From fcc5ac9c196bc576637222d78024720a0f05665e Mon Sep 17 00:00:00 2001
From: Greg Smith <65406958+gsmith-sas@users.noreply.github.com>
Date: Wed, 4 Dec 2024 17:15:57 -0500
Subject: [PATCH] [SECURITY] Set seccompProfile to RuntimeDefault for OpenSearch, OpenSearch Dashboards and Fluent Bit pods
---
 CHANGELOG.md | 5 +++++
 logging/fb/fluent-bit_helm_values_azmonitor.yaml | 4 ++++
 logging/fb/fluent-bit_helm_values_events.yaml | 4 ++++
 logging/fb/fluent-bit_helm_values_opensearch.yaml | 4 ++++
 logging/opensearch/opensearch_helm_values.yaml | 5 +++++
 logging/opensearch/osd_helm_values.yaml | 5 +++++
 logging/openshift/values-fluent-bit-events.yaml | 1 +
 logging/openshift/values-fluent-bit.yaml | 1 +
 8 files changed, 29 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8dae7a21..1b8daf90 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # SAS Viya Monitoring for Kubernetes
 
+## Unreleased
+* **Logging**
+ * [SECURITY] Set `seccompProfile` to `RuntimeDefault` for OpenSearch, OpenSearch Dashboards and Fluent Bit pods in
+non-OpenShift environments.
+
 ## Version 1.2.31 (15NOV2024)
 * **Logging**
 * [UPGRADE] OpenSearch and OpenSearch Dashboards upgraded from 2.15.0 to 2.17.1
diff --git a/logging/fb/fluent-bit_helm_values_azmonitor.yaml b/logging/fb/fluent-bit_helm_values_azmonitor.yaml
index f232b1c2..9f298d37 100644
--- a/logging/fb/fluent-bit_helm_values_azmonitor.yaml
+++ b/logging/fb/fluent-bit_helm_values_azmonitor.yaml
@@ -69,3 +69,7 @@ resources:
 requests:
 cpu: 100m
 memory: 128Mi
+
+podSecurityContext:
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/logging/fb/fluent-bit_helm_values_events.yaml b/logging/fb/fluent-bit_helm_values_events.yaml
index 60fc1e58..d1b56f19 100644
--- a/logging/fb/fluent-bit_helm_values_events.yaml
+++ b/logging/fb/fluent-bit_helm_values_events.yaml
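Review bot: The `podSecurityContext` block appended at the end of the fluent-bit_helm_values_azmonitor.yaml hunk carries no comment saying why it is there, and the same three lines are added again in the fluent-bit_helm_values_events.yaml and fluent-bit_helm_values_opensearch.yaml hunks, so a reader of any one file has to go to the changelog to learn this is a hardening change. A one-line comment above the block in each file would fix that, e.g. `# Opt in to the container runtime's default seccomp profile (expected by the Pod Security Standards "restricted" level); the OpenShift override files set podSecurityContext to null instead.` A pod-level seccompProfile applies to every container in the pod unless a container-level securityContext sets its own; the events hunk shows a container-level `securityContext` that does not set seccompProfile, so the pod-level value is what takes effect there, which is the intended outcome but worth stating in the comment.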
@@ -38,6 +38,10 @@ securityContext:
 runAsUser: 1001
 readOnlyRootFilesystem: true
+podSecurityContext:
+ seccompProfile:
+ type: RuntimeDefault
+
 resources:
 # limits:
 # cpu: 100m
diff --git a/logging/fb/fluent-bit_helm_values_opensearch.yaml b/logging/fb/fluent-bit_helm_values_opensearch.yaml
index 0d66e6ff..6d276b28 100644
--- a/logging/fb/fluent-bit_helm_values_opensearch.yaml
+++ b/logging/fb/fluent-bit_helm_values_opensearch.yaml
@@ -63,3 +63,7 @@ resources:
 requests:
 cpu: 100m
 memory: 128Mi
+
+podSecurityContext:
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/logging/opensearch/opensearch_helm_values.yaml b/logging/opensearch/opensearch_helm_values.yaml
index 71583dad..6bf2b0f4 100644
--- a/logging/opensearch/opensearch_helm_values.yaml
+++ b/logging/opensearch/opensearch_helm_values.yaml
@@ -175,3 +175,8 @@ sysctlInit:
 #sysctlVmMaxMapCount:
 # 262144
+
+
+podSecurityContext:
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/logging/opensearch/osd_helm_values.yaml b/logging/opensearch/osd_helm_values.yaml
index dc33d570..3c823609 100644
--- a/logging/opensearch/osd_helm_values.yaml
+++ b/logging/opensearch/osd_helm_values.yaml
@@ -69,3 +69,8 @@ config:
 securityContext:
 readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
+
+podSecurityContext:
+ seccompProfile:
+ type: RuntimeDefault
+
diff --git a/logging/openshift/values-fluent-bit-events.yaml b/logging/openshift/values-fluent-bit-events.yaml
index 21a883af..9b518a99 100644
--- a/logging/openshift/values-fluent-bit-events.yaml
+++ b/logging/openshift/values-fluent-bit-events.yaml
@@ -1,3 +1,4 @@
+podSecurityContext: null
 securityContext:
 privileged: true
 openShift:
diff --git a/logging/openshift/values-fluent-bit.yaml b/logging/openshift/values-fluent-bit.yaml
index 21a883af..9b518a99 100644
--- a/logging/openshift/values-fluent-bit.yaml
+++ b/logging/openshift/values-fluent-bit.yaml
@@ -1,3 +1,4 @@
+podSecurityContext: null
 securityContext:
 privileged: true
 openShift:
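Review bot: The pod-level `seccompProfile` added in the opensearch_helm_values.yaml hunk sits directly under the `sysctlInit` block, and seccomp profiles are not applied to privileged containers; if `sysctlInit.enabled` turns on the chart's privileged sysctl init container (its definition is not visible in this hunk, so this is inferred from the chart), that container stays unconfined and only the non-privileged OpenSearch containers are covered by the new setting. A comment making the scope explicit would stop the line being read as covering the whole pod, e.g. `# Constrains the OpenSearch containers; a privileged sysctlInit init container, if enabled, is not subject to seccomp.` The hunk also inserts two blank lines before the block where the Fluent Bit files insert one; a single blank line would keep the files consistent.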
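Review bot: The container `securityContext` visible in the osd_helm_values.yaml hunk sets only `readOnlyRootFilesystem` and `allowPrivilegeEscalation` alongside the new pod-level seccomp setting; if the goal is the Pod Security Standards "restricted" level, that level also requires `runAsNonRoot: true` and `capabilities: drop: ["ALL"]`, which may already come from the chart defaults but are not shown here and are worth confirming before the changelog describes the pods as hardened. The final `+` line adds a trailing blank line at end of file; dropping it keeps the file consistent with the Fluent Bit values files, which end on `type: RuntimeDefault`.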
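Review bot: `podSecurityContext: null` at the top of values-fluent-bit-events.yaml (and the identical line in the values-fluent-bit.yaml hunk) relies on Helm's rule that a null in a later values file deletes the key from the merged values, which only takes effect if this OpenShift file is layered after the base Fluent Bit values file, and the reason for removing the profile on OpenShift is not recorded anywhere in the file. A short comment would capture both, e.g. `# OpenShift: remove the pod-level seccompProfile from the base values (Helm drops a key set to null); the SCC granted to the pod is expected to govern seccomp here.` Since the container `securityContext` in this file already sets `privileged: true`, seccomp would not be applied to that container in any case, which is consistent with clearing the pod-level setting. Note that null removes every key under `podSecurityContext`, not just `seccompProfile`, so any other pod-level field later added to the base file would silently disappear on OpenShift as well.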