Remove securitycontext options for now

Waqar Ahmed 2020-12-09 01:46:39 +05:00
parent a9cf23677a
commit d4cd85e0b0
5 changed files with 0 additions and 89 deletions


@ -142,7 +142,6 @@ The following table lists the configurable parameters of the MinIO chart and the
| `certsPath` | Default certs path location | `/etc/minio/certs` |
| `mountPath` | Default mount location for persistent drive | `/export` |
| `bucketRoot` | Directory from where minio should serve buckets. | Value of `.mountPath` |
| `clusterDomain` | domain name of kubernetes cluster where pod is running. | `cluster.local` |
| `service.type` | Kubernetes service type | `ClusterIP` |
| `service.port` | Kubernetes port where service is exposed | `9000` |
| `service.externalIPs` | service external IP addresses | `nil` |
@ -154,10 +153,6 @@ The following table lists the configurable parameters of the MinIO chart and the
| `persistence.accessMode` | ReadWriteOnce or ReadOnly | `ReadWriteOnce` |
| `persistence.subPath` | Mount a sub directory of the persistent volume if set | `""` |
| `resources.requests.memory` | Memory resource requests | Memory: `4Gi` |
| `securityContext.enabled` | Enable to run containers as non-root. NOTE: if `persistence.enabled=false` then securityContext will be automatically disabled | `true` |
| `securityContext.runAsUser` | User id of the user for the container | `1000` |
| `securityContext.runAsGroup` | Group id of the user for the container | `1000` |
| `securityContext.fsGroup` | Group id of the persistent volume mount for the container | `1000` |
| `tls.enabled` | Enable TLS for MinIO server | `false` |
| `tls.certSecret` | Kubernetes Secret with `public.crt` and `private.key` files. | `""` |
| `defaultBucket.enabled` | If set to true, a bucket will be created after MinIO install | `false` |


@ -35,12 +35,6 @@ spec:
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
spec:
serviceAccountName: {{ include "minio.serviceAccountName" . | quote }}
{{- if and .Values.securityContext.enabled .Values.persistence.enabled }}
securityContext:
runAsUser: {{ .Values.securityContext.runAsUser }}
runAsGroup: {{ .Values.securityContext.runAsGroup }}
fsGroup: {{ .Values.securityContext.fsGroup }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
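Review bot: With the pod-level `securityContext` block gone, the pod spec after `serviceAccountName` no longer sets `runAsUser`, `runAsGroup` or `fsGroup`, so the container runs as whatever user the image defaults to (possibly root) and the persistent volume is no longer group-owned for it. If the values cannot be exposed for now, consider keeping a fixed block with the chart's previous defaults, `securityContext: {runAsUser: 1000, runAsGroup: 1000, fsGroup: 1000}`, or at least `allowPrivilegeEscalation: false` on the container. Otherwise, add a template comment at this spot stating that the pod intentionally runs with the image's default user and why, so the gap is tracked rather than silent. The container spec continues outside the hunk, so a container-level `securityContext` may already exist there; that should be confirmed before merging.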


@ -1,20 +0,0 @@
{{- if and .Values.securityContext.enabled .Values.persistence.enabled (.Capabilities.APIVersions.Has "security.openshift.io/v1") }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "minio.serviceAccountName" . }}
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
namespace: {{ .Release.Namespace | quote }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "minio.serviceAccountName" . }}
subjects:
- kind: ServiceAccount
name: {{ template "minio.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
{{- end }}


@ -1,46 +0,0 @@
{{- if and .Values.securityContext.enabled .Values.persistence.enabled (.Capabilities.APIVersions.Has "security.openshift.io/v1") }}
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
name: {{ template "minio.fullname" . }}
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
priority: 10
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: []
readOnlyRootFilesystem: false
defaultAddCapabilities: []
requiredDropCapabilities:
- KILL
- MKNOD
- SETUID
- SETGID
fsGroup:
type: MustRunAs
ranges:
- max: {{ .Values.securityContext.fsGroup }}
min: {{ .Values.securityContext.fsGroup }}
runAsUser:
type: MustRunAs
uid: {{ .Values.securityContext.runAsUser }}
seLinuxContext:
type: MustRunAs
supplementalGroups:
type: RunAsAny
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
{{- end }}


@ -1,7 +1,3 @@
## set kubernetes cluster domain where minio is running
##
clusterDomain: cluster.local
## Set default image, imageTag, and imagePullPolicy. mode is used to indicate the
##
image:
@ -131,14 +127,6 @@ service:
# prometheus.io/path: '/minio/prometheus/metrics'
# prometheus.io/port: '9000'
## Add stateful containers to have security context, if enabled MinIO will run as this
## user and group NOTE: securityContext is only enabled if persistence.enabled=true
securityContext:
enabled: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
## Configure resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
##