub
parent 20bacc444e
commit a7b3ce0e23
88 changed files with 685 additions and 230 deletions
+11 -2
View File
@@ -5,9 +5,18 @@ image:
pullPolicy: IfNotPresent
tag: v0.18.686
strategy:
type: Recreate
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: true
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
service:
main:
+8 -5
View File
@@ -3,15 +3,18 @@ image:
pullPolicy: IfNotPresent
tag: "v4.0.8"
strategy:
type: Recreate
# Configure the Security Context for the Pod
podSecurityContext:
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: true
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
env:
TZ: "America/Chicago"
+12 -15
View File
@@ -5,6 +5,18 @@ image:
pullPolicy: IfNotPresent
tag: "4.30.4"
securityContext:
privileged: false
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
runAsNonRoot: true
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
postgresqlImage:
repository: postgres
@@ -14,9 +26,6 @@ postgresqlImage:
command: ["authelia"]
args: ["--config=/configuration.yaml"]
strategy:
type: Recreate
enableServiceLinks: false
service:
@@ -81,18 +90,6 @@ redis:
persistence:
enabled: false
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
privileged: false
resources:
limits: {}
# limits:
+12 -2
View File
@@ -5,8 +5,18 @@ image:
pullPolicy: IfNotPresent
tag: v0.9.8
strategy:
type: Recreate
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: true
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
service:
main:
-3
View File
@@ -5,9 +5,6 @@ image:
pullPolicy: IfNotPresent
tag: version-0.6.12
strategy:
type: Recreate
service:
main:
ports:
@@ -3,9 +3,6 @@ image:
tag: 6.4.10.10
pullPolicy: IfNotPresent
strategy:
type: Recreate
service:
main:
type: NodePort
-3
View File
@@ -5,9 +5,6 @@ image:
pullPolicy: IfNotPresent
tag: cpu-2021.02.1
strategy:
type: Recreate
service:
main:
enabled: true
-3
View File
@@ -5,9 +5,6 @@ image:
pullPolicy: IfNotPresent
tag: version-2.0.3-2201906121747ubuntu18.04.1
strategy:
type: Recreate
service:
main:
ports:
+6 -3
View File
@@ -5,16 +5,19 @@ image:
pullPolicy: IfNotPresent
tag: v4.6.4.0
strategy:
type: Recreate
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: true
# 44=video 107=render
podSecurityContext:
runAsNonRoot: true
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: [44, 107]
fsGroupChangePolicy: "OnRootMismatch"
service:
main:
+12 -2
View File
@@ -5,8 +5,18 @@ image:
pullPolicy: IfNotPresent
tag: 2021.8.2
strategy:
type: Recreate
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: true
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
service:
main:
+7 -3
View File
@@ -11,14 +11,18 @@ postgresqlImage:
pullPolicy: IfNotPresent
tag: 13.4-alpine
strategy:
type: Recreate
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: false
podSecurityContext:
runAsNonRoot: false
runAsUser: 0
runAsGroup: 0
fsGroup: 0
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
service:
main:
+13
View File
@@ -13,6 +13,19 @@ image:
# -- image tag
tag: v1.2.9
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: true
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
# -- environment variables. See more environment variables in the [flaresolverr documentation](https://github.com/FlareSolverr/FlareSolverr#environment-variables).
# @default -- See below
env:
+13
View File
@@ -13,6 +13,19 @@ image:
# -- image tag
tag: 4.6.1
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: true
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
# -- environment variables. See more environment variables in the [flood documentation] (https://github.com/jesec/flood/blob/v4.6.0/config.ts)
# Note: The environmental variables are not case sensitive (e.g. FLOOD_OPTION_port=FLOOD_OPTION_PORT).
# @default -- See below
+13
View File
@@ -13,6 +13,19 @@ image:
# -- image tag
tag: 0.8.0
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: true
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
# -- environment variables. See more environment variables in the [image entrypoint script](https://github.com/FlipEnergy/container-images/blob/main/focalboard/entrypoint.sh)
# @default -- See below
env: {}
-3
View File
@@ -5,9 +5,6 @@ image:
pullPolicy: IfNotPresent
tag: version-1.18.1
strategy:
type: Recreate
service:
main:
ports:
+12 -2
View File
@@ -5,8 +5,18 @@ image:
pullPolicy: IfNotPresent
tag: v0.8.8
strategy:
type: Recreate
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: true
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
service:
main:
+4 -4
View File
@@ -979,7 +979,7 @@ questions:
label: "runAsNonRoot"
schema:
type: boolean
default: true
default: false
- variable: podSecurityContext
group: "Security and Permissions"
@@ -992,19 +992,19 @@ questions:
description: "The UserID of the user running the application"
schema:
type: int
default: 568
default: 0
- variable: runAsGroup
label: "runAsGroup"
description: The groupID this App of the user running the application"
schema:
type: int
default: 568
default: 0
- variable: fsGroup
label: "fsGroup"
description: "The group that should own ALL storage."
schema:
type: int
default: 568
default: 0
- variable: supplementalGroups
label: "supplemental Groups"
schema:
+13
View File
@@ -13,6 +13,19 @@ image:
# -- image tag
tag: v0.13.1
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: false
podSecurityContext:
runAsUser: 0
runAsGroup: 0
fsGroup: 0
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
# -- environment variables. See more environment variables in the [gonic documentation](https://github.com/sentriz/gonic#configuration-options)
# @default -- See below
env:
-3
View File
@@ -5,9 +5,6 @@ image:
tag: version-v3.1.1
pullPolicy: IfNotPresent
strategy:
type: Recreate
service:
main:
ports:
-3
View File
@@ -3,9 +3,6 @@ image:
tag: v1.24.1
pullPolicy: IfNotPresent
strategy:
type: Recreate
service:
main:
ports:
+8 -3
View File
@@ -13,13 +13,18 @@ image:
# -- image tag
tag: latest
strategy:
type: Recreate
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: true
podSecurityContext:
runAsNonRoot: true
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
# -- environment variables. See [image docs](https://github.com/seejohnrun/haste-server) for more details.
# @default -- See below
-3
View File
@@ -5,9 +5,6 @@ image:
tag: version-2.2.2
pullPolicy: IfNotPresent
strategy:
type: Recreate
service:
main:
ports:
-3
View File
@@ -5,9 +5,6 @@ image:
pullPolicy: IfNotPresent
tag: 2021.9.4
strategy:
type: Recreate
env: {}
# TZ:
@@ -1282,7 +1282,7 @@ questions:
label: "runAsNonRoot"
schema:
type: boolean
default: true
default: false
- variable: podSecurityContext
group: "Security and Permissions"
@@ -1295,19 +1295,19 @@ questions:
description: "The UserID of the user running the application"
schema:
type: int
default: 568
default: 0
- variable: runAsGroup
label: "runAsGroup"
description: The groupID this App of the user running the application"
schema:
type: int
default: 568
default: 0
- variable: fsGroup
label: "fsGroup"
description: "The group that should own ALL storage."
schema:
type: int
default: 568
default: 0
- variable: supplementalGroups
label: "supplemental Groups"
schema:
+13
View File
@@ -13,6 +13,19 @@ image:
# -- image pull policy
pullPolicy: IfNotPresent
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: false
podSecurityContext:
runAsUser: 0
runAsGroup: 0
fsGroup: 0
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
# -- environment variables. See [image docs](https://docs.linuxserver.io/images/docker-airsonic#environment-variables-e) for more details.
# @default -- See below
env:
+11 -2
View File
@@ -5,9 +5,18 @@ image:
pullPolicy: IfNotPresent
tag: v0.18.686
strategy:
type: Recreate
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: true
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
service:
main:
-3
View File
@@ -5,9 +5,6 @@ image:
pullPolicy: IfNotPresent
tag: v1.7.1
strategy:
type: Recreate
service:
main:
ports:
+6 -3
View File
@@ -5,16 +5,19 @@ image:
pullPolicy: IfNotPresent
tag: 10.7.7
strategy:
type: Recreate
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: true
# 44=video 107=render
podSecurityContext:
runAsNonRoot: true
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: [44, 107]
fsGroupChangePolicy: "OnRootMismatch"
service:
main:
-3
View File
@@ -5,9 +5,6 @@ image:
pullPolicy: IfNotPresent
tag: minimal
strategy:
type: Recreate
service:
main:
ports:
+13
View File
@@ -13,6 +13,19 @@ image:
# -- image pull policy
pullPolicy: IfNotPresent
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: true
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
# -- environment variables. See more environment variables in the [komga documentation](https://komga.org/installation/configuration.html#optional-configuration).
# @default -- See below
env: {}
-3
View File
@@ -5,9 +5,6 @@ image:
pullPolicy: IfNotPresent
tag: latest
strategy:
type: Recreate
service:
main:
ports:
+12 -2
View File
@@ -5,8 +5,18 @@ image:
pullPolicy: IfNotPresent
tag: v1.0.0.2255
strategy:
type: Recreate
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: true
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
service:
main:
-3
View File
@@ -5,9 +5,6 @@ image:
pullPolicy: IfNotPresent
tag: latest
strategy:
type: Recreate
service:
main:
-3
View File
@@ -5,9 +5,6 @@ image:
pullPolicy: IfNotPresent
tag: v4.3.4
strategy:
type: Recreate
service:
main:
ports:
+13
View File
@@ -8,6 +8,19 @@ image:
# -- image pull policy
pullPolicy: IfNotPresent
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: true
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
# -- Configures service settings for the chart. Normally this does not need to be modified.
# @default -- See values.yaml
service:
+4 -4
View File
@@ -991,7 +991,7 @@ questions:
label: "runAsNonRoot"
schema:
type: boolean
default: true
default: false
- variable: podSecurityContext
group: "Security and Permissions"
@@ -1004,19 +1004,19 @@ questions:
description: "The UserID of the user running the application"
schema:
type: int
default: 568
default: 0
- variable: runAsGroup
label: "runAsGroup"
description: The groupID this App of the user running the application"
schema:
type: int
default: 568
default: 0
- variable: fsGroup
label: "fsGroup"
description: "The group that should own ALL storage."
schema:
type: int
default: 568
default: 0
- variable: supplementalGroups
label: "supplemental Groups"
schema:
+13
View File
@@ -13,6 +13,19 @@ image:
# -- image pull policy
pullPolicy: IfNotPresent
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: false
podSecurityContext:
runAsUser: 0
runAsGroup: 0
fsGroup: 0
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
# -- environment variables. See [image docs](https://docs.linuxserver.io/images/docker-mylar3#environment-variables-e) for more details.
# @default -- See below
env:
+12 -2
View File
@@ -5,8 +5,18 @@ image:
pullPolicy: IfNotPresent
tag: 0.45.1
strategy:
type: Recreate
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: true
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
service:
main:
+7 -7
View File
@@ -5,14 +5,18 @@ image:
pullPolicy: IfNotPresent
tag: 22.1.1
podSecurityContext:
runAsUser: 0
runAsGroup: 0
fsGroup: 33
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
postgresqlImage:
repository: postgres
pullPolicy: IfNotPresent
tag: "13.1"
strategy:
type: Recreate
service:
main:
ports:
@@ -87,10 +91,6 @@ initContainers:
name: dbcreds
key: plainhost
podSecurityContext:
fsGroup: 33
# -- Probe configuration
# -- [[ref]](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/)
# @default -- See below
+12 -2
View File
@@ -5,8 +5,18 @@ image:
pullPolicy: IfNotPresent
tag: 2.0.6
strategy:
type: Recreate
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: true
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
# See more environment varaibles in the node-red documentation
# https://nodered.org/docs/getting-started/docker
+4 -4
View File
@@ -1082,7 +1082,7 @@ questions:
label: "runAsNonRoot"
schema:
type: boolean
default: true
default: false
- variable: podSecurityContext
group: "Security and Permissions"
@@ -1095,19 +1095,19 @@ questions:
description: "The UserID of the user running the application"
schema:
type: int
default: 568
default: 0
- variable: runAsGroup
label: "runAsGroup"
description: The groupID this App of the user running the application"
schema:
type: int
default: 568
default: 0
- variable: fsGroup
label: "fsGroup"
description: "The group that should own ALL storage."
schema:
type: int
default: 568
default: 0
- variable: supplementalGroups
label: "supplemental Groups"
schema:
+13
View File
@@ -17,6 +17,19 @@ image:
# -- image pull policy
pullPolicy: IfNotPresent
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: false
podSecurityContext:
runAsUser: 0
runAsGroup: 0
fsGroup: 0
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
# -- environment variables. See more environment variables in the [nullserv documentation](https://github.com/bmrzycki/nullserv/blob/master/README.md).
# @default -- See below
env:
+12 -2
View File
@@ -5,8 +5,18 @@ image:
pullPolicy: IfNotPresent
tag: v21.1
strategy:
type: Recreate
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: true
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
service:
main:
+12 -2
View File
@@ -5,8 +5,18 @@ image:
pullPolicy: IfNotPresent
tag: v3.15.2
strategy:
type: Recreate
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: true
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
service:
main:
@@ -979,7 +979,7 @@ questions:
label: "runAsNonRoot"
schema:
type: boolean
default: true
default: false
- variable: podSecurityContext
group: "Security and Permissions"
@@ -992,19 +992,19 @@ questions:
description: "The UserID of the user running the application"
schema:
type: int
default: 568
default: 0
- variable: runAsGroup
label: "runAsGroup"
description: The groupID this App of the user running the application"
schema:
type: int
default: 568
default: 0
- variable: fsGroup
label: "fsGroup"
description: "The group that should own ALL storage."
schema:
type: int
default: 568
default: 0
- variable: supplementalGroups
label: "supplemental Groups"
schema:
@@ -13,6 +13,19 @@ image:
# -- image pull policy
pullPolicy: IfNotPresent
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: false
podSecurityContext:
runAsUser: 0
runAsGroup: 0
fsGroup: 0
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
# -- environment variables. See [image docs](https://github.com/mbentley/docker-omada-controller) for more details.
# @default -- See below
env:
+12 -2
View File
@@ -5,8 +5,18 @@ image:
pullPolicy: IfNotPresent
tag: v4.0.1475
strategy:
type: Recreate
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: true
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
service:
main:
-3
View File
@@ -5,9 +5,6 @@ image:
pullPolicy: Always
tag: latest
strategy:
type: Recreate
service:
main:
ports:
+13
View File
@@ -13,6 +13,19 @@ image:
# -- image pull policy
pullPolicy: IfNotPresent
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: true
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
# -- environment variables.
# @default -- See below
env:
+13
View File
@@ -13,6 +13,19 @@ image:
# -- image pull policy
pullPolicy: IfNotPresent
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: true
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
# -- environment variables. See more environment variables in the [owncloud-ocis documentation](https://owncloud.dev/ocis/configuration/#environment-variables).
# @default -- See below
env:
+12 -2
View File
@@ -5,8 +5,18 @@ image:
pullPolicy: IfNotPresent
tag: "5.6"
strategy:
type: Recreate
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: false
podSecurityContext:
runAsUser: 0
runAsGroup: 0
fsGroup: 5050
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
service:
main:
+13
View File
@@ -13,6 +13,19 @@ image:
# -- image pull policy
pullPolicy: IfNotPresent
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: true
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
# -- environment variables. See [image docs](https://docs.photoprism.org/getting-started/config-options/) for more details.
# @default -- See below
env:
-3
View File
@@ -5,9 +5,6 @@ image:
pullPolicy: IfNotPresent
tag: "0.9.0"
strategy:
type: Recreate
service:
main:
+4 -4
View File
@@ -979,7 +979,7 @@ questions:
label: "runAsNonRoot"
schema:
type: boolean
default: true
default: false
- variable: podSecurityContext
group: "Security and Permissions"
@@ -992,19 +992,19 @@ questions:
description: "The UserID of the user running the application"
schema:
type: int
default: 568
default: 0
- variable: runAsGroup
label: "runAsGroup"
description: The groupID this App of the user running the application"
schema:
type: int
default: 568
default: 0
- variable: fsGroup
label: "fsGroup"
description: "The group that should own ALL storage."
schema:
type: int
default: 568
default: 0
- variable: supplementalGroups
label: "supplemental Groups"
schema:
+13 -5
View File
@@ -13,6 +13,19 @@ image:
# -- image pull policy
pullPolicy: IfNotPresent
securityContext:
privileged: true
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: false
podSecurityContext:
runAsUser: 0
runAsGroup: 0
fsGroup: 0
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
# -- environment variables. See [application docs](https://flightaware.com/adsb/piaware/advanced_configuration) for more details.
# @default -- See below
env:
@@ -27,11 +40,6 @@ service:
main:
port: 8080
securityContext:
# -- (bool) Privileged securityContext may be required if USB device is accessed directly through the host machine
privileged: true
# -- Configure persistence settings for the chart under this key.
# @default -- See values.yaml
persistence:
+6 -3
View File
@@ -5,16 +5,19 @@ image:
pullPolicy: IfNotPresent
tag: v1.24.1.4931-1a38e63c6
strategy:
type: Recreate
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: true
# 44=video 107=render
podSecurityContext:
runAsNonRoot: true
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: [44, 107]
fsGroupChangePolicy: "OnRootMismatch"
service:
main:
+8 -5
View File
@@ -5,15 +5,18 @@ image:
pullPolicy: Always
tag: 1.0.0
strategy:
type: Recreate
# Configure the Security Context for the Pod
podSecurityContext:
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: true
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
service:
main:
-3
View File
@@ -3,9 +3,6 @@ image:
pullPolicy: IfNotPresent
tag: "13.4"
strategy:
type: Recreate
service:
main:
@@ -862,7 +862,7 @@ questions:
label: "runAsNonRoot"
schema:
type: boolean
default: true
default: false
- variable: podSecurityContext
group: "Security and Permissions"
@@ -875,19 +875,19 @@ questions:
description: "The UserID of the user running the application"
schema:
type: int
default: 568
default: 0
- variable: runAsGroup
label: "runAsGroup"
description: The groupID this App of the user running the application"
schema:
type: int
default: 568
default: 0
- variable: fsGroup
label: "fsGroup"
description: "The group that should own ALL storage."
schema:
type: int
default: 568
default: 0
- variable: supplementalGroups
label: "supplemental Groups"
schema:
@@ -13,6 +13,19 @@ image:
# -- image pull policy
pullPolicy: IfNotPresent
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: false
podSecurityContext:
runAsUser: 0
runAsGroup: 0
fsGroup: 0
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
# -- Configures service settings for the chart.
# @default -- See values.yaml
service:
@@ -991,7 +991,7 @@ questions:
label: "runAsNonRoot"
schema:
type: boolean
default: true
default: false
- variable: podSecurityContext
group: "Security and Permissions"
@@ -1004,19 +1004,19 @@ questions:
description: "The UserID of the user running the application"
schema:
type: int
default: 568
default: 0
- variable: runAsGroup
label: "runAsGroup"
description: The groupID this App of the user running the application"
schema:
type: int
default: 568
default: 0
- variable: fsGroup
label: "fsGroup"
description: "The group that should own ALL storage."
schema:
type: int
default: 568
default: 0
- variable: supplementalGroups
label: "supplemental Groups"
schema:
@@ -13,6 +13,19 @@ image:
# -- image pull policy
pullPolicy: IfNotPresent
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: false
podSecurityContext:
runAsUser: 0
runAsGroup: 0
fsGroup: 0
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
# -- environment variables.
# @default -- See below
env:
+9 -1
View File
@@ -13,10 +13,18 @@ image:
# -- image pull policy
pullPolicy: IfNotPresent
podSecurityContext:
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: true
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
# -- environment variables.
# @default -- See below
+4 -4
View File
@@ -991,7 +991,7 @@ questions:
label: "runAsNonRoot"
schema:
type: boolean
default: true
default: false
- variable: podSecurityContext
group: "Security and Permissions"
@@ -1004,19 +1004,19 @@ questions:
description: "The UserID of the user running the application"
schema:
type: int
default: 568
default: 0
- variable: runAsGroup
label: "runAsGroup"
description: The groupID this App of the user running the application"
schema:
type: int
default: 568
default: 0
- variable: fsGroup
label: "fsGroup"
description: "The group that should own ALL storage."
schema:
type: int
default: 568
default: 0
- variable: supplementalGroups
label: "supplemental Groups"
schema:
+13
View File
@@ -13,6 +13,19 @@ image:
# -- image pull policy
pullPolicy: IfNotPresent
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: false
podSecurityContext:
runAsUser: 0
runAsGroup: 0
fsGroup: 0
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
# -- environment variables. See [image docs](https://docs.linuxserver.io/images/docker-pyload#environment-variables-e) for more details.
# @default -- See below
env:
+12 -2
View File
@@ -5,8 +5,18 @@ image:
pullPolicy: IfNotPresent
tag: v4.3.7
strategy:
type: Recreate
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: true
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
env: {}
# TZ: UTC
+12 -2
View File
@@ -5,8 +5,18 @@ image:
pullPolicy: IfNotPresent
tag: v3.2.2.5080
strategy:
type: Recreate
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: true
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
service:
main:
+12 -2
View File
@@ -5,8 +5,18 @@ image:
pullPolicy: IfNotPresent
tag: v0.1.0.963
strategy:
type: Recreate
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: true
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
service:
main:
+9 -1
View File
@@ -13,10 +13,18 @@ image:
# -- image tag
tag: v0.16.1
podSecurityContext:
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: true
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
# -- environment variables. See more environment variables in the [reg documentation](https://github.com/genuinetools/reg).
env:
+13
View File
@@ -13,6 +13,19 @@ image:
# -- image pull policy
pullPolicy: IfNotPresent
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: false
podSecurityContext:
runAsUser: 0
runAsGroup: 0
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
# -- environment variables. See [image docs](https://docs.linuxserver.io/images/docker-resilio-sync#environment-variables-e) for more details.
# @default -- See below
env:
+12 -2
View File
@@ -5,8 +5,18 @@ image:
pullPolicy: IfNotPresent
tag: v3.3.1
strategy:
type: Recreate
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: true
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
service:
main:
+13 -4
View File
@@ -13,6 +13,19 @@ image:
# -- image pull policy
pullPolicy: Always
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: true
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
# -- environment variables. See [image docs](https://github.com/tenstartups/ser2sock) for more details.
# @default -- See below
env:
@@ -46,10 +59,6 @@ persistence:
type: hostPath
mountPath: /dev/ttyUSB0
securityContext:
# -- (bool) Privileged securityContext may be required if USB controller is accessed directly through the host machine
privileged: # true
# -- Affinity constraint rules to place the Pod on a specific node.
# [[ref]](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity)
affinity: {}
+12 -2
View File
@@ -5,8 +5,18 @@ image:
pullPolicy: IfNotPresent
tag: v3.0.6.1265
strategy:
type: Recreate
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: true
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
service:
main:
+12 -2
View File
@@ -5,8 +5,18 @@ image:
pullPolicy: IfNotPresent
tag: "1.18"
strategy:
type: Recreate
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: true
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
service:
main:
+12 -2
View File
@@ -5,8 +5,18 @@ image:
pullPolicy: IfNotPresent
tag: v2.7.6
strategy:
type: Recreate
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: true
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
service:
main:
-3
View File
@@ -13,9 +13,6 @@ image:
# -- image tag
tag: 4.2.0-alpine
strategy:
type: Recreate
# -- environment variables. See [image docs](https://hub.docker.com/r/thelounge/thelounge/) for more details.
# @default -- See below
env:
@@ -1140,11 +1140,6 @@ questions:
schema:
type: dict
attrs:
- variable: runAsNonRoot
label: "runAsNonRoot"
schema:
type: boolean
default: true
- variable: runAsUser
label: "runAsUser"
description: "The UserID of the user running the application"
+17 -13
View File
@@ -5,6 +5,23 @@ image:
tag: v2.5.2
pullPolicy: IfNotPresent
# -- Set the container security context
# To run the container with ports below 1024 this will need to be adjust to run as root
securityContext:
capabilities:
drop: [ALL]
privileged: false
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
runAsNonRoot: false
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
# -- Use ingressClass. Ignored if Traefik version < 2.3 / kubernetes < 1.18.x
ingressClass:
# true is not unit-testable yet, pending https://github.com/rancher/helm-unittest/pull/12
@@ -274,19 +291,6 @@ serviceAccount:
# If not set, a service account is created automatically using the fullname template
name: ""
# -- Set the container security context
# To run the container with ports below 1024 this will need to be adjust to run as root
securityContext:
capabilities:
drop: [ALL]
readOnlyRootFilesystem: true
runAsGroup: 568
runAsNonRoot: true
runAsUser: 568
podSecurityContext:
fsGroup: 568
# -- SCALE Middleware Handlers
middlewares:
basicAuth: []
+12 -2
View File
@@ -5,8 +5,18 @@ image:
pullPolicy: IfNotPresent
tag: v3.00
strategy:
type: Recreate
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: true
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
service:
main:
-3
View File
@@ -5,9 +5,6 @@ image:
pullPolicy: IfNotPresent
tag: "2.0"
strategy:
type: Recreate
service:
main:
ports:
-3
View File
@@ -5,9 +5,6 @@ image:
pullPolicy: IfNotPresent
tag: version-63784405
strategy:
type: Recreate
# See https://github.com/linuxserver/docker-tvheadend#parameters
env: {}
# PUID: 1000
-3
View File
@@ -5,9 +5,6 @@ image:
tag: v6.2.26
pullPolicy: IfNotPresent
strategy:
type: Recreate
envTpl:
# Permissions Settings
UNIFI_GID: "{{ .Values.env.PUID }}"
+12 -2
View File
@@ -5,8 +5,18 @@ image:
pullPolicy: IfNotPresent
tag: 0.9.7
strategy:
type: Recreate
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: true
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
service:
main:
+13 -3
View File
@@ -5,15 +5,25 @@ image:
pullPolicy: IfNotPresent
tag: 1.22.2
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: true
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
postgresqlImage:
repository: postgres
pullPolicy: IfNotPresent
tag: 13.4-alpine
strategy:
type: Recreate
service:
main:
ports:
+13
View File
@@ -13,6 +13,19 @@ image:
# -- image pull policy
pullPolicy: IfNotPresent
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: true
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
# -- environment variables.
# @default -- See below
env:
+6 -3
View File
@@ -7,16 +7,19 @@ image:
pullPolicy: IfNotPresent
tag: 5.5.3
strategy:
type: Recreate
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: true
# 5=tty 20=dialout 24=cdrom
podSecurityContext:
runAsNonRoot: true
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: [5, 20, 24]
fsGroupChangePolicy: "OnRootMismatch"
# # See more environment variables in the zwavejs2mqtt documentation
# https://zwave-js.github.io/zwavejs2mqtt/#/guide/env-vars
+5 -5
View File
@@ -589,6 +589,11 @@ questions:
schema:
type: boolean
default: false
- variable: runAsNonRoot
label: "runAsNonRoot"
schema:
type: boolean
default: true
- variable: podSecurityContext
group: "Security and Permissions"
@@ -596,11 +601,6 @@ questions:
schema:
type: dict
attrs:
- variable: runAsNonRoot
label: "runAsNonRoot"
schema:
type: boolean
default: true
- variable: runAsUser
label: "runAsUser"
description: "The UserID of the user running the application"
+12 -2
View File
@@ -10,8 +10,18 @@ image:
pullPolicy: IfNotPresent
tag: 1.0.0
strategy:
type: Recreate
securityContext:
privileged: false
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsNonRoot: true
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
supplementalGroups: []
fsGroupChangePolicy: "OnRootMismatch"
# See more environment variables in the ${CHARTNAME} documentation
# https://${CHARTNAME}.org/docs