From 2129571b7fd5b4425b5b1140c832763a71056beb Mon Sep 17 00:00:00 2001
From: Valeriano Manassero <14011549+valeriano-manassero@users.noreply.github.com>
Date: Wed, 25 Oct 2023 09:16:28 +0200
Subject: [PATCH] 189 trino supporting more variables for securitycontext for pod and container level (#190)

* Changed: securityContext for pods and containers
* Changed: bump up version
* Changed: bump up helm-docs version
* Changed: upgrade kind k8s versions
* Changed: support for k8s 1.28
* Fixed: default securityContexts
* Fixed: trailing space
* Fixed: container missing securityContext
---
 .github/workflows/ci.yaml | 7 ++++---
 valeriano-manassero/trino/Chart.yaml | 6 +++---
 valeriano-manassero/trino/README.md | 11 +++++-----
 .../templates/deployment-coordinator.yaml | 18 +++++------------
 .../trino/templates/deployment-worker.yaml | 14 ++++---------
 valeriano-manassero/trino/values.yaml | 20 +++++++++++++++----
 6 files changed, 37 insertions(+), 39 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 68c6a9d..27d4538 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -23,9 +23,10 @@ jobs:
     strategy:
       matrix:
         k8s:
-          - v1.25.8
-          - v1.26.3
-          - v1.27.0
+          - v1.25.11
+          - v1.26.6
+          - v1.27.3
+          - v1.28.0
     steps:
       - name: Checkout
         uses: actions/checkout@v3.5.0
diff --git a/valeriano-manassero/trino/Chart.yaml b/valeriano-manassero/trino/Chart.yaml
index c3ec88a..e7e5eff 100644
--- a/valeriano-manassero/trino/Chart.yaml
+++ b/valeriano-manassero/trino/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v1
 appVersion: "426"
 description: High performance, distributed SQL query engine for big data
 name: trino
-version: 7.0.0
-kubeVersion: ">= 1.24.0-0 < 1.28.0-0"
+version: 8.0.0
+kubeVersion: ">= 1.24.0-0 < 1.29.0-0"
 home: https://trino.io
 icon: https://trino.io/assets/images/trino-logo/trino-ko_tiny-alt.svg
 sources:
@@ -27,4 +27,4 @@ keywords:
 annotations:
   artifacthub.io/changes: |
     - kind: changed
-      description: Switch to the -XX:InitialRAMPercentage and -XX:MaxRAMPercentage instead of -Xmx flag
+      description: enanched SecurityContext for pod and containers
diff --git a/valeriano-manassero/trino/README.md b/valeriano-manassero/trino/README.md
index 010670f..9a3fdcd 100644
--- a/valeriano-manassero/trino/README.md
+++ b/valeriano-manassero/trino/README.md
@@ -1,6 +1,6 @@
 # trino
 
-![Version: 7.0.0](https://img.shields.io/badge/Version-7.0.0-informational?style=flat-square) ![AppVersion: 426](https://img.shields.io/badge/AppVersion-426-informational?style=flat-square)
+![Version: 8.0.0](https://img.shields.io/badge/Version-8.0.0-informational?style=flat-square) ![AppVersion: 426](https://img.shields.io/badge/AppVersion-426-informational?style=flat-square)
 
 High performance, distributed SQL query engine for big data
 
@@ -19,7 +19,7 @@ High performance, distributed SQL query engine for big data
 
 ## Requirements
 
-Kubernetes: `>= 1.24.0-0 < 1.28.0-0`
+Kubernetes: `>= 1.24.0-0 < 1.29.0-0`
 
 ## Values
 
@@ -87,15 +87,13 @@ Kubernetes: `>= 1.24.0-0 < 1.28.0-0`
 | config.worker.tolerations | list | `[]` | |
 | configMapMounts | list | `[]` | |
 | connectors | object | `{}` | |
+| containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}` | SecurityContext configuration for containers |
 | eventListenerProperties | object | `{}` | |
 | faultTolerance.enabled | bool | `false` | |
 | fullnameOverride | string | `"trino"` | |
 | groupProvider | object | `{}` | |
 | image.pullPolicy | string | `"IfNotPresent"` | |
 | image.repository | string | `"trinodb/trino"` | |
-| image.securityContext.fsGroup | int | `1000` | |
-| image.securityContext.runAsGroup | int | `1000` | |
-| image.securityContext.runAsUser | int | `1000` | |
 | image.tag | int | `426` | |
 | imagePullSecrets | list | `[]` | |
 | ingress.annotations | object | `{}` | |
@@ -122,6 +120,7 @@ Kubernetes: `>= 1.24.0-0 < 1.28.0-0`
 | jmxExporter.serviceMonitor.scrapeTimeout | string | `"10s"` | |
 | jmxExporter.worker.enabled | bool | `false` | |
 | passwordAuthenticatorProperties | object | `{}` | Password authenticator configuration, an item per conf line. Requiere `config.general.authenticationType` set to `PASSWORD`. For file : you don't need to use this propertie if you set `config.general.authenticationType` to `PASSWORD` and use `config.auth` to fill `auth/password.db`. For LDAP : https://trino.io/docs/current/security/ldap.html. For SalesForce : https://trino.io/docs/current/security/salesforce.html |
+| podSecurityContext | object | `{"fsGroup":1000,"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}}` | SecurityContext configuration for pods |
 | resourceGroups | object | `{}` | |
 | schemas | object | `{}` | |
 | secretMounts | list | `[]` | |
@@ -138,4 +137,4 @@ Kubernetes: `>= 1.24.0-0 < 1.28.0-0`
 | tls.tlsEncryptionSecretName | string | `""` | |
 
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
+Autogenerated from chart metadata using [helm-docs v1.11.2](https://github.com/norwoodj/helm-docs/releases/v1.11.2)
diff --git a/valeriano-manassero/trino/templates/deployment-coordinator.yaml b/valeriano-manassero/trino/templates/deployment-coordinator.yaml
index 261bd7a..b16f80b 100644
--- a/valeriano-manassero/trino/templates/deployment-coordinator.yaml
+++ b/valeriano-manassero/trino/templates/deployment-coordinator.yaml
@@ -25,12 +25,8 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
     spec:
-      {{- with .Values.image.securityContext }}
       securityContext:
-        runAsUser: {{ .runAsUser }}
-        runAsGroup: {{ .runAsGroup }}
-        fsGroup: {{ .fsGroup }}
-      {{- end }}
+        {{ toYaml .Values.podSecurityContext | nindent 8 }}
       volumes:
         - name: config-volume
           projected:
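Review bot: Removing the `image.securityContext` lookup leaves nothing that rejects values files still setting the old key, so a user-supplied `image.securityContext.runAsUser` (for example one chosen to match an existing PV's ownership) is now silently ignored and the pod runs with the new defaults; a one-line guard near the top of the template would surface this at `helm upgrade` time, e.g. `{{- if .Values.image.securityContext }}{{- fail "image.securityContext was replaced by podSecurityContext and containerSecurityContext" }}{{- end }}`. The top of the template is outside this hunk, and the worker template in this same commit needs the same guard. The added `{{ toYaml .Values.podSecurityContext | nindent 8 }}` also uses a non-trimming `{{` where the context line two above uses `{{- toYaml . | nindent 8 }}`, so it emits a whitespace-only line before the map; `{{- toYaml .Values.podSecurityContext | nindent 8 }}` matches the file's existing style.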
@@ -120,11 +116,8 @@ spec:
         - name: download-jmx-exporter
           image: {{ .Values.jmxExporter.image.repository }}:{{ .Values.jmxExporter.image.tag }}
           imagePullPolicy: {{ .Values.jmxExporter.image.pullPolicy }}
-          {{- with .Values.image.securityContext }}
           securityContext:
-            runAsUser: {{ .runAsUser }}
-            runAsGroup: {{ .runAsGroup }}
-          {{- end }}
+            {{ toYaml .Values.containerSecurityContext | nindent 12 }}
           args:
             - "--output"
             - "{{ .Values.jmxExporter.path }}/lib/{{ .Values.jmxExporter.jarfile }}"
@@ -137,11 +130,8 @@ spec:
         - name: init-certs
           image: {{ .Values.initKeystore.image.repository }}:{{ .Values.initKeystore.image.tag }}
           imagePullPolicy: {{ .Values.initKeystore.image.pullPolicy }}
-          {{- with .Values.image.securityContext }}
           securityContext:
-            runAsUser: {{ .runAsUser }}
-            runAsGroup: {{ .runAsGroup }}
-          {{- end }}
+            {{ toYaml .Values.containerSecurityContext | nindent 12 }}
           command: [ /bin/bash ]
           args:
             - -ec
@@ -197,6 +187,8 @@ spec:
         - name: {{ .Chart.Name }}-coordinator
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          securityContext:
+            {{ toYaml .Values.containerSecurityContext | nindent 12 }}
           {{- if or .Values.config.general.env .Values.config.coordinator.env .Values.tls.keystorePasswordSecret }}
           env:
             {{- if .Values.tls.keystorePasswordSecret }}
diff --git a/valeriano-manassero/trino/templates/deployment-worker.yaml b/valeriano-manassero/trino/templates/deployment-worker.yaml
index a9cf4f6..f6a4a62 100644
--- a/valeriano-manassero/trino/templates/deployment-worker.yaml
+++ b/valeriano-manassero/trino/templates/deployment-worker.yaml
@@ -26,12 +26,8 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
     spec:
-      {{- with .Values.image.securityContext }}
       securityContext:
-        runAsUser: {{ .runAsUser }}
-        runAsGroup: {{ .runAsGroup }}
-        fsGroup: {{ .fsGroup }}
-      {{- end }}
+        {{ toYaml .Values.podSecurityContext | nindent 8 }}
       volumes:
         - name: config-volume
           projected:
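Review bot: The one `containerSecurityContext` value is now rendered verbatim into the `download-jmx-exporter` and `init-certs` init containers and into the coordinator container, so any relaxation an operator makes for Trino itself (re-adding a capability, flipping `allowPrivilegeEscalation`) is applied unchanged to the `/bin/bash` keytool step and the jar download as well, and nothing in the templates records that coupling. I would add a template comment above the new `securityContext:` line of the coordinator container, `{{- /* shared with the init containers; see containerSecurityContext in values.yaml */}}`, and the same on the worker. Each `{{ toYaml .Values.containerSecurityContext | nindent 12 }}` also keeps the template's own leading spaces because it does not trim with `{{-`, producing a whitespace-only line before the map; `{{- toYaml .Values.containerSecurityContext | nindent 12 }}` avoids it and matches the `{{- toYaml . | nindent 8 }}` already used in these files. The container definitions continue past the hunks.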
@@ -84,11 +80,8 @@ spec:
         - name: download-jmx-exporter
           image: {{ .Values.jmxExporter.image.repository }}:{{ .Values.jmxExporter.image.tag }}
           imagePullPolicy: {{ .Values.jmxExporter.image.pullPolicy }}
-          {{- with .Values.image.securityContext }}
           securityContext:
-            runAsUser: {{ .runAsUser }}
-            runAsGroup: {{ .runAsGroup }}
-          {{- end }}
+            {{ toYaml .Values.containerSecurityContext | nindent 12 }}
           args:
             - "--output"
             - "{{ .Values.jmxExporter.path }}/lib/{{ .Values.jmxExporter.jarfile }}"
@@ -108,6 +101,8 @@ spec:
         - name: {{ .Chart.Name }}-worker
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          securityContext:
+            {{ toYaml .Values.containerSecurityContext | nindent 12 }}
           {{- if or .Values.config.general.env .Values.config.worker.env }}
           env:
             {{- if .Values.config.general.env }}
@@ -193,5 +188,4 @@ spec:
       tolerations:
 {{ toYaml . | indent 8 }}
       {{- end }}
-      {{- end }}
diff --git a/valeriano-manassero/trino/values.yaml b/valeriano-manassero/trino/values.yaml
index 4fc62ab..c6d9e10 100644
--- a/valeriano-manassero/trino/values.yaml
+++ b/valeriano-manassero/trino/values.yaml
@@ -2,10 +2,6 @@ image:
   repository: trinodb/trino
   tag: 426
   pullPolicy: IfNotPresent
-  securityContext:
-    runAsUser: 1000
-    runAsGroup: 1000
-    fsGroup: 1000
 
 fullnameOverride: trino
 
@@ -457,6 +453,22 @@ serviceAccount:
 # sets extra service annotations for the trino server service
 serviceAnnotations: {}
 
+# -- SecurityContext configuration for pods
+podSecurityContext:
+  runAsUser: 1000
+  runAsGroup: 1000
+  fsGroup: 1000
+  runAsNonRoot: true
+  seccompProfile:
+    type: RuntimeDefault
+
+# -- SecurityContext configuration for containers
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - ALL
+
 initKeystore:
   image:
     repository: bitnami/java
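Review bot: The two new value blocks are documented only by a one-line helm-docs tag, and neither comment says that `containerSecurityContext` is also applied to the `download-jmx-exporter` and `init-certs` init containers (visible in the template hunks of this commit) or that the two defaults together satisfy the "restricted" Pod Security Standard (`allowPrivilegeEscalation: false`, `drop: [ALL]`, `runAsNonRoot: true`, `seccompProfile.type: RuntimeDefault`); I would extend each `# --` comment to state both, since operators tuning these keys need to know what they are relaxing. The pod comment should also warn that overriding `runAsUser` to `0` while leaving `runAsNonRoot: true` makes the kubelet refuse to start the containers rather than run them as root, which is the intended trap but reads as a failed deploy. `readOnlyRootFilesystem` is not part of the container defaults; whether the Trino image and the keytool init step tolerate it is not visible here, so a comment naming it as an opt-in hardening would be fair without changing the default.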