From af127ba0769321bc16b614b5aed7b39a92018fe4 Mon Sep 17 00:00:00 2001
From: JustinWang
Date: Mon, 4 Dec 2023 10:53:40 +0800
Subject: [PATCH 1/5] Fix the initContainers parameter securityContext to be configurable.
Signed-off-by: JustinWang
---
 charts/opensearch/templates/statefulset.yaml | 5 ++---
 charts/opensearch/values.yaml | 14 +++++++++++++-
 2 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/charts/opensearch/templates/statefulset.yaml b/charts/opensearch/templates/statefulset.yaml
index d5c91a80..5ddfea39 100644
--- a/charts/opensearch/templates/statefulset.yaml
+++ b/charts/opensearch/templates/statefulset.yaml
@@ -239,7 +239,7 @@ spec:
 args:
 - 'chown -R 1000:1000 /usr/share/opensearch/data'
 securityContext:
- runAsUser: 0
+ {{- toYaml .Values.persistence.securityContext | nindent 10 }}
 resources:
 {{- toYaml .Values.initResources | nindent 10 }}
 volumeMounts:
@@ -261,8 +261,7 @@ spec:
 sysctl -w vm.max_map_count=$DESIRED
 fi
 securityContext:
- runAsUser: 0
- privileged: true
+ {{- toYaml .Values.sysctlInit.securityContext | nindent 10 }}
 resources:
 {{- toYaml .Values.initResources | nindent 10 }}
 {{- end }}
diff --git a/charts/opensearch/values.yaml b/charts/opensearch/values.yaml
index 090cb0c8..5da9fb06 100644
--- a/charts/opensearch/values.yaml
+++ b/charts/opensearch/values.yaml
@@ -212,6 +212,11 @@ persistence:
 - ReadWriteOnce
 size: 8Gi
 annotations: {}
+ ## Configure Pods Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+ ##
+ securityContext:
+ runAsUser: 0
 extraVolumes: []
 # - name: extras
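Review bot: Neither new `toYaml` line guards against the value being absent: in the chown init container (`@@ -239,7 +239,7 @@`) a nil `.Values.persistence.securityContext` would render an empty (`null`) `securityContext:`, and the same holds for `.Values.sysctlInit.securityContext` in the `@@ -261,8 +261,7 @@` hunk. That can happen when a release's values predate these keys (for example an upgrade with `--reuse-values`, which does not pick up new chart defaults), and the sysctl container would then presumably lose the `privileged: true` it needs for `sysctl -w vm.max_map_count`, leaving the pod stuck in init. Falling back to the previously hard-coded context keeps such releases working, e.g. `{{- toYaml (.Values.persistence.securityContext | default (dict "runAsUser" 0)) | nindent 10 }}`, and the equivalent with `"privileged" true` added for sysctlInit. Both init container definitions start and end outside these hunks.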
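Review bot: The comment added above `persistence.securityContext` in the `@@ -212,6 +212,11 @@` hunk calls it a pod security context and links to the pod-level section of the Kubernetes docs, but the statefulset change in this patch renders the value under an init container's `securityContext:`, which is the container-level type. Pod-only fields such as `fsGroup` placed here would not be valid for a container, so the comment should say what the value applies to, e.g. `## securityContext of the init container that chowns the data directory (container-level fields only)`, with the link pointing at `#set-the-security-context-for-a-container` on the same page. The same comment is repeated for `sysctlInit.securityContext` in the `@@ -462,11 +467,18 @@` hunk. It is also worth stating next to the default that `runAsUser: 0` is what lets `chown -R 1000:1000` succeed.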
@@ -462,11 +467,18 @@ sysctl:
 ## Set optimal sysctl's through privileged initContainer.
 sysctlInit:
- enabled: false
+ enabled: true
+ #enabled: false
 # override image, which is busybox by default
 # image: busybox
 # override image tag, which is latest by default
 # imageTag:
+ ## Configure Pods Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+ ##
+ securityContext:
+ runAsUser: 0
+ privileged: true
 ## Enable to add 3rd Party / Custom plugins not offered in the default OpenSearch image.
 plugins:
From 9229c12f75f00cfecc6c2e87314b870b1078ce3f Mon Sep 17 00:00:00 2001
From: JustinWang
Date: Tue, 5 Dec 2023 10:01:27 +0800
Subject: [PATCH 2/5] Add CHANGELOG
Signed-off-by: JustinWang
---
 charts/opensearch/CHANGELOG.md | 9 +++++++++
 charts/opensearch/Chart.yaml | 2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/charts/opensearch/CHANGELOG.md b/charts/opensearch/CHANGELOG.md
index 87ee8251..3f15c058 100644
--- a/charts/opensearch/CHANGELOG.md
+++ b/charts/opensearch/CHANGELOG.md
@@ -13,6 +13,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed
 ### Security
 ---
+## [2.17.1]
+### Added
+### Changed
+- Fix the initContainers parameter securityContext to be configurable.
+### Deprecated
+### Removed
+### Fixed
+### Security
+---
 ## [2.17.0]
 ### Added
 - Updated OpenSearch appVersion to 2.11.1
diff --git a/charts/opensearch/Chart.yaml b/charts/opensearch/Chart.yaml
index a46d3189..54242ed9 100644
--- a/charts/opensearch/Chart.yaml
+++ b/charts/opensearch/Chart.yaml
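Review bot: The new `sysctlInit.securityContext` default in the `@@ -462,11 +467,18 @@` hunk (`runAsUser: 0` plus `privileged: true`) has no comment explaining that Helm merges user-supplied maps into chart defaults key by key, so an override that only adds fields (say a `capabilities` block) still ships a privileged root container. The comment above the key should say that `privileged: true` is there for the `sysctl -w vm.max_map_count` call and how to remove a default, e.g. `## privileged is needed to write vm.max_map_count; values are merged with these defaults, so set a key to false or null to drop it`. Operators who tighten this context should expect the init container to fail rather than silently skip the sysctl, which is also worth a line in the comment.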
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.17.0
+version: 2.17.1
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
From c2f09f9bfa92db69d2009a0356e6fe6fc7015191 Mon Sep 17 00:00:00 2001
From: JustinWang
Date: Tue, 5 Dec 2023 10:03:40 +0800
Subject: [PATCH 3/5] Set sysctlInit.enabled to default value false
Signed-off-by: JustinWang
---
 charts/opensearch/values.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/charts/opensearch/values.yaml b/charts/opensearch/values.yaml
index 5da9fb06..c3b89570 100644
--- a/charts/opensearch/values.yaml
+++ b/charts/opensearch/values.yaml
@@ -467,8 +467,7 @@ sysctl:
 ## Set optimal sysctl's through privileged initContainer.
 sysctlInit:
- enabled: true
- #enabled: false
+ enabled: false
 # override image, which is busybox by default
 # image: busybox
 # override image tag, which is latest by default
From 26b67ec7916fb879b59662cb98c3e0b243564d7f Mon Sep 17 00:00:00 2001
From: opencmit2 <112474703+opencmit2@users.noreply.github.com>
Date: Tue, 9 Jan 2024 10:18:29 +0800
Subject: [PATCH 4/5] Update Chart.yaml
Signed-off-by: opencmit2 <112474703+opencmit2@users.noreply.github.com>
---
 charts/opensearch/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/opensearch/Chart.yaml b/charts/opensearch/Chart.yaml
index 54242ed9..b40f6979 100644
--- a/charts/opensearch/Chart.yaml
+++ b/charts/opensearch/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.17.1
+version: 2.17.2
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
From 58df476133fab784e2ecabcff1450dae6b277723 Mon Sep 17 00:00:00 2001
From: opencmit2 <112474703+opencmit2@users.noreply.github.com>
Date: Tue, 5 Mar 2024 10:01:57 +0800
Subject: [PATCH 5/5] Update Chart.yaml
Signed-off-by: opencmit2 <112474703+opencmit2@users.noreply.github.com>
---
 charts/opensearch/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/opensearch/Chart.yaml b/charts/opensearch/Chart.yaml
index b40f6979..1af49c83 100644
--- a/charts/opensearch/Chart.yaml
+++ b/charts/opensearch/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.17.2
+version: 2.18.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to