cspl-2505: add Pod Security standard to restricted (#1266)

* add Pod Security standard to restricted * helm chart changes Signed-off-by: vivekr-splunk <[email protected]> * helm chart packages for 2.5 * removed secret --------- Signed-off-by: vivekr-splunk <[email protected]>
splunk · Jan 16, 2024 · 6bf6d2c · 6bf6d2c
1 parent 9659021
commit 6bf6d2c
Show file tree

Hide file tree

Showing 22 changed files with 430 additions and 313 deletions.
diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
@@ -18,6 +18,13 @@ spec:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true
           runAsNonRoot: true
+          capabilities:
+            drop:
+              - "ALL"
+            add:
+              - "NET_BIND_SERVICE"
+          seccompProfile:
+            type: "RuntimeDefault"
         image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1
         args:
         - "--secure-listen-address=0.0.0.0:8443"

diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -17,7 +17,7 @@ spec:
     matchLabels:
       control-plane: controller-manager
       name: splunk-operator
-  strategy: 
+  strategy:
     type: Recreate
   replicas: 1
   template:
@@ -54,6 +54,13 @@ spec:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true
           runAsNonRoot: true
+          capabilities:
+            drop:
+              - "ALL"
+            add:
+              - "NET_BIND_SERVICE"
+          seccompProfile:
+            type: "RuntimeDefault"
         livenessProbe:
           httpGet:
             path: /healthz

diff --git a/docs/index.yaml b/docs/index.yaml
@@ -1,9 +1,29 @@
 apiVersion: v1
 entries:
   splunk-enterprise:
+  - apiVersion: v2
+    appVersion: 2.5.0
+    created: "2024-01-10T10:39:11.69467-08:00"
+    dependencies:
+    - condition: splunk-operator.enabled
+      name: splunk-operator
+      repository: file://splunk-operator/helm-chart/splunk-operator
+      version: 2.5.0
+    description: A Helm chart for Splunk Enterprise managed by the Splunk Operator
+    digest: d94805c70ddcc080baf3b70dabe83c58cff00ad770e8373f590c115a7bcfc41d
+    maintainers:
+    - email: [email protected]
+      name: Vivek Reddy
+    - email: [email protected]
+      name: Arjun Kondur
+    name: splunk-enterprise
+    type: application
+    urls:
+    - https://splunk.github.io/splunk-operator/splunk-enterprise-2.5.0.tgz
+    version: 2.5.0
   - apiVersion: v2
     appVersion: 2.4.0
-    created: "2023-10-06T15:35:58.241056-07:00"
+    created: "2024-01-10T10:39:11.65808-08:00"
     dependencies:
     - condition: splunk-operator.enabled
       name: splunk-operator
@@ -25,7 +45,7 @@ entries:
     version: 2.4.0
   - apiVersion: v2
     appVersion: 2.3.0
-    created: "2023-10-06T15:35:58.21754-07:00"
+    created: "2024-01-10T10:39:11.632534-08:00"
     dependencies:
     - condition: splunk-operator.enabled
       name: splunk-operator
@@ -47,7 +67,7 @@ entries:
     version: 2.3.0
   - apiVersion: v2
     appVersion: 2.2.1
-    created: "2023-10-06T15:35:58.202704-07:00"
+    created: "2024-01-10T10:39:11.617484-08:00"
     dependencies:
     - condition: splunk-operator.enabled
       name: splunk-operator
@@ -62,7 +82,7 @@ entries:
     version: 2.2.1
   - apiVersion: v2
     appVersion: 2.2.0
-    created: "2023-10-06T15:35:58.187926-07:00"
+    created: "2024-01-10T10:39:11.60409-08:00"
     dependencies:
     - condition: splunk-operator.enabled
       name: splunk-operator
@@ -77,7 +97,7 @@ entries:
     version: 2.2.0
   - apiVersion: v2
     appVersion: 2.1.0
-    created: "2023-10-06T15:35:58.162232-07:00"
+    created: "2024-01-10T10:39:11.579208-08:00"
     dependencies:
     - condition: splunk-operator.enabled
       name: splunk-operator
@@ -91,9 +111,24 @@ entries:
     - https://splunk.github.io/splunk-operator/splunk-enterprise-1.0.0.tgz
     version: 1.0.0
   splunk-operator:
+  - apiVersion: v2
+    appVersion: 2.5.0
+    created: "2024-01-10T10:39:11.771432-08:00"
+    description: A Helm chart for the Splunk Operator for Kubernetes
+    digest: a57a89d6b0fa0f8479001f097de0ac6a94721a7bfc6dc449e7f5bfb1c9de5d04
+    maintainers:
+    - email: [email protected]
+      name: Vivek Reddy
+    - email: [email protected]
+      name: Arjun Kondur
+    name: splunk-operator
+    type: application
+    urls:
+    - https://splunk.github.io/splunk-operator/splunk-operator-2.5.0.tgz
+    version: 2.5.0
   - apiVersion: v2
     appVersion: 2.4.0
-    created: "2023-10-06T15:35:58.303657-07:00"
+    created: "2024-01-10T10:39:11.7597-08:00"
     description: A Helm chart for the Splunk Operator for Kubernetes
     digest: 9d0377747e46df4bf4b9dbd447c9ff46c926bfe2c66fd07d6d27a61abb31cb42
     maintainers:
@@ -110,7 +145,7 @@ entries:
     version: 2.4.0
   - apiVersion: v2
     appVersion: 2.3.0
-    created: "2023-10-06T15:35:58.291618-07:00"
+    created: "2024-01-10T10:39:11.748073-08:00"
     description: A Helm chart for the Splunk Operator for Kubernetes
     digest: 23e70ec4059bc92920d7d3adce3bff6b8aba0d5eb5d4c0efe225bf3b88d5b274
     maintainers:
@@ -127,7 +162,7 @@ entries:
     version: 2.3.0
   - apiVersion: v2
     appVersion: 2.2.1
-    created: "2023-10-06T15:35:58.278709-07:00"
+    created: "2024-01-10T10:39:11.736045-08:00"
     description: A Helm chart for the Splunk Operator for Kubernetes
     digest: 8868b9ae2ebde0c667b13c97d71d904a31b5a9f2c803b199bc77324f1727e1fd
     name: splunk-operator
@@ -137,7 +172,7 @@ entries:
     version: 2.2.1
   - apiVersion: v2
     appVersion: 2.2.0
-    created: "2023-10-06T15:35:58.264055-07:00"
+    created: "2024-01-10T10:39:11.724252-08:00"
     description: A Helm chart for the Splunk Operator for Kubernetes
     digest: 49c72276bd7ff93465b0545d8b0814f684cade7d2cd191b6d73d4c3660bd1fb4
     name: splunk-operator
@@ -147,12 +182,12 @@ entries:
     version: 2.2.0
   - apiVersion: v2
     appVersion: 2.1.0
-    created: "2023-10-06T15:35:58.252222-07:00"
+    created: "2024-01-10T10:39:11.710038-08:00"
     description: A Helm chart for the Splunk Operator for Kubernetes
     digest: 34e5463f8f5442655d05cb616b50391b738a0827b30d8440b4c7fce99a291d9a
     name: splunk-operator
     type: application
     urls:
     - https://splunk.github.io/splunk-operator/splunk-operator-1.0.0.tgz
     version: 1.0.0
-generated: "2023-10-06T15:35:58.146197-07:00"
+generated: "2024-01-10T10:39:11.564217-08:00"
diff --git a/docs/splunk-enterprise-2.5.0.tgz b/docs/splunk-enterprise-2.5.0.tgz
diff --git a/docs/splunk-operator-2.5.0.tgz b/docs/splunk-operator-2.5.0.tgz
diff --git a/helm-chart/splunk-enterprise/Chart.yaml b/helm-chart/splunk-enterprise/Chart.yaml
@@ -15,22 +15,20 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.4.0
+version: 2.5.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "2.4.0"
+appVersion: "2.5.0"
 maintainers:
   - name: Vivek Reddy
     email: [email protected]
   - name: Arjun Kondur
     email: [email protected]
-  - name: Gaurav Gupta
-    email: [email protected]
 dependencies:
 - name: splunk-operator
-  version: "2.3.0"
+  version: "2.5.0"
   repository: "file://splunk-operator/helm-chart/splunk-operator"
   condition: splunk-operator.enabled
diff --git a/helm-chart/splunk-enterprise/charts/splunk-operator-2.5.0.tgz b/helm-chart/splunk-enterprise/charts/splunk-operator-2.5.0.tgz
diff --git a/helm-chart/splunk-enterprise/templates/enterprise_v4_indexercluster.yaml b/helm-chart/splunk-enterprise/templates/enterprise_v4_indexercluster.yaml
@@ -143,7 +143,7 @@ items:
   {{- end }}
 {{- if $.Values.indexerCluster.topologySpreadConstraints }}
   {{- with $.Values.indexerCluster.topologySpreadConstraints }}
-  topologySpreadConstraints:
+    topologySpreadConstraints:
 {{ toYaml . | indent 6 }}
 {{- end }}
 {{- end }}

diff --git a/helm-chart/splunk-enterprise/templates/enterprise_v4_licensemanager.yaml b/helm-chart/splunk-enterprise/templates/enterprise_v4_licensemanager.yaml
@@ -9,12 +9,12 @@ metadata:
 {{ toYaml . | indent 4 }}
 {{- end }}
 {{- with .Values.licenseManager.additionalAnnotations }}
-    annotations:
+  annotations:
 {{ toYaml . | indent 4 }}
   {{- end }}
 spec:
 {{- with .Values.licenseManager.appRepo }}
-  appRepo: 
+  appRepo:
 {{ toYaml . | indent 4 }}
 {{- end }}
 {{- if .Values.existingClusterManager }}
@@ -53,7 +53,7 @@ spec:
   imagePullSecrets:
 {{ toYaml . | indent 4 }}
 {{- end }}
-{{- with .Values.licenseManager.volumes }}      
+{{- with .Values.licenseManager.volumes }}
   volumes:
 {{ toYaml . | indent 4 }}
 {{- end }}

diff --git a/helm-chart/splunk-enterprise/values.yaml b/helm-chart/splunk-enterprise/values.yaml
@@ -240,7 +240,7 @@ clusterManager:
   # Define affinity scheduling rules
   # reference: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#affinity-v1-core
   affinity: {}
-    ## Example: schedule Splunk instance pod on a node in zone-1a 
+    ## Example: schedule Splunk instance pod on a node in zone-1a
     # nodeAffinity:
     #   requiredDuringSchedulingIgnoredDuringExecution:
     #     nodeSelectorTerms:
@@ -385,9 +385,9 @@ searchHeadCluster:
     #     endpoint:
     #     region:
     #     secretRef:
- 
+
   volumes: []
- 
+
   licenseUrl: ""
 
   defaultsUrl: ""
@@ -397,8 +397,8 @@ searchHeadCluster:
   defaultsUrlApps: ""
 
   extraEnv: []
-  # - name: 
-  #   value: 
+  # - name:
+  #   value:
 
   livenessInitialDelaySeconds: 300
 
@@ -438,7 +438,7 @@ searchHeadCluster:
     #   cpu: "4"
     # limits:
     #   memory: "12Gi"
-    #   cpu: "24"  
+    #   cpu: "24"
 
   serviceAccount: ""
 
@@ -598,7 +598,7 @@ licenseManager:
     #     endpoint:
     #     region:
     #     secretRef:
-  
+
   volumes: []
   ## Example: mounting volume containing license in Splunk instance pod container
   # - name: licenses

diff --git a/helm-chart/splunk-operator/Chart.yaml b/helm-chart/splunk-operator/Chart.yaml
@@ -6,8 +6,6 @@ maintainers:
     email: [email protected]
   - name: Arjun Kondur
     email: [email protected]
-  - name: Gaurav Gupta
-    email: [email protected]
 # A chart can be either an 'application' or a 'library' chart.
 #
 # Application charts are a collection of templates that can be packaged into versioned archives
@@ -21,10 +19,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: "2.4.0"
+version: "2.5.0"
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "2.4.0"
+appVersion: "2.5.0"
diff --git a/helm-chart/splunk-operator/templates/app_download.yaml b/helm-chart/splunk-operator/templates/app_download.yaml
@@ -19,8 +19,8 @@ spec:
       storage: 10Gi
 {{- end }}
   volumeMode: Filesystem
-{{- if $volume.storageClassName }}
-  storageClassName: {{ $volume.storageClassName }}
+{{- if $.Values.splunkOperator.persistentVolumeClaim.storageClassName }}
+  storageClassName: {{ $.Values.splunkOperator.persistentVolumeClaim.storageClassName }}
 {{- end }}
 
 ---

diff --git a/helm-chart/splunk-operator/values.yaml b/helm-chart/splunk-operator/values.yaml
@@ -1,6 +1,9 @@
+splunk-operator:
+  enabled: true
+
 # Splunk image
 image:
-  repository: docker.io/splunk/splunk:9.1.1
+  repository: docker.io/splunk/splunk:9.1.2
 
 # The kube-rbac-proxy is a small HTTP proxy for a single upstream, that can perform RBAC
 # authorization against the Kubernetes API.
@@ -29,7 +32,7 @@ splunkOperator:
   # Splunk operator image and pull policy
   # reference: https://github.com/splunk/splunk-operator
   image:
-    repository: docker.io/splunk/splunk-operator:2.3.0
+    repository: docker.io/splunk/splunk-operator:2.5.0
     pullPolicy: IfNotPresent
 
   # Set image pull secrets to pull image from a private registry
@@ -58,6 +61,15 @@ splunkOperator:
   # reference: https://kubernetes.io/docs/concepts/security/pod-security-policy/#privilege-escalation
   containerSecurityContext:
     allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    capabilities:
+      drop:
+        - "ALL"
+      add:
+        - "NET_BIND_SERVICE"
+    seccompProfile:
+      type: "RuntimeDefault"
 
   # Set security context for Splunk Operator pod
   # reference: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#podsecuritycontext-v1-core
@@ -129,6 +141,10 @@ splunkOperator:
   # reference: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#pod-v1-core
   terminationGracePeriodSeconds: 10
 
+  # Set storageClassName for the PersistentVolumeClaim
+  persistentVolumeClaim:
+    storageClassName: "default"
+
   # Specify volumes for Splunk Operator pod, append additional volumes to list
   # reference: https://kubernetes.io/docs/concepts/storage/volumes/
   volumes: