[COMMON] Fix Kyverno policy violations in common/mongodb 17/137817/2
authorFiete Ostkamp <Fiete.Ostkamp@telekom.de>
Tue, 30 Apr 2024 11:08:03 +0000 (13:08 +0200)
committerFiete Ostkamp <Fiete.Ostkamp@telekom.de>
Mon, 6 May 2024 08:12:26 +0000 (10:12 +0200)
- set resourceLimits for emptyDir volumes
- use non-root group in mongo pods
- make pod filesystem read-only
- bump mongodb chart version from 14.12.2 to 14.12.3
- use new version in portal-ng, nbi, multicloud and dcae-tcagen2

Issue-ID: OOM-3293
Change-Id: Ife7445433337ac97a03f8cd22ad551e8745b9717
Signed-off-by: Fiete Ostkamp <Fiete.Ostkamp@telekom.de>
12 files changed:
kubernetes/common/mongodb/Chart.yaml
kubernetes/common/mongodb/templates/arbiter/statefulset.yaml
kubernetes/common/mongodb/templates/backup/cronjob.yaml
kubernetes/common/mongodb/templates/hidden/statefulset.yaml
kubernetes/common/mongodb/templates/replicaset/statefulset.yaml
kubernetes/common/mongodb/templates/standalone/dep-sts.yaml
kubernetes/common/mongodb/values.yaml
kubernetes/dcaegen2-services/components/dcae-tcagen2/Chart.yaml
kubernetes/multicloud/components/multicloud-k8s/Chart.yaml
kubernetes/nbi/Chart.yaml
kubernetes/portal-ng/components/portal-ng-history/Chart.yaml
kubernetes/portal-ng/components/portal-ng-preferences/Chart.yaml

index 73c8bab..2d6bf4b 100644 (file)
@@ -16,7 +16,7 @@ annotations:
     - name: os-shell
       image: docker.io/bitnami/os-shell:12-debian-12-r15
 apiVersion: v2
-appVersion: 7.0.5
+appVersion: 7.0.8
 dependencies:
 - name: common
   repository: 'file://./common'
@@ -40,4 +40,4 @@ maintainers:
 name: mongodb
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/mongodb
-version: 14.12.2
+version: 14.12.3
index 269863f..041b0cb 100644 (file)
@@ -254,6 +254,9 @@ spec:
             - name: empty-dir
               mountPath: /opt/bitnami/mongodb/logs
               subPath: app-logs-dir
+            - name: empty-dir
+              mountPath: /bitnami/mongodb
+              subPath: app-volume-dir
             {{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap }}
             - name: config
               mountPath: /opt/bitnami/mongodb/conf/mongodb.conf
index 79466e9..2e884b1 100644 (file)
@@ -166,14 +166,16 @@ spec:
           restartPolicy: {{ .Values.backup.cronjob.restartPolicy }}
           volumes:
             - name: empty-dir
-              emptyDir: {}
+              emptyDir:
+                sizeLimit: 64Mi
             - name: common-scripts
               configMap:
                 name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }}
                 defaultMode: 0550
             {{- if .Values.tls.enabled }}
             - name: certs
-              emptyDir: {}
+              emptyDir:
+                sizeLimit: 64Mi
             {{- if (include "mongodb.autoGenerateCerts" .) }}
             - name: certs-volume
               secret:
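Review bot: `sizeLimit: 64Mi` is a hard-coded literal here and in every other template touched by this commit (the hidden, replicaset and standalone sections below), with no way for an operator to tune it; since the kubelet evicts a pod whose emptyDir grows past its `sizeLimit`, the value should come from the chart, e.g. `sizeLimit: {{ .Values.emptyDirSizeLimit }}` with the default set in values.yaml (proposed key name, not one the chart has today). Whether 64Mi is enough for this job's `empty-dir` and `certs` volumes cannot be judged from the hunk. The enclosing pod template starts outside the hunk.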
index 5b2a807..08a55eb 100644 (file)
@@ -514,7 +514,8 @@ spec:
         {{- end }}
       volumes:
         - name: empty-dir
-          emptyDir: {}
+          emptyDir:
+            sizeLimit: 64Mi
         - name: common-scripts
           configMap:
             name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }}
@@ -531,7 +532,8 @@ spec:
         {{- end }}
         {{- if and .Values.externalAccess.hidden.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.hidden.service.type "LoadBalancer") }}
         - name: shared
-          emptyDir: {}
+          emptyDir:
+            sizeLimit: 64Mi
         {{- end }}
         - name: scripts
           configMap:
@@ -542,7 +544,8 @@ spec:
         {{- end }}
         {{- if .Values.tls.enabled }}
         - name: certs
-          emptyDir: {}
+          emptyDir:
+            sizeLimit: 64Mi
         {{- if (include "mongodb.autoGenerateCerts" .) }}
         - name: certs-volume
           secret:
@@ -568,8 +571,10 @@ spec:
           {{- if .Values.hidden.persistence.medium }}
           emptyDir:
             medium: {{ .Values.hidden.persistence.medium | quote }}
+            sizeLimit: 64Mi
           {{- else }}
-          emptyDir: {}
+          emptyDir:
+            sizeLimit: 64Mi
           {{- end }}
   {{- else }}
   volumeClaimTemplates:
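Review bot: The `sizeLimit: 64Mi` added on the datadir fallback (the `{{- if .Values.hidden.persistence.medium }}` / `{{- else }}` emptyDir, L109-115) caps the MongoDB data directory itself when persistence is disabled, which differs from the scratch-volume hunks above: once stored data exceeds 64Mi the kubelet evicts the pod. The same applies to the replicaset (`.Values.persistence.medium` block) and standalone sections further down. The datadir limit should be distinct from the scratch-dir limit and configurable, e.g. `sizeLimit: {{ .Values.hidden.persistence.size }}` if that value exists in this chart, otherwise a new dedicated value; with `medium: Memory` the tmpfs usage also counts against the container's memory limit, which is worth a one-line comment next to it. The enclosing `volumes:` list starts outside the hunk.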
index 55158e8..b171eca 100644 (file)
@@ -512,7 +512,8 @@ spec:
         {{- end }}
       volumes:
         - name: empty-dir
-          emptyDir: {}
+          emptyDir:
+            sizeLimit: 64Mi
         - name: common-scripts
           configMap:
             name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }}
@@ -529,7 +530,8 @@ spec:
         {{- end }}
         {{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.service.type "LoadBalancer") }}
         - name: shared
-          emptyDir: {}
+          emptyDir:
+            sizeLimit: 64Mi
         {{- end }}
         - name: scripts
           configMap:
@@ -540,7 +542,8 @@ spec:
         {{- end }}
         {{- if .Values.tls.enabled }}
         - name: certs
-          emptyDir: {}
+          emptyDir:
+            sizeLimit: 64Mi
         {{- if (include "mongodb.autoGenerateCerts" .) }}
         - name: certs-volume
           secret:
@@ -566,8 +569,10 @@ spec:
           {{- if .Values.persistence.medium }}
           emptyDir:
             medium: {{ .Values.persistence.medium | quote }}
+            sizeLimit: 64Mi
           {{- else }}
-          emptyDir: {}
+          emptyDir:
+            sizeLimit: 64Mi
           {{- end }}
   {{- else }}
   {{- if .Values.persistentVolumeClaimRetentionPolicy.enabled }}
index 29dd406..6f63f0b 100644 (file)
@@ -437,7 +437,8 @@ spec:
         {{- end }}
       volumes:
         - name: empty-dir
-          emptyDir: {}
+          emptyDir:
+            sizeLimit: 64Mi
         - name: common-scripts
           configMap:
             name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }}
@@ -457,7 +458,8 @@ spec:
         {{- end }}
         {{- if .Values.tls.enabled }}
         - name: certs
-          emptyDir: {}
+          emptyDir:
+            sizeLimit: 64Mi
         {{- if (include "mongodb.autoGenerateCerts" .) }}
         - name: certs-volume
           secret:
@@ -481,8 +483,10 @@ spec:
           {{- if .Values.persistence.medium }}
           emptyDir:
             medium: {{ .Values.persistence.medium | quote }}
+            sizeLimit: 64Mi
           {{- else }}
-          emptyDir: {}
+          emptyDir:
+            sizeLimit: 64Mi
           {{- end }}
   {{- else if .Values.persistence.existingClaim }}
         - name: {{ .Values.persistence.name | default "datadir" }}
index 8d995ce..9612859 100644 (file)
@@ -120,7 +120,7 @@ diagnosticMode:
 image:
   registry: docker.io
   repository: bitnami/mongodb
-  tag: 7.0.5-debian-12-r5
+  tag: 7.0.8-debian-12-r2
   digest: ""
   ## Specify a imagePullPolicy
   ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
@@ -246,7 +246,7 @@ tls:
   image:
     registry: docker.io
     repository: bitnami/nginx
-    tag: 1.25.4-debian-12-r1
+    tag: 1.25.4-debian-12-r7
     digest: ""
     pullPolicy: IfNotPresent
     ## Optionally specify an array of imagePullSecrets.
@@ -571,15 +571,17 @@ podSecurityContext:
 ##
 containerSecurityContext:
   enabled: true
-  seLinuxOptions: null
+  seLinuxOptions: {}
   runAsUser: 1001
-  runAsGroup: 0
+  runAsGroup: 1001
   runAsNonRoot: true
   privileged: false
-  readOnlyRootFilesystem: false
+  readOnlyRootFilesystem: true
   allowPrivilegeEscalation: false
   capabilities:
-    drop: ["ALL"]
+    drop:
+      - ALL
+      - CAP_NET_RAW
   seccompProfile:
     type: "RuntimeDefault"
 ## MongoDB(&reg;) containers' resource requests and limits.
@@ -834,7 +836,7 @@ externalAccess:
     image:
       registry: docker.io
       repository: bitnami/kubectl
-      tag: 1.29.2-debian-12-r1
+      tag: 1.29.3-debian-12-r3
       digest: ""
       ## Specify a imagePullPolicy
       ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
@@ -1203,15 +1205,17 @@ backup:
     ##
     containerSecurityContext:
       enabled: true
-      seLinuxOptions: null
+      seLinuxOptions: {}
       runAsUser: 1001
-      runAsGroup: 0
+      runAsGroup: 1001
       runAsNonRoot: true
       privileged: false
-      readOnlyRootFilesystem: false
+      readOnlyRootFilesystem: true
       allowPrivilegeEscalation: false
       capabilities:
-        drop: ["ALL"]
+        drop:
+        - ALL
+        - CAP_NET_RAW
       seccompProfile:
         type: "RuntimeDefault"
     ## @param backup.cronjob.command Set backup container's command to run
@@ -1382,7 +1386,7 @@ volumePermissions:
   image:
     registry: docker.io
     repository: bitnami/os-shell
-    tag: 12-debian-12-r15
+    tag: 12-debian-12-r18
     digest: ""
     ## Specify a imagePullPolicy
     ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
@@ -1429,7 +1433,7 @@ volumePermissions:
   ## @param volumePermissions.securityContext.runAsUser User ID for the volumePermissions container
   ##
   securityContext:
-    seLinuxOptions: null
+    seLinuxOptions: {}
     runAsUser: 0
 ## @section Arbiter parameters
 ##
@@ -1603,15 +1607,17 @@ arbiter:
   ##
   containerSecurityContext:
     enabled: true
-    seLinuxOptions: null
+    seLinuxOptions: {}
     runAsUser: 1001
-    runAsGroup: 0
+    runAsGroup: 1001
     runAsNonRoot: true
     privileged: false
-    readOnlyRootFilesystem: false
+    readOnlyRootFilesystem: true
     allowPrivilegeEscalation: false
     capabilities:
-      drop: ["ALL"]
+      drop:
+        - ALL
+        - CAP_NET_RAW
     seccompProfile:
       type: "RuntimeDefault"
   ## MongoDB(&reg;) Arbiter containers' resource requests and limits.
@@ -1946,15 +1952,17 @@ hidden:
   ##
   containerSecurityContext:
     enabled: true
-    seLinuxOptions: null
+    seLinuxOptions: {}
     runAsUser: 1001
-    runAsGroup: 0
+    runAsGroup: 1001
     runAsNonRoot: true
     privileged: false
-    readOnlyRootFilesystem: false
+    readOnlyRootFilesystem: true
     allowPrivilegeEscalation: false
     capabilities:
-      drop: ["ALL"]
+      drop:
+        - ALL
+        - CAP_NET_RAW
     seccompProfile:
       type: "RuntimeDefault"
   ## MongoDB(&reg;) Hidden containers' resource requests and limits.
@@ -2180,7 +2188,7 @@ metrics:
   image:
     registry: docker.io
     repository: bitnami/mongodb-exporter
-    tag: 0.40.0-debian-12-r11
+    tag: 0.40.0-debian-12-r15
     digest: ""
     pullPolicy: IfNotPresent
     ## Optionally specify an array of imagePullSecrets.
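Review bot: `CAP_NET_RAW` listed after `ALL` in the four `capabilities.drop` lists (L230-232 and the backup, arbiter and hidden blocks) is redundant, since `ALL` already drops it; if it is kept only to satisfy a policy that matches on the literal entry, record that, e.g. `# explicit entry kept for policy checks that match on NET_RAW`, and note that Kubernetes manifests conventionally spell it `NET_RAW` without the `CAP_` prefix, so check which form the policy and runtime expect. The backup block's list (L262-263) is flush with `drop:` while the other three indent it — pick one sequence indentation for the file. `readOnlyRootFilesystem: true` now applies to every mongod container, so any path the image writes that is not backed by a mount fails at runtime; only the arbiter's mount list changes in this commit, so the other templates are presumably already covered but that is worth verifying.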
index ffddeb5..7b30414 100644 (file)
@@ -41,5 +41,5 @@ dependencies:
     version: ~13.x-0
     repository: '@local'
   - name: mongodb
-    version: 14.12.2
+    version: 14.12.3
     repository: '@local'
\ No newline at end of file
index 4099f82..8d50814 100644 (file)
@@ -27,7 +27,7 @@ dependencies:
     # be published independently to a repo (at this point)
     repository: '@local'
   - name: mongodb
-    version: 14.12.2
+    version: 14.12.3
     repository: '@local'
   - name: etcd
     version: ~13.x-0
index 25f307c..6f403f7 100644 (file)
@@ -27,7 +27,7 @@ dependencies:
     # be published independently to a repo (at this point)
     repository: '@local'
   - name: mongodb
-    version: 14.12.2
+    version: 14.12.3
     repository: '@local'
   - name: mariadb-galera
     version: ~13.x-0
index 27e7f58..14a0f94 100644 (file)
@@ -47,5 +47,5 @@ dependencies:
     version: ~13.x-0
     repository: '@local'
   - name: mongodb
-    version: 14.12.2
+    version: 14.12.3
     repository: '@local'
index 2ec186a..30b0944 100644 (file)
@@ -47,7 +47,7 @@ dependencies:
     version: ~13.x-0
     repository: '@local'
   - name: mongodb
-    version: 14.12.2
+    version: 14.12.3
     repository: '@local'