Remove securitycontext options for now
parent
a9cf23677a
commit
d4cd85e0b0
|
@ -142,7 +142,6 @@ The following table lists the configurable parameters of the MinIO chart and the
|
|||
| `certsPath` | Default certs path location | `/etc/minio/certs` |
|
||||
| `mountPath` | Default mount location for persistent drive | `/export` |
|
||||
| `bucketRoot` | Directory from where minio should serve buckets. | Value of `.mountPath` |
|
||||
| `clusterDomain` | domain name of kubernetes cluster where pod is running. | `cluster.local` |
|
||||
| `service.type` | Kubernetes service type | `ClusterIP` |
|
||||
| `service.port` | Kubernetes port where service is exposed | `9000` |
|
||||
| `service.externalIPs` | service external IP addresses | `nil` |
|
||||
|
@ -154,10 +153,6 @@ The following table lists the configurable parameters of the MinIO chart and the
|
|||
| `persistence.accessMode` | ReadWriteOnce or ReadOnly | `ReadWriteOnce` |
|
||||
| `persistence.subPath` | Mount a sub directory of the persistent volume if set | `""` |
|
||||
| `resources.requests.memory` | Memory resource requests | Memory: `4Gi` |
|
||||
| `securityContext.enabled` | Enable to run containers as non-root. NOTE: if `persistence.enabled=false` then securityContext will be automatically disabled | `true` |
|
||||
| `securityContext.runAsUser` | User id of the user for the container | `1000` |
|
||||
| `securityContext.runAsGroup` | Group id of the user for the container | `1000` |
|
||||
| `securityContext.fsGroup` | Group id of the persistent volume mount for the container | `1000` |
|
||||
| `tls.enabled` | Enable TLS for MinIO server | `false` |
|
||||
| `tls.certSecret` | Kubernetes Secret with `public.crt` and `private.key` files. | `""` |
|
||||
| `defaultBucket.enabled` | If set to true, a bucket will be created after MinIO install | `false` |
|
||||
|
|
|
@ -35,12 +35,6 @@ spec:
|
|||
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
|
||||
spec:
|
||||
serviceAccountName: {{ include "minio.serviceAccountName" . | quote }}
|
||||
{{- if and .Values.securityContext.enabled .Values.persistence.enabled }}
|
||||
securityContext:
|
||||
runAsUser: {{ .Values.securityContext.runAsUser }}
|
||||
runAsGroup: {{ .Values.securityContext.runAsGroup }}
|
||||
fsGroup: {{ .Values.securityContext.fsGroup }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}
|
||||
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
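Review bot: With the pod-level `securityContext` block gone between `serviceAccountName` and `containers`, the container runs as whatever user the image defaults to and no `fsGroup` is applied to the persistent volume. Any `securityContext.*` values in existing overrides are now ignored without warning. Since the title says "for now", I would leave a marker at that spot, e.g. `# securityContext removed temporarily: pod runs as the image's default user, no fsGroup applied`, and say the same in the README so operators do not assume the previous non-root default (`runAsUser: 1000`) still holds. Whether the image's default user is root is not visible on this page and should be confirmed before release. The pod spec continues outside the hunk.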
|
||||
|
|
|
@ -1,20 +0,0 @@
|
|||
{{- if and .Values.securityContext.enabled .Values.persistence.enabled (.Capabilities.APIVersions.Has "security.openshift.io/v1") }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ template "minio.serviceAccountName" . }}
|
||||
labels:
|
||||
app: {{ template "minio.name" . }}
|
||||
chart: {{ template "minio.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "minio.serviceAccountName" . }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "minio.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
{{- end }}
|
|
@ -1,46 +0,0 @@
|
|||
{{- if and .Values.securityContext.enabled .Values.persistence.enabled (.Capabilities.APIVersions.Has "security.openshift.io/v1") }}
|
||||
apiVersion: security.openshift.io/v1
|
||||
kind: SecurityContextConstraints
|
||||
metadata:
|
||||
name: {{ template "minio.fullname" . }}
|
||||
labels:
|
||||
app: {{ template "minio.name" . }}
|
||||
chart: {{ template "minio.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
priority: 10
|
||||
allowHostDirVolumePlugin: false
|
||||
allowHostIPC: false
|
||||
allowHostNetwork: false
|
||||
allowHostPID: false
|
||||
allowHostPorts: false
|
||||
allowPrivilegeEscalation: true
|
||||
allowPrivilegedContainer: false
|
||||
allowedCapabilities: []
|
||||
readOnlyRootFilesystem: false
|
||||
defaultAddCapabilities: []
|
||||
requiredDropCapabilities:
|
||||
- KILL
|
||||
- MKNOD
|
||||
- SETUID
|
||||
- SETGID
|
||||
fsGroup:
|
||||
type: MustRunAs
|
||||
ranges:
|
||||
- max: {{ .Values.securityContext.fsGroup }}
|
||||
min: {{ .Values.securityContext.fsGroup }}
|
||||
runAsUser:
|
||||
type: MustRunAs
|
||||
uid: {{ .Values.securityContext.runAsUser }}
|
||||
seLinuxContext:
|
||||
type: MustRunAs
|
||||
supplementalGroups:
|
||||
type: RunAsAny
|
||||
volumes:
|
||||
- configMap
|
||||
- downwardAPI
|
||||
- emptyDir
|
||||
- persistentVolumeClaim
|
||||
- projected
|
||||
- secret
|
||||
{{- end }}
|
|
@ -1,7 +1,3 @@
|
|||
## set kubernetes cluster domain where minio is running
|
||||
##
|
||||
clusterDomain: cluster.local
|
||||
|
||||
## Set default image, imageTag, and imagePullPolicy. mode is used to indicate the
|
||||
##
|
||||
image:
|
||||
|
@ -131,14 +127,6 @@ service:
|
|||
# prometheus.io/path: '/minio/prometheus/metrics'
|
||||
# prometheus.io/port: '9000'
|
||||
|
||||
## Add stateful containers to have security context, if enabled MinIO will run as this
|
||||
## user and group NOTE: securityContext is only enabled if persistence.enabled=true
|
||||
securityContext:
|
||||
enabled: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
fsGroup: 1000
|
||||
|
||||
## Configure resource requests and limits
|
||||
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
|
||||
##
|
||||
|
|