[bump] ocean-kubernetes-controller - v2.0.67 (#157)

* bump ocean-kubernetes-controller app version to 2.0.67 * bump fluentbit 3.1.9 * adjust security context for openshift support --------- Co-authored-by: Roi Kramer <[email protected]> Co-authored-by: spotinst-ci <[email protected]>
spotinst · Oct 31, 2024 · a80f4e4 · a80f4e4
1 parent e74f76d
commit a80f4e4
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 29 deletions.
diff --git a/charts/ocean-kubernetes-controller/Chart.yaml b/charts/ocean-kubernetes-controller/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: ocean-kubernetes-controller
 description: A Helm chart for Ocean Kubernetes Controller
 type: application
-version: 0.1.55
-appVersion: 2.0.66
+version: 0.1.56
+appVersion: 2.0.67
 kubeVersion: ">=1.20.0-0"
 maintainers:
   - name: spotinst

diff --git a/charts/ocean-kubernetes-controller/README.md b/charts/ocean-kubernetes-controller/README.md
@@ -1,6 +1,6 @@
 # ocean-kubernetes-controller
 
-![Version: 0.1.55](https://img.shields.io/badge/Version-0.1.55-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.0.66](https://img.shields.io/badge/AppVersion-2.0.66-informational?style=flat-square)
+![Version: 0.1.56](https://img.shields.io/badge/Version-0.1.56-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.0.67](https://img.shields.io/badge/AppVersion-2.0.67-informational?style=flat-square)
 
 A Helm chart for Ocean Kubernetes Controller.
 
@@ -74,7 +74,7 @@ Kubernetes: `>=1.20.0-0`
 | autoUpdate.image.repository | string | `"us-docker.pkg.dev/spotit-today/container-labs/auto-updater"` | Image repository. (Optional) |
 | autoUpdate.image.tag | string | `"latest"` | Overrides the image tag. (Optional) |
 | autoUpdate.imagePullSecrets | list | `[]` | Image pull secrets. (Optional) |
-| autoUpdate.podSecurityContext | object | `{"fsGroup":10001,"runAsGroup":10001,"runAsNonRoot":true,"runAsUser":10001}` | Pod Security Context for the auto-updater job. (Optional) Ref: https://kubernetes.io/docs/concepts/security/pod-security-standards/ |
+| autoUpdate.podSecurityContext | object | `{"fsGroup":1000690000,"runAsGroup":1000690000,"runAsNonRoot":true,"runAsUser":1000690000}` | Pod Security Context for the auto-updater job. (Optional) Ref: https://kubernetes.io/docs/concepts/security/pod-security-standards/ |
 | autoUpdate.priorityClassName | string | `"system-cluster-critical"` | Priority class name for the auto-updater job. Defaults to the same priority class as the controller to prevent eviction. (Optional) |
 | autoUpdate.resources | object | `{"limits":{"cpu":"100m","memory":"256Mi"},"requests":{"cpu":"100m","memory":"256Mi"}}` | Resource requests and limits for the auto-updater job. Defaults to 100m CPU and 256Mi memory to make the job run with 'Guranteed' QoS. (Optional) |
 | autoUpdate.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true}` | Security Context for the auto-updater container. (Optional) |
@@ -103,10 +103,10 @@ Kubernetes: `>=1.20.0-0`
 | livenessProbe.httpGet.port | string | `"readiness"` |  |
 | livenessProbe.initialDelaySeconds | int | `15` |  |
 | livenessProbe.periodSeconds | int | `20` |  |
-| logShipping | object | `{"command":["/fluent-bit/bin/fluent-bit","-c","/tmp/fluent-bit.conf","-q"],"destination":{"host":"api.spotinst.io","port":443,"tls":true},"enabled":true,"extraEnv":[],"extraVolumeMounts":[],"image":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/fluent/fluent-bit","tag":"3.0.7"}}` | Log Shipping configuration. |
+| logShipping | object | `{"command":["/fluent-bit/bin/fluent-bit","-c","/tmp/fluent-bit.conf","-q"],"destination":{"host":"api.spotinst.io","port":443,"tls":true},"enabled":true,"extraEnv":[],"extraVolumeMounts":[],"image":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/fluent/fluent-bit","tag":"3.1.9"}}` | Log Shipping configuration. |
 | logShipping.destination | object | `{"host":"api.spotinst.io","port":443,"tls":true}` | Log shipping destination configuration. |
 | logShipping.enabled | bool | `true` | Specifies whether to send the controller logs to Spot for analysis. (Optional) |
-| logShipping.image | object | `{"pullPolicy":"IfNotPresent","repository":"ghcr.io/fluent/fluent-bit","tag":"3.0.7"}` | Specifies the log shipping container image. (Optional) |
+| logShipping.image | object | `{"pullPolicy":"IfNotPresent","repository":"ghcr.io/fluent/fluent-bit","tag":"3.1.9"}` | Specifies the log shipping container image. (Optional) |
 | metrics-server.args | list | `["--logtostderr"]` | Arguments to pass to metrics-server on start up. (Optional) |
 | metrics-server.deployChart | bool | `true` | Specifies whether the metrics-server chart should be deployed. (Optional) |
 | metrics-server.image.pullPolicy | string | `"IfNotPresent"` |  |
@@ -116,10 +116,10 @@ Kubernetes: `>=1.20.0-0`
 | nodeSelector | object | `{}` |  |
 | podAnnotations | object | `{}` |  |
 | podLabels | object | `{}` |  |
-| podSecurityContext.fsGroup | int | `10001` |  |
-| podSecurityContext.runAsGroup | int | `10001` |  |
+| podSecurityContext.fsGroup | int | `1000690000` |  |
+| podSecurityContext.runAsGroup | int | `1000690000` |  |
 | podSecurityContext.runAsNonRoot | bool | `true` |  |
-| podSecurityContext.runAsUser | int | `10001` |  |
+| podSecurityContext.runAsUser | int | `1000690000` |  |
 | priorityClassName | string | `"system-node-critical"` | Priority class name for the controller pod. |
 | readinessProbe.httpGet.path | string | `"/readyz"` |  |
 | readinessProbe.httpGet.port | string | `"readiness"` |  |

diff --git a/charts/ocean-kubernetes-controller/templates/clusterrole.yaml b/charts/ocean-kubernetes-controller/templates/clusterrole.yaml
@@ -73,19 +73,6 @@ rules:
   resourceNames: ["kubernetes.io/kubelet-serving", "kubernetes.io/kube-apiserver-client-kubelet"]
   verbs: ["approve"]
 {{- end }}
-{{- if not .Values.spotinst.disableAutoUpdate }}
-# ---------------------------------------------------------------------------
-# feature: ocean/auto-update
-# ---------------------------------------------------------------------------
-- apiGroups: ["rbac.authorization.k8s.io"]
-  resources: ["clusterroles"]
-  resourceNames: ["spotinst-kubernetes-cluster-controller"]
-  verbs: ["patch", "update", "escalate"]
-- apiGroups: ["apps"]
-  resources: ["deployments"]
-  resourceNames: ["spotinst-kubernetes-cluster-controller"]
-  verbs: ["patch", "update"]
-{{- end }}
 # ---------------------------------------------------------------------------
 # feature: ocean/apply
 # ---------------------------------------------------------------------------

diff --git a/charts/ocean-kubernetes-controller/values.yaml b/charts/ocean-kubernetes-controller/values.yaml
@@ -81,9 +81,9 @@ commonLabels: {}
 # Ref: https://kubernetes.io/docs/concepts/security/pod-security-standards/
 podSecurityContext:
   runAsNonRoot: true
-  runAsUser: 10001
-  runAsGroup: 10001
-  fsGroup: 10001
+  runAsUser: 1000690000
+  runAsGroup: 1000690000
+  fsGroup: 1000690000
 
 # -- Priority class name for the controller pod.
 priorityClassName: system-node-critical
@@ -207,7 +207,7 @@ logShipping:
   # -- Specifies the log shipping container image. (Optional)
   image:
     repository: ghcr.io/fluent/fluent-bit
-    tag: "3.0.7"
+    tag: "3.1.9"
     pullPolicy: IfNotPresent
 
   # -- Log shipping destination configuration.
@@ -244,9 +244,9 @@ autoUpdate:
   # Ref: https://kubernetes.io/docs/concepts/security/pod-security-standards/
   podSecurityContext:
     runAsNonRoot: true
-    runAsUser: 10001
-    runAsGroup: 10001
-    fsGroup: 10001
+    runAsUser: 1000690000
+    runAsGroup: 1000690000
+    fsGroup: 1000690000
 
   # -- Security Context for the auto-updater container. (Optional)
   securityContext: