diff --git a/charts/kube-proxy/CHANGELOG.md b/charts/kube-proxy/CHANGELOG.md
index a3425f08..6ae03609 100644
--- a/charts/kube-proxy/CHANGELOG.md
+++ b/charts/kube-proxy/CHANGELOG.md
@@ -14,6 +14,12 @@
 ## [UNRELEASED]
+## [v0.0.5] - 2024-08-01
+
+### Fixed
+
+- Fixed security context.
+
 ## [v0.0.4] - 2024-08-01
 ### Fixed
@@ -42,6 +48,7 @@ RELEASE LINKS -->
 [UNRELEASED]: https://github.com/stevehipwell/helm-charts/tree/main/charts/kube-proxy
+[v0.0.5]: https://github.com/stevehipwell/helm-charts/releases/tag/kube-proxy-0.0.5
 [v0.0.4]: https://github.com/stevehipwell/helm-charts/releases/tag/kube-proxy-0.0.4
 [v0.0.3]: https://github.com/stevehipwell/helm-charts/releases/tag/kube-proxy-0.0.3
 [v0.0.2]: https://github.com/stevehipwell/helm-charts/releases/tag/kube-proxy-0.0.2
diff --git a/charts/kube-proxy/Chart.yaml b/charts/kube-proxy/Chart.yaml
index cf51ebef..ac2c5ff2 100644
--- a/charts/kube-proxy/Chart.yaml
+++ b/charts/kube-proxy/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: kube-proxy
 description: Helm chart for managing kube-proxy.
 type: application
-version: 0.0.4
+version: 0.0.5
 appVersion: 1.30.3
 keywords:
 - kubernetes
@@ -20,4 +20,4 @@ maintainers:
 annotations:
 artifacthub.io/changes: |
 - kind: fixed
- description: "Removed unknown `logtostderr` arg."
+ description: "Fixed security context."
diff --git a/charts/kube-proxy/README.md b/charts/kube-proxy/README.md
index 8beeeba2..8786d731 100644
--- a/charts/kube-proxy/README.md
+++ b/charts/kube-proxy/README.md
@@ -1,6 +1,6 @@
 # kube-proxy
-![Version: 0.0.4](https://img.shields.io/badge/Version-0.0.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.30.3](https://img.shields.io/badge/AppVersion-1.30.3-informational?style=flat-square)
+![Version: 0.0.5](https://img.shields.io/badge/Version-0.0.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.30.3](https://img.shields.io/badge/AppVersion-1.30.3-informational?style=flat-square)
 Helm chart for managing kube-proxy.
@@ -24,7 +24,7 @@ Helm chart for managing kube-proxy.
 To install the chart using the recommended OCI method you can use the following command.
 ```shell
-helm upgrade --install kube-proxy oci://ghcr.io/stevehipwell/helm-charts/kube-proxy --version 0.0.4
+helm upgrade --install kube-proxy oci://ghcr.io/stevehipwell/helm-charts/kube-proxy --version 0.0.5
 ```
 #### Verification
@@ -32,7 +32,7 @@ helm upgrade --install kube-proxy oci://ghcr.io/stevehipwell/helm-charts/kube-pr
 As the OCI chart release is signed by [Cosign](https://github.com/sigstore/cosign) you can verify the chart before installing it by running the following command.
 ```shell
-cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp 'https://github\.com/action-stars/helm-workflows/\.github/workflows/release\.yaml@.+' --certificate-github-workflow-repository stevehipwell/helm-charts --certificate-github-workflow-name Release ghcr.io/stevehipwell/helm-charts/kube-proxy:0.0.4
+cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp 'https://github\.com/action-stars/helm-workflows/\.github/workflows/release\.yaml@.+' --certificate-github-workflow-repository stevehipwell/helm-charts --certificate-github-workflow-name Release ghcr.io/stevehipwell/helm-charts/kube-proxy:0.0.5
 ```
 ### Non-OCI Repository
@@ -41,7 +41,7 @@ Alternatively you can use the legacy non-OCI method via the following commands.
 ```shell
 helm repo add stevehipwell https://stevehipwell.github.io/helm-charts/
-helm upgrade --install kube-proxy stevehipwell/kube-proxy --version 0.0.4
+helm upgrade --install kube-proxy stevehipwell/kube-proxy --version 0.0.5
 ```
 ## Values
@@ -59,7 +59,7 @@ helm upgrade --install kube-proxy stevehipwell/kube-proxy --version 0.0.4
 | image.tag | string | `nil` | Image tag for the default container, this will default to `.Chart.AppVersion` if not set. |
 | imagePullSecrets | list | `[]` | Image pull secrets. |
 | init.enabled | bool | `true` | If `true`, create an init container so the default container can be unprivileged. |
-| init.securityContext | object | `{"allowPrivilegeEscalation":true,"privileged":true,"readOnlyRootFilesystem":true,"runAsNonRoot":false}` | Security context for the init container. |
+| init.securityContext | object | `{"allowPrivilegeEscalation":true,"privileged":true,"readOnlyRootFilesystem":false,"runAsNonRoot":false}` | Security context for the init container. |
 | livenessProbe | object | `{"httpGet":{"path":"/livez","port":"http-health"}}` | Liveness probe configuration for the default container. |
 | logLevel | int | `2` | Log level for kube-proxy. |
 | minReadySeconds | int | `nil` | Min ready seconds for the `DaemonSet`. |
@@ -72,7 +72,7 @@ helm upgrade --install kube-proxy stevehipwell/kube-proxy --version 0.0.4
 | rbac.create | bool | `true` | If `true`, create a `ClusterRole` & `ClusterRoleBinding` with access to the Kubernetes API. |
 | readinessProbe | object | `{"httpGet":{"path":"/healthz","port":"http-health"}}` | Readiness probe configuration for the default container. |
 | resources | object | `{}` | Resources for the default container. |
-| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"add":["NET_ADMIN","SYS_RESOURCE"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":false}` | Security context for the default container; if init is disabled then this needs to be modified to make the default container privileged. |
+| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"add":["NET_ADMIN","SYS_RESOURCE"]},"privileged":false,"readOnlyRootFilesystem":false,"runAsNonRoot":false}` | Security context for the default container; if init is disabled then this needs to be modified to make the default container privileged. |
 | selectorLabelsOverride | object | `{}` | If configured replace the default selector labels with these. |
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
 | serviceAccount.create | bool | `true` | If `true`, create a new `ServiceAccount`. |
diff --git a/charts/kube-proxy/values.yaml b/charts/kube-proxy/values.yaml
index 6f53d8df..6b3a54cf 100644
--- a/charts/kube-proxy/values.yaml
+++ b/charts/kube-proxy/values.yaml
@@ -72,14 +72,14 @@ init:
 securityContext:
 privileged: true
 allowPrivilegeEscalation: true
- readOnlyRootFilesystem: true
+ readOnlyRootFilesystem: false
 runAsNonRoot: false
 # -- Security context for the default container; if init is disabled then this needs to be modified to make the default container privileged.
 securityContext:
 privileged: false
 allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
+ readOnlyRootFilesystem: false
 runAsNonRoot: false
 capabilities:
 add: ["NET_ADMIN", "SYS_RESOURCE"]
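Review bot: Both `readOnlyRootFilesystem` flips in this hunk (the `init` container block, whose `init:` mapping starts above the hunk, and the default container `securityContext`) relax a hardening default for every install, and neither values comment says why the container now needs a writable root filesystem. If the breakage was a write to one or two known paths, the narrower fix is to keep `readOnlyRootFilesystem: true` and mount an `emptyDir` over those paths (for kube-proxy the iptables lock file is the usual candidate, but that should be confirmed against the actual error); if the paths are not known yet, a comment should say so, otherwise the default will never be re-tightened. At minimum each changed line should carry a why-comment such as `readOnlyRootFilesystem: false # presumably kube-proxy writes to its root filesystem at runtime; TODO confirm the paths and mount them explicitly so this can return to true`. The README table in this commit already reflects the new defaults, so no further documentation change is needed there.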