Skip to content

Commit

Permalink
Add option to configure seLinux and runAs policies (#538)
Browse files Browse the repository at this point in the history
Signed-off-by: Alberto Pimpo <[email protected]>
  • Loading branch information
AlbertoPimpo authored Nov 25, 2024
1 parent 89c9dbb commit 0451d01
Show file tree
Hide file tree
Showing 4 changed files with 24 additions and 8 deletions.
4 changes: 2 additions & 2 deletions charts/fluent-bit/Chart.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ keywords:
- logging
- fluent-bit
- fluentd
version: 0.48.1
version: 0.48.2
appVersion: 3.2.1
icon: https://raw.githubusercontent.com/cncf/artwork/master/projects/fluentd/fluentbit/icon/fluentbit-icon-color.svg
home: https://fluentbit.io/
Expand All @@ -23,4 +23,4 @@ maintainers:
annotations:
artifacthub.io/changes: |
- kind: changed
description: "Updated configmap-reload image to v0.14.0"
description: "Add option to configure seLinux and runAs policies"
11 changes: 7 additions & 4 deletions charts/fluent-bit/templates/psp.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -20,12 +20,15 @@ spec:
hostNetwork: {{ .Values.hostNetwork }}
hostIPC: false
hostPID: false
{{- with .Values.podSecurityPolicy.runAsUser }}
runAsUser:
# TODO: Require the container to run without root privileges.
rule: 'RunAsAny'
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.podSecurityPolicy.seLinux }}
seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux.
rule: 'RunAsAny'
{{- toYaml . | nindent 4 }}
{{- end }}

supplementalGroups:
rule: 'MustRunAs'
ranges:
Expand Down
8 changes: 6 additions & 2 deletions charts/fluent-bit/templates/scc.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -24,10 +24,14 @@ forbiddenSysctls:
readOnlyRootFilesystem: false
requiredDropCapabilities:
- MKNOD
{{- with .Values.openShift.securityContextConstraints.runAsUser }}
runAsUser:
type: RunAsAny
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.openShift.securityContextConstraints.seLinuxContext }}
seLinuxContext:
type: MustRunAs
{{- toYaml . | nindent 4 }}
{{- end }}
supplementalGroups:
type: RunAsAny
volumes:
Expand Down
9 changes: 9 additions & 0 deletions charts/fluent-bit/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,11 @@ rbac:
podSecurityPolicy:
create: false
annotations: {}
runAsUser:
rule: RunAsAny
seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux.
rule: RunAsAny

# OpenShift-specific configuration
openShift:
Expand All @@ -54,6 +59,10 @@ openShift:
create: true
name: ""
annotations: {}
runAsUser:
type: RunAsAny
seLinuxContext:
type: MustRunAs
# Use existing SCC in cluster, rather then create new one
existingName: ""

Expand Down

0 comments on commit 0451d01

Please sign in to comment.