From 1aec4740d3ece61a58390113415f8dd8f6571115 Mon Sep 17 00:00:00 2001 From: robot Date: Wed, 20 Nov 2024 20:11:32 +0000 Subject: [PATCH] robot: project vpa chart upgrades from 4.5.0 to 4.7.1 Signed-off-by: robot --- charts/vpa/config | 2 +- charts/vpa/vpa/Chart.yaml | 4 +- charts/vpa/vpa/README.md | 4 +- charts/vpa/vpa/charts/vpa/Chart.yaml | 2 +- charts/vpa/vpa/charts/vpa/README.md | 4 +- .../vpa/vpa/charts/vpa/crds/vpa-v1-crd.yaml | 12 +++--- .../vpa/templates/recommender-deployment.yaml | 2 +- charts/vpa/vpa/charts/vpa/values.yaml | 15 +++++-- charts/vpa/vpa/values.schema.json | 39 ++++++++++++++++++- charts/vpa/vpa/values.yaml | 15 +++++-- 10 files changed, 77 insertions(+), 22 deletions(-) diff --git a/charts/vpa/config b/charts/vpa/config index 50012aa16..5dadd2d7e 100644 --- a/charts/vpa/config +++ b/charts/vpa/config @@ -4,7 +4,7 @@ export USE_OPENSOURCE_CHART=false export REPO_URL=https://charts.fairwinds.com/stable export REPO_NAME=fairwinds-stable export CHART_NAME=vpa -export VERSION=4.5.0 +export VERSION=4.7.1 # pr, issue, none export UPGRADE_METHOD=pr diff --git a/charts/vpa/vpa/Chart.yaml b/charts/vpa/vpa/Chart.yaml index 51cb351de..6a4a4cd5c 100644 --- a/charts/vpa/vpa/Chart.yaml +++ b/charts/vpa/vpa/Chart.yaml @@ -10,10 +10,10 @@ sources: - https://github.com/FairwindsOps/charts/tree/master/stable/vpa - https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler type: application -version: 4.5.0 +version: 4.7.1 dependencies: - name: vpa - version: "4.5.0" + version: "4.7.1" repository: "https://charts.fairwinds.com/stable" annotations: addon.kpanda.io/namespace: kube-system diff --git a/charts/vpa/vpa/README.md b/charts/vpa/vpa/README.md index 7be7ee285..23c030b2c 100644 --- a/charts/vpa/vpa/README.md +++ b/charts/vpa/vpa/README.md 
@@ -202,8 +202,8 @@ recommender:
 | admissionController.certGen.image.pullPolicy | string | `"Always"` | The pull policy for the certgen image. Recommend not changing this |
 | admissionController.certGen.env | object | `{}` | Additional environment variables to be added to the certgen container. Format is KEY: Value format |
 | admissionController.certGen.resources | object | `{}` | The resources block for the certgen pod |
-| admissionController.certGen.securityContext | object | `{}` | The securityContext block for the certgen container(s) |
-| admissionController.certGen.podSecurityContext | object | `{}` | The securityContext block for the certgen pod(s) |
+| admissionController.certGen.podSecurityContext | object | `{"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | The securityContext block for the certgen pod(s) |
+| admissionController.certGen.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true}` | The securityContext block for the certgen container(s) |
 | admissionController.certGen.nodeSelector | object | `{}` | |
 | admissionController.certGen.tolerations | list | `[]` | |
 | admissionController.certGen.affinity | object | `{}` | |
diff --git a/charts/vpa/vpa/charts/vpa/Chart.yaml b/charts/vpa/vpa/charts/vpa/Chart.yaml
index 2cb41f329..a5af98bfa 100644
--- a/charts/vpa/vpa/charts/vpa/Chart.yaml
+++ b/charts/vpa/vpa/charts/vpa/Chart.yaml
@@ -16,4 +16,4 @@ sources:
 - https://github.com/FairwindsOps/charts/tree/master/stable/vpa
 - https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler
 type: application
-version: 4.5.0
+version: 4.7.1
diff --git a/charts/vpa/vpa/charts/vpa/README.md b/charts/vpa/vpa/charts/vpa/README.md
index 7be7ee285..23c030b2c 100644
--- a/charts/vpa/vpa/charts/vpa/README.md
+++ b/charts/vpa/vpa/charts/vpa/README.md
@@ -202,8 +202,8 @@ recommender:
 | admissionController.certGen.image.pullPolicy | string | `"Always"` | The pull policy for the certgen image. Recommend not changing this |
 | admissionController.certGen.env | object | `{}` | Additional environment variables to be added to the certgen container. Format is KEY: Value format |
 | admissionController.certGen.resources | object | `{}` | The resources block for the certgen pod |
-| admissionController.certGen.securityContext | object | `{}` | The securityContext block for the certgen container(s) |
-| admissionController.certGen.podSecurityContext | object | `{}` | The securityContext block for the certgen pod(s) |
+| admissionController.certGen.podSecurityContext | object | `{"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | The securityContext block for the certgen pod(s) |
+| admissionController.certGen.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true}` | The securityContext block for the certgen container(s) |
 | admissionController.certGen.nodeSelector | object | `{}` | |
 | admissionController.certGen.tolerations | list | `[]` | |
 | admissionController.certGen.affinity | object | `{}` | |
diff --git a/charts/vpa/vpa/charts/vpa/crds/vpa-v1-crd.yaml b/charts/vpa/vpa/charts/vpa/crds/vpa-v1-crd.yaml
index 93092ee1e..3811ca72b 100644
--- a/charts/vpa/vpa/charts/vpa/crds/vpa-v1-crd.yaml
+++ b/charts/vpa/vpa/charts/vpa/crds/vpa-v1-crd.yaml
@@ -283,9 +283,11 @@ spec: resourcePolicy: description: Controls how the autoscaler computes recommended resources. The resource policy may be used to set constraints on the recommendations - for individual containers. If not specified, the autoscaler computes - recommended resources for all containers in the pod, without additional - constraints. + for individual containers. If any individual containers need to + be excluded from getting the VPA recommendations, then it must be + disabled explicitly by setting mode to "Off" under containerPolicies. + If not specified, the autoscaler computes recommended resources + for all containers in the pod, without additional constraints. properties: containerPolicies: description: Per-container resource policies. @@ -397,7 +399,7 @@ spec: - TargetHigherThanRequests - TargetLowerThanRequests type: string - resource: + resources: description: Resources is a list of one or more resources that the condition applies to. If more than one resource is given, the EvictionRequirement is fulfilled if at least @@ -409,7 +411,7 @@ spec: type: array required: - changeRequirement - - resource + - resources type: object type: array minReplicas: diff --git a/charts/vpa/vpa/charts/vpa/templates/recommender-deployment.yaml b/charts/vpa/vpa/charts/vpa/templates/recommender-deployment.yaml index 213d50d89..8f35bc018 100644 --- a/charts/vpa/vpa/charts/vpa/templates/recommender-deployment.yaml +++ b/charts/vpa/vpa/charts/vpa/templates/recommender-deployment.yaml @@ -68,7 +68,7 @@ spec: {{- $insightsRecommenderArgs := index $extraArgs "use-insights-recommender" | default dict }} {{- if or .Values.recommender.envFromSecret $insightsRecommenderArgs }} envFrom: - {{- if $insightsRecommenderArgs }} + {{- if and (not .Values.recommender.envFromSecret) $insightsRecommenderArgs }} - secretRef: name: {{ .Release.Name }}-token {{- end }} 
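Review bot: With the new condition `if and (not .Values.recommender.envFromSecret) $insightsRecommenderArgs` in recommender-deployment.yaml, setting `recommender.envFromSecret` now suppresses the `{{ .Release.Name }}-token` secretRef even when `use-insights-recommender` is enabled, and nothing in this hunk or in the README hunks says so. If the insights recommender reads its token from that secret (presumably, given the name), an operator who already sets both values loses it on upgrade unless their own secret carries the same keys. I would add a template comment above the condition, `{{- /* envFromSecret replaces the release token secret; it must supply the insights token itself */}}`, and put the same sentence in the `recommender.envFromSecret` description. The `envFrom:` block continues outside the hunk, so the branch that renders `envFromSecret` is not visible here.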
diff --git a/charts/vpa/vpa/charts/vpa/values.yaml b/charts/vpa/vpa/charts/vpa/values.yaml
index 9b1f05320..a6c4873e3 100644
--- a/charts/vpa/vpa/charts/vpa/values.yaml
+++ b/charts/vpa/vpa/charts/vpa/values.yaml
@@ -221,10 +221,19 @@ admissionController:
 env: {}
 # admissionController.certGen.resources -- The resources block for the certgen pod
 resources: {}
- # admissionController.certGen.securityContext -- The securityContext block for the certgen container(s)
- securityContext: {}
 # admissionController.certGen.podSecurityContext -- The securityContext block for the certgen pod(s)
- podSecurityContext: {}
+ podSecurityContext:
+ runAsNonRoot: true
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
+ # admissionController.certGen.securityContext -- The securityContext block for the certgen container(s)
+ securityContext:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
 nodeSelector: {}
 tolerations: []
 affinity: {}
diff --git a/charts/vpa/vpa/values.schema.json b/charts/vpa/vpa/values.schema.json
index dcdd59d4e..12070bbd5 100644
--- a/charts/vpa/vpa/values.schema.json
+++ b/charts/vpa/vpa/values.schema.json
@@ -41,13 +41,48 @@
 "type": "object"
 },
 "podSecurityContext": {
- "type": "object"
+ "type": "object",
+ "properties": {
+ "runAsNonRoot": {
+ "type": "boolean"
+ },
+ "runAsUser": {
+ "type": "integer"
+ },
+ "seccompProfile": {
+ "type": "object",
+ "properties": {
+ "type": {
+ "type": "string"
+ }
+ }
+ }
+ }
 },
 "resources": {
 "type": "object"
 },
 "securityContext": {
- "type": "object"
+ "type": "object",
+ "properties": {
+ "allowPrivilegeEscalation": {
+ "type": "boolean"
+ },
+ "capabilities": {
+ "type": "object",
+ "properties": {
+ "drop": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ }
+ }
+ },
+ "readOnlyRootFilesystem": {
+ "type": "boolean"
+ }
+ }
 },
 "tolerations": {
 "type": "array"
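Review bot: The new certgen default `runAsUser: 65534` is a fixed UID, which platforms that assign a UID range per namespace (OpenShift's restricted SCC, for example) reject at admission, and the comment above `podSecurityContext` does not say how to opt out. Because Helm merges map values, overriding with `podSecurityContext: {}` leaves these defaults in place; the individual key has to be set to `null`. I would extend the helm-docs comment to `# admissionController.certGen.podSecurityContext -- The securityContext block for the certgen pod(s). Set runAsUser to null where the platform assigns UIDs`. The same defaults and the same gap appear in the `charts/vpa/vpa/values.yaml` hunk.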
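Review bot: In values.schema.json, `seccompProfile.type` is typed only as `string`, so a misspelled profile name passes chart validation and is only rejected later, when the manifest reaches the API server. Constraining it in the schema catches that at lint or install time: `"type": "string", "enum": ["RuntimeDefault", "Localhost", "Unconfined"]`. The new `capabilities` object types only `drop`; if `add` is meant to be overridable it would be worth typing it the same way, so a scalar there is rejected too.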
diff --git a/charts/vpa/vpa/values.yaml b/charts/vpa/vpa/values.yaml
index f1f29b587..43c7d3777 100644
--- a/charts/vpa/vpa/values.yaml
+++ b/charts/vpa/vpa/values.yaml
@@ -224,10 +224,19 @@ vpa:
 env: {}
 # admissionController.certGen.resources -- The resources block for the certgen pod
 resources: {}
- # admissionController.certGen.securityContext -- The securityContext block for the certgen container(s)
- securityContext: {}
 # admissionController.certGen.podSecurityContext -- The securityContext block for the certgen pod(s)
- podSecurityContext: {}
+ podSecurityContext:
+ runAsNonRoot: true
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
+ # admissionController.certGen.securityContext -- The securityContext block for the certgen container(s)
+ securityContext:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
 nodeSelector: {}
 tolerations: []
 affinity: {}