189 trino supporting more variables for securitycontext for pod and c…

…ontainer level (#190) * Changed: securityContext for pods and containers * Changed: bump up version * Changed: bump up helm-docs version * Changed: upgrade kind k8s versions * Changed: support for k8s 1.28 * Fixed: default securityContexts * Fixed: trailing space * Fixed: container missing securityContext
valeriano-manassero · Oct 25, 2023 · 2129571 · 2129571
1 parent eab54b3
commit 2129571
Show file tree

Hide file tree

Showing 6 changed files with 37 additions and 39 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -23,9 +23,10 @@ jobs:
     strategy:
       matrix:
         k8s:
-          - v1.25.8
-          - v1.26.3
-          - v1.27.0
+          - v1.25.11
+          - v1.26.6
+          - v1.27.3
+          - v1.28.0
     steps:
       - name: Checkout
         uses: actions/checkout@v3.5.0

diff --git a/valeriano-manassero/trino/Chart.yaml b/valeriano-manassero/trino/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v1
 appVersion: "426"
 description: High performance, distributed SQL query engine for big data
 name: trino
-version: 7.0.0
-kubeVersion: ">= 1.24.0-0 < 1.28.0-0"
+version: 8.0.0
+kubeVersion: ">= 1.24.0-0 < 1.29.0-0"
 home: https://trino.io
 icon: https://trino.io/assets/images/trino-logo/trino-ko_tiny-alt.svg
 sources:
@@ -27,4 +27,4 @@ keywords:
 annotations:
   artifacthub.io/changes: |
     - kind: changed
-      description: Switch to the -XX:InitialRAMPercentage and -XX:MaxRAMPercentage instead of -Xmx flag
+      description: enanched SecurityContext for pod and containers
diff --git a/valeriano-manassero/trino/README.md b/valeriano-manassero/trino/README.md
@@ -1,6 +1,6 @@
 # trino
 
-![Version: 7.0.0](https://img.shields.io/badge/Version-7.0.0-informational?style=flat-square) ![AppVersion: 426](https://img.shields.io/badge/AppVersion-426-informational?style=flat-square)
+![Version: 8.0.0](https://img.shields.io/badge/Version-8.0.0-informational?style=flat-square) ![AppVersion: 426](https://img.shields.io/badge/AppVersion-426-informational?style=flat-square)
 
 High performance, distributed SQL query engine for big data
 
@@ -19,7 +19,7 @@ High performance, distributed SQL query engine for big data
 
 ## Requirements
 
-Kubernetes: `>= 1.24.0-0 < 1.28.0-0`
+Kubernetes: `>= 1.24.0-0 < 1.29.0-0`
 
 ## Values
 
@@ -87,15 +87,13 @@ Kubernetes: `>= 1.24.0-0 < 1.28.0-0`
 | config.worker.tolerations | list | `[]` |  |
 | configMapMounts | list | `[]` |  |
 | connectors | object | `{}` |  |
+| containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}` | SecurityContext configuration for containers |
 | eventListenerProperties | object | `{}` |  |
 | faultTolerance.enabled | bool | `false` |  |
 | fullnameOverride | string | `"trino"` |  |
 | groupProvider | object | `{}` |  |
 | image.pullPolicy | string | `"IfNotPresent"` |  |
 | image.repository | string | `"trinodb/trino"` |  |
-| image.securityContext.fsGroup | int | `1000` |  |
-| image.securityContext.runAsGroup | int | `1000` |  |
-| image.securityContext.runAsUser | int | `1000` |  |
 | image.tag | int | `426` |  |
 | imagePullSecrets | list | `[]` |  |
 | ingress.annotations | object | `{}` |  |
@@ -122,6 +120,7 @@ Kubernetes: `>= 1.24.0-0 < 1.28.0-0`
 | jmxExporter.serviceMonitor.scrapeTimeout | string | `"10s"` |  |
 | jmxExporter.worker.enabled | bool | `false` |  |
 | passwordAuthenticatorProperties | object | `{}` | Password authenticator configuration, an item per conf line. Requiere `config.general.authenticationType` set to `PASSWORD`. For file : you don't need to use this propertie if you set `config.general.authenticationType` to `PASSWORD` and use `config.auth` to fill `auth/password.db`. For LDAP : https://trino.io/docs/current/security/ldap.html. For SalesForce : https://trino.io/docs/current/security/salesforce.html |
+| podSecurityContext | object | `{"fsGroup":1000,"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}}` | SecurityContext configuration for pods |
 | resourceGroups | object | `{}` |  |
 | schemas | object | `{}` |  |
 | secretMounts | list | `[]` |  |
@@ -138,4 +137,4 @@ Kubernetes: `>= 1.24.0-0 < 1.28.0-0`
 | tls.tlsEncryptionSecretName | string | `""` |  |
 
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
+Autogenerated from chart metadata using [helm-docs v1.11.2](https://github.com/norwoodj/helm-docs/releases/v1.11.2)
diff --git a/valeriano-manassero/trino/templates/deployment-coordinator.yaml b/valeriano-manassero/trino/templates/deployment-coordinator.yaml
@@ -25,12 +25,8 @@ spec:
         {{- toYaml . | nindent 8 }}
     {{- end }}
     spec:
-      {{- with .Values.image.securityContext }}
       securityContext:
-        runAsUser: {{ .runAsUser }}
-        runAsGroup: {{ .runAsGroup }}
-        fsGroup: {{ .fsGroup }}
-      {{- end }}
+        {{ toYaml .Values.podSecurityContext | nindent 8 }}
       volumes:
         - name: config-volume
           projected:
@@ -120,11 +116,8 @@ spec:
         - name: download-jmx-exporter
           image: {{ .Values.jmxExporter.image.repository }}:{{ .Values.jmxExporter.image.tag }}
           imagePullPolicy: {{ .Values.jmxExporter.image.pullPolicy }}
-          {{- with .Values.image.securityContext }}
           securityContext:
-            runAsUser: {{ .runAsUser }}
-            runAsGroup: {{ .runAsGroup }}
-          {{- end }}
+            {{ toYaml .Values.containerSecurityContext | nindent 12 }}
           args:
             - "--output"
             - "{{ .Values.jmxExporter.path }}/lib/{{ .Values.jmxExporter.jarfile }}"
@@ -137,11 +130,8 @@ spec:
         - name: init-certs
           image: {{ .Values.initKeystore.image.repository }}:{{ .Values.initKeystore.image.tag }}
           imagePullPolicy: {{ .Values.initKeystore.image.pullPolicy }}
-          {{- with .Values.image.securityContext }}
           securityContext:
-            runAsUser: {{ .runAsUser }}
-            runAsGroup: {{ .runAsGroup }}
-          {{- end }}
+            {{ toYaml .Values.containerSecurityContext | nindent 12 }}
           command: [ /bin/bash ]
           args:
           - -ec
@@ -197,6 +187,8 @@ spec:
         - name: {{ .Chart.Name }}-coordinator
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          securityContext:
+            {{ toYaml .Values.containerSecurityContext | nindent 12 }}
           {{- if or .Values.config.general.env .Values.config.coordinator.env .Values.tls.keystorePasswordSecret }}
           env:
             {{- if .Values.tls.keystorePasswordSecret }}

diff --git a/valeriano-manassero/trino/templates/deployment-worker.yaml b/valeriano-manassero/trino/templates/deployment-worker.yaml
@@ -26,12 +26,8 @@ spec:
         {{- toYaml . | nindent 8 }}
     {{- end }}
     spec:
-      {{- with .Values.image.securityContext }}
       securityContext:
-        runAsUser: {{ .runAsUser }}
-        runAsGroup: {{ .runAsGroup }}
-        fsGroup: {{ .fsGroup }}
-      {{- end }}
+        {{ toYaml .Values.podSecurityContext | nindent 8 }}
       volumes:
         - name: config-volume
           projected:
@@ -84,11 +80,8 @@ spec:
         - name: download-jmx-exporter
           image: {{ .Values.jmxExporter.image.repository }}:{{ .Values.jmxExporter.image.tag }}
           imagePullPolicy: {{ .Values.jmxExporter.image.pullPolicy }}
-          {{- with .Values.image.securityContext }}
           securityContext:
-            runAsUser: {{ .runAsUser }}
-            runAsGroup: {{ .runAsGroup }}
-          {{- end }}
+            {{ toYaml .Values.containerSecurityContext | nindent 12 }}
           args:
             - "--output"
             - "{{ .Values.jmxExporter.path }}/lib/{{ .Values.jmxExporter.jarfile }}"
@@ -108,6 +101,8 @@ spec:
         - name: {{ .Chart.Name }}-worker
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          securityContext:
+            {{ toYaml .Values.containerSecurityContext | nindent 12 }}
           {{- if or .Values.config.general.env .Values.config.worker.env }}
           env:
             {{- if .Values.config.general.env }}
@@ -193,5 +188,4 @@ spec:
       tolerations:
 {{ toYaml . | indent 8 }}
     {{- end }}
-
 {{- end }}
diff --git a/valeriano-manassero/trino/values.yaml b/valeriano-manassero/trino/values.yaml
@@ -2,10 +2,6 @@ image:
   repository: trinodb/trino
   tag: 426
   pullPolicy: IfNotPresent
-  securityContext:
-    runAsUser: 1000
-    runAsGroup: 1000
-    fsGroup: 1000
 
 fullnameOverride: trino
 
@@ -457,6 +453,22 @@ serviceAccount:
 # sets extra service annotations for the trino server service
 serviceAnnotations: {}
 
+# -- SecurityContext configuration for pods
+podSecurityContext:
+  runAsUser: 1000
+  runAsGroup: 1000
+  fsGroup: 1000
+  runAsNonRoot: true
+  seccompProfile:
+    type: RuntimeDefault
+
+# -- SecurityContext configuration for containers
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - ALL
+
 initKeystore:
   image:
     repository: bitnami/java