Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cspl-2505: add Pod Security standard to restricted #1266

Merged
merged 4 commits into from
Jan 16, 2024
Merged
Show file tree
Hide file tree
Changes from 3 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions config/default/manager_auth_proxy_patch.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,13 @@ spec:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop:
- "ALL"
add:
- "NET_BIND_SERVICE"
seccompProfile:
type: "RuntimeDefault"
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1
args:
- "--secure-listen-address=0.0.0.0:8443"
Expand Down
11 changes: 10 additions & 1 deletion config/manager/manager.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ spec:
matchLabels:
control-plane: controller-manager
name: splunk-operator
strategy:
strategy:
type: Recreate
replicas: 1
template:
Expand All @@ -36,6 +36,8 @@ spec:
hostNetwork: false
hostPID: false
hostIPC: false
imagePullSecrets:
akondur marked this conversation as resolved.
Show resolved Hide resolved
- name: docker-registry
containers:
- command:
- /manager
Expand All @@ -54,6 +56,13 @@ spec:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop:
- "ALL"
add:
- "NET_BIND_SERVICE"
seccompProfile:
type: "RuntimeDefault"
livenessProbe:
httpGet:
path: /healthz
Expand Down
57 changes: 46 additions & 11 deletions docs/index.yaml
Original file line number Diff line number Diff line change
@@ -1,9 +1,29 @@
apiVersion: v1
entries:
splunk-enterprise:
- apiVersion: v2
appVersion: 2.5.0
created: "2024-01-10T10:39:11.69467-08:00"
dependencies:
- condition: splunk-operator.enabled
name: splunk-operator
repository: file://splunk-operator/helm-chart/splunk-operator
version: 2.5.0
description: A Helm chart for Splunk Enterprise managed by the Splunk Operator
digest: d94805c70ddcc080baf3b70dabe83c58cff00ad770e8373f590c115a7bcfc41d
maintainers:
- email: [email protected]
name: Vivek Reddy
- email: [email protected]
name: Arjun Kondur
name: splunk-enterprise
type: application
urls:
- https://splunk.github.io/splunk-operator/splunk-enterprise-2.5.0.tgz
version: 2.5.0
- apiVersion: v2
appVersion: 2.4.0
created: "2023-10-06T15:35:58.241056-07:00"
created: "2024-01-10T10:39:11.65808-08:00"
dependencies:
- condition: splunk-operator.enabled
name: splunk-operator
Expand All @@ -25,7 +45,7 @@ entries:
version: 2.4.0
- apiVersion: v2
appVersion: 2.3.0
created: "2023-10-06T15:35:58.21754-07:00"
created: "2024-01-10T10:39:11.632534-08:00"
dependencies:
- condition: splunk-operator.enabled
name: splunk-operator
Expand All @@ -47,7 +67,7 @@ entries:
version: 2.3.0
- apiVersion: v2
appVersion: 2.2.1
created: "2023-10-06T15:35:58.202704-07:00"
created: "2024-01-10T10:39:11.617484-08:00"
dependencies:
- condition: splunk-operator.enabled
name: splunk-operator
Expand All @@ -62,7 +82,7 @@ entries:
version: 2.2.1
- apiVersion: v2
appVersion: 2.2.0
created: "2023-10-06T15:35:58.187926-07:00"
created: "2024-01-10T10:39:11.60409-08:00"
dependencies:
- condition: splunk-operator.enabled
name: splunk-operator
Expand All @@ -77,7 +97,7 @@ entries:
version: 2.2.0
- apiVersion: v2
appVersion: 2.1.0
created: "2023-10-06T15:35:58.162232-07:00"
created: "2024-01-10T10:39:11.579208-08:00"
dependencies:
- condition: splunk-operator.enabled
name: splunk-operator
Expand All @@ -91,9 +111,24 @@ entries:
- https://splunk.github.io/splunk-operator/splunk-enterprise-1.0.0.tgz
version: 1.0.0
splunk-operator:
- apiVersion: v2
appVersion: 2.5.0
created: "2024-01-10T10:39:11.771432-08:00"
description: A Helm chart for the Splunk Operator for Kubernetes
digest: a57a89d6b0fa0f8479001f097de0ac6a94721a7bfc6dc449e7f5bfb1c9de5d04
maintainers:
- email: [email protected]
name: Vivek Reddy
- email: [email protected]
name: Arjun Kondur
name: splunk-operator
type: application
urls:
- https://splunk.github.io/splunk-operator/splunk-operator-2.5.0.tgz
version: 2.5.0
- apiVersion: v2
appVersion: 2.4.0
created: "2023-10-06T15:35:58.303657-07:00"
created: "2024-01-10T10:39:11.7597-08:00"
description: A Helm chart for the Splunk Operator for Kubernetes
digest: 9d0377747e46df4bf4b9dbd447c9ff46c926bfe2c66fd07d6d27a61abb31cb42
maintainers:
Expand All @@ -110,7 +145,7 @@ entries:
version: 2.4.0
- apiVersion: v2
appVersion: 2.3.0
created: "2023-10-06T15:35:58.291618-07:00"
created: "2024-01-10T10:39:11.748073-08:00"
description: A Helm chart for the Splunk Operator for Kubernetes
digest: 23e70ec4059bc92920d7d3adce3bff6b8aba0d5eb5d4c0efe225bf3b88d5b274
maintainers:
Expand All @@ -127,7 +162,7 @@ entries:
version: 2.3.0
- apiVersion: v2
appVersion: 2.2.1
created: "2023-10-06T15:35:58.278709-07:00"
created: "2024-01-10T10:39:11.736045-08:00"
description: A Helm chart for the Splunk Operator for Kubernetes
digest: 8868b9ae2ebde0c667b13c97d71d904a31b5a9f2c803b199bc77324f1727e1fd
name: splunk-operator
Expand All @@ -137,7 +172,7 @@ entries:
version: 2.2.1
- apiVersion: v2
appVersion: 2.2.0
created: "2023-10-06T15:35:58.264055-07:00"
created: "2024-01-10T10:39:11.724252-08:00"
description: A Helm chart for the Splunk Operator for Kubernetes
digest: 49c72276bd7ff93465b0545d8b0814f684cade7d2cd191b6d73d4c3660bd1fb4
name: splunk-operator
Expand All @@ -147,12 +182,12 @@ entries:
version: 2.2.0
- apiVersion: v2
appVersion: 2.1.0
created: "2023-10-06T15:35:58.252222-07:00"
created: "2024-01-10T10:39:11.710038-08:00"
description: A Helm chart for the Splunk Operator for Kubernetes
digest: 34e5463f8f5442655d05cb616b50391b738a0827b30d8440b4c7fce99a291d9a
name: splunk-operator
type: application
urls:
- https://splunk.github.io/splunk-operator/splunk-operator-1.0.0.tgz
version: 1.0.0
generated: "2023-10-06T15:35:58.146197-07:00"
generated: "2024-01-10T10:39:11.564217-08:00"
Binary file added docs/splunk-enterprise-2.5.0.tgz
Binary file not shown.
Binary file added docs/splunk-operator-2.5.0.tgz
Binary file not shown.
8 changes: 3 additions & 5 deletions helm-chart/splunk-enterprise/Chart.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -15,22 +15,20 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 2.4.0
version: 2.5.0

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "2.4.0"
appVersion: "2.5.0"
maintainers:
- name: Vivek Reddy
email: [email protected]
- name: Arjun Kondur
email: [email protected]
- name: Gaurav Gupta
email: [email protected]
dependencies:
- name: splunk-operator
version: "2.3.0"
version: "2.5.0"
repository: "file://splunk-operator/helm-chart/splunk-operator"
condition: splunk-operator.enabled
Binary file not shown.
Original file line number Diff line number Diff line change
Expand Up @@ -143,7 +143,7 @@ items:
{{- end }}
{{- if $.Values.indexerCluster.topologySpreadConstraints }}
{{- with $.Values.indexerCluster.topologySpreadConstraints }}
topologySpreadConstraints:
topologySpreadConstraints:
{{ toYaml . | indent 6 }}
{{- end }}
{{- end }}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,12 +9,12 @@ metadata:
{{ toYaml . | indent 4 }}
{{- end }}
{{- with .Values.licenseManager.additionalAnnotations }}
annotations:
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
spec:
{{- with .Values.licenseManager.appRepo }}
appRepo:
appRepo:
{{ toYaml . | indent 4 }}
{{- end }}
{{- if .Values.existingClusterManager }}
Expand Down Expand Up @@ -53,7 +53,7 @@ spec:
imagePullSecrets:
{{ toYaml . | indent 4 }}
{{- end }}
{{- with .Values.licenseManager.volumes }}
{{- with .Values.licenseManager.volumes }}
volumes:
{{ toYaml . | indent 4 }}
{{- end }}
Expand Down
14 changes: 7 additions & 7 deletions helm-chart/splunk-enterprise/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -240,7 +240,7 @@ clusterManager:
# Define affinity scheduling rules
# reference: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#affinity-v1-core
affinity: {}
## Example: schedule Splunk instance pod on a node in zone-1a
## Example: schedule Splunk instance pod on a node in zone-1a
# nodeAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
# nodeSelectorTerms:
Expand Down Expand Up @@ -385,9 +385,9 @@ searchHeadCluster:
# endpoint:
# region:
# secretRef:

volumes: []

licenseUrl: ""

defaultsUrl: ""
Expand All @@ -397,8 +397,8 @@ searchHeadCluster:
defaultsUrlApps: ""

extraEnv: []
# - name:
# value:
# - name:
# value:

livenessInitialDelaySeconds: 300

Expand Down Expand Up @@ -438,7 +438,7 @@ searchHeadCluster:
# cpu: "4"
# limits:
# memory: "12Gi"
# cpu: "24"
# cpu: "24"

serviceAccount: ""

Expand Down Expand Up @@ -598,7 +598,7 @@ licenseManager:
# endpoint:
# region:
# secretRef:

volumes: []
## Example: mounting volume containing license in Splunk instance pod container
# - name: licenses
Expand Down
6 changes: 2 additions & 4 deletions helm-chart/splunk-operator/Chart.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,6 @@ maintainers:
email: [email protected]
- name: Arjun Kondur
email: [email protected]
- name: Gaurav Gupta
email: [email protected]
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
Expand All @@ -21,10 +19,10 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: "2.4.0"
version: "2.5.0"

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "2.4.0"
appVersion: "2.5.0"
4 changes: 2 additions & 2 deletions helm-chart/splunk-operator/templates/app_download.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -19,8 +19,8 @@ spec:
storage: 10Gi
{{- end }}
volumeMode: Filesystem
{{- if $volume.storageClassName }}
storageClassName: {{ $volume.storageClassName }}
{{- if $.Values.splunkOperator.persistentVolumeClaim.storageClassName }}
storageClassName: {{ $.Values.splunkOperator.persistentVolumeClaim.storageClassName }}
{{- end }}

---
Expand Down
20 changes: 18 additions & 2 deletions helm-chart/splunk-operator/values.yaml
Original file line number Diff line number Diff line change
@@ -1,6 +1,9 @@
splunk-operator:
enabled: true

# Splunk image
image:
repository: docker.io/splunk/splunk:9.1.1
repository: docker.io/splunk/splunk:9.1.2

# The kube-rbac-proxy is a small HTTP proxy for a single upstream, that can perform RBAC
# authorization against the Kubernetes API.
Expand Down Expand Up @@ -29,7 +32,7 @@ splunkOperator:
# Splunk operator image and pull policy
# reference: https://github.com/splunk/splunk-operator
image:
repository: docker.io/splunk/splunk-operator:2.3.0
repository: docker.io/splunk/splunk-operator:2.5.0
pullPolicy: IfNotPresent

# Set image pull secrets to pull image from a private registry
Expand Down Expand Up @@ -58,6 +61,15 @@ splunkOperator:
# reference: https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation
containerSecurityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop:
- "ALL"
add:
- "NET_BIND_SERVICE"
seccompProfile:
type: "RuntimeDefault"

# Set security context for Splunk Operator pod
# reference: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#podsecuritycontext-v1-core
Expand Down Expand Up @@ -129,6 +141,10 @@ splunkOperator:
# reference: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#pod-v1-core
terminationGracePeriodSeconds: 10

# Set storageClassName for the PersistentVolumeClaim
persistentVolumeClaim:
storageClassName: "default"

# Specify volumes for Splunk Operator pod, append additional volumes to list
# reference: https://kubernetes.io/docs/concepts/storage/volumes/
volumes:
Expand Down
Loading
Loading