diff --git a/charts/minecraft-bedrock/Chart.yaml b/charts/minecraft-bedrock/Chart.yaml
index 42098bcb..85377062 100644
--- a/charts/minecraft-bedrock/Chart.yaml
+++ b/charts/minecraft-bedrock/Chart.yaml
@@ -1,21 +1,21 @@
 apiVersion: v1
 name: minecraft-bedrock
-version: 2.0.2
+version: 2.1.0
 appVersion: SeeValues
 home: https://minecraft.net/
 description: Minecraft server
 keywords:
-- game
-- server
+ - game
+ - server
 sources:
-- https://github.com/itzg/minecraft-server-charts
+ - https://github.com/itzg/minecraft-server-charts
 maintainers:
-- name: gtaylor
- email: gtaylor@gc-taylor.com
-- name: billimek
- email: jeff@billimek.com
-- name: itzg
- email: itzgeoff@gmail.com
+ - name: gtaylor
+ email: gtaylor@gc-taylor.com
+ - name: billimek
+ email: jeff@billimek.com
+ - name: itzg
+ email: itzgeoff@gmail.com
 annotations:
 artifacthub.io/links: |
 - name: Image source
diff --git a/charts/minecraft-bedrock/templates/deployment.yaml b/charts/minecraft-bedrock/templates/deployment.yaml
index c2ca110c..07d16d24 100644
--- a/charts/minecraft-bedrock/templates/deployment.yaml
+++ b/charts/minecraft-bedrock/templates/deployment.yaml
@@ -35,6 +35,8 @@ spec:
 imagePullSecrets:
 - name: {{ .Values.image.pullSecret }}
 {{- end }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
 {{- if .Values.initContainers }}
 initContainers:
 {{- toYaml .Values.initContainers | nindent 8 }}
@@ -139,6 +141,8 @@ spec:
 protocol: UDP
 
 volumeMounts:
+ - name: tmp
+ mountPath: /tmp
 - name: datadir
 mountPath: /data
 {{- range .Values.extraVolumes }}
@@ -146,7 +150,11 @@ spec:
 {{- toYaml .volumeMounts | nindent 8 }}
 {{- end }}
 {{- end }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 10 }}
 volumes:
+ - name: tmp
+ emptyDir: {}
 - name: datadir
 {{- if .Values.persistence.dataDir.enabled }}
 persistentVolumeClaim:
diff --git a/charts/minecraft-bedrock/values.yaml b/charts/minecraft-bedrock/values.yaml
index c2cdea90..16d70719 100644
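Review bot: The `tmp` volume added just before `- name: datadir` in hunk `@@ -146,7 +150,11 @@` is an unbounded `emptyDir: {}`, and because the new container securityContext makes the root filesystem read-only it is the only scratch path the container has left, so a runaway write there is only stopped by node-level ephemeral-storage eviction. Give it a ceiling, e.g. `emptyDir:` followed by `sizeLimit: <size>` (ideally read from a values key rather than fixed), or document why it is deliberately left unbounded. The same `emptyDir: {}` is added in the minecraft-proxy hunk `@@ -163,10 +164,14 @@` and the minecraft hunk `@@ -370,10 +375,14 @@`.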
--- a/charts/minecraft-bedrock/values.yaml
+++ b/charts/minecraft-bedrock/values.yaml
@@ -22,6 +22,21 @@ tolerations: []
 
 affinity: {}
 
+podSecurityContext:
+ runAsUser: 1000
+ runAsGroup: 3000
+ runAsNonRoot: true
+ fsGroup: 2000
+ seccompProfile:
+ type: RuntimeDefault
+
+securityContext:
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+
 # Most of these map to environment variables. See Minecraft for details:
 # https://hub.docker.com/r/itzg/minecraft-server/
 livenessProbe:
diff --git a/charts/minecraft-proxy/Chart.yaml b/charts/minecraft-proxy/Chart.yaml
index e5b26324..627d21f0 100644
--- a/charts/minecraft-proxy/Chart.yaml
+++ b/charts/minecraft-proxy/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: minecraft-proxy
-version: 3.2.0
+version: 3.3.0
 appVersion: SeeValues
 description: Minecraft proxy server (BungeeCord, Waterfall, Velocity, etc.)
 keywords:
diff --git a/charts/minecraft-proxy/templates/deployment.yaml b/charts/minecraft-proxy/templates/deployment.yaml
index a7903650..8428a286 100644
--- a/charts/minecraft-proxy/templates/deployment.yaml
+++ b/charts/minecraft-proxy/templates/deployment.yaml
@@ -28,8 +28,7 @@ spec:
 - name: {{ .Values.image.pullSecret }}
 {{- end }}
 securityContext:
- runAsUser: {{ .Values.securityContext.runAsUser }}
- fsGroup: {{ .Values.securityContext.fsGroup }}
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
 initContainers: {{- toYaml .Values.initContainers | nindent 8 }}
 containers:
 - name: {{ template "proxy.fullname" . }}
@@ -151,6 +150,8 @@ spec:
 {{- end }}
 {{- end }}
 volumeMounts:
+ - name: tmp
+ mountPath: /tmp
 - name: datadir
 mountPath: /server
 {{- if .Values.minecraftProxy.config }}
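Review bot: `seccompProfile:` with `type: RuntimeDefault` in the new `podSecurityContext` default of hunk `@@ -22,6 +22,21 @@` is a field that only exists on Kubernetes 1.19 and later; an older API server drops or rejects it depending on validation mode, so the chart should declare the floor it now assumes, e.g. `kubeVersion: ">=1.19.0-0"` in Chart.yaml, or the values comment should say the block can be removed on older clusters. This hunk also forces the bedrock pod to `runAsUser: 1000` with `runAsNonRoot: true` where the chart previously set no security context at all (the hunk is pure addition, as is the `securityContext:` in the bedrock deployment hunk `@@ -35,6 +35,8 @@`), so a short comment above `runAsUser` stating that the image is expected to start unprivileged as that UID would save users who swap the image some debugging. The same defaults are added in the minecraft-proxy, minecraft and rcon-web-admin values hunks (`@@ -14,11 +14,21 @@`, `@@ -27,10 +27,21 @@`, `@@ -17,17 +17,19 @@`).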
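Review bot: The removed `runAsUser:`/`fsGroup:` lines in hunk `@@ -28,8 +28,7 @@` read `.Values.securityContext`, and the container-level `securityContext:` added in hunk `@@ -163,10 +164,14 @@` renders that same key through toYaml, so an existing user values file that still sets `securityContext.fsGroup` (the only knob the previous values.yaml offered) now gets `fsGroup` merged into the container securityContext, where it is not a valid field, and the render is rejected by Helm's manifest validation or by the API server. The meaning of the `securityContext` key changed, which is a breaking values change that the 3.2.0→3.3.0 minor bump does not signal; either fall back to `.Values.securityContext.runAsUser`/`.fsGroup` when `podSecurityContext` is empty, or call the rename out in the chart README and NOTES. The same rebinding is made in the minecraft chart (`@@ -47,8 +47,7 @@`, `@@ -370,10 +375,14 @@`) and its values (`@@ -27,10 +27,21 @@`).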
@@ -163,10 +164,14 @@ spec:
 {{- toYaml .volumeMounts | nindent 8 }}
 {{- end }}
 {{- end }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 10 }}
 {{- if .Values.sidecarContainers }}
 {{- toYaml .Values.sidecarContainers | nindent 6 }}
 {{- end }}
 volumes:
+ - name: tmp
+ emptyDir: {}
 - name: datadir
 {{- if .Values.persistence.dataDir.enabled }}
 persistentVolumeClaim:
diff --git a/charts/minecraft-proxy/values.yaml b/charts/minecraft-proxy/values.yaml
index 2d4b1b7f..97480bd7 100644
--- a/charts/minecraft-proxy/values.yaml
+++ b/charts/minecraft-proxy/values.yaml
@@ -14,11 +14,21 @@ resources:
 memory: 512Mi
 cpu: 500m
 
-securityContext:
- # Security context settings
+podSecurityContext:
 runAsUser: 1000
- runAsGroup: 1000
+ runAsGroup: 3000
+ runAsNonRoot: true
 fsGroup: 2000
+ seccompProfile:
+ type: RuntimeDefault
+
+securityContext:
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+
 # Most of these map to environment variables. See Minecraft for details:
 # https://hub.docker.com/r/itzg/docker-bungeecord/
 livenessProbe:
@@ -175,7 +185,8 @@ minecraftProxy:
 ## Set the externalTrafficPolicy in the Service to either Cluster or Local
 # externalTrafficPolicy: Cluster
- extraPorts: []
+ extraPorts:
+ []
 # These options allow you to expose another port from the Minecraft proxy, plugins such
 # as NuVotifier (8192) will require this for incoming webhooks
 #
diff --git a/charts/minecraft/Chart.yaml b/charts/minecraft/Chart.yaml
index 268ed0e5..9fcad40d 100755
--- a/charts/minecraft/Chart.yaml
+++ b/charts/minecraft/Chart.yaml
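Review bot: The `extraPorts:` / `[]` split in hunk `@@ -175,7 +185,8 @@` puts an empty flow sequence on a line of its own; it parses the same as the removed `extraPorts: []`, but it reads like an editor reflow and has nothing to do with the security-context change, so it should go back to the single line `extraPorts: []`. Keeping the one-line form also matches how the other empty collections in these values files (`tolerations: []`, `affinity: {}`) are written.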
@@ -1,21 +1,21 @@
 apiVersion: v1
 name: minecraft
-version: 4.7.4
+version: 4.8.0
 appVersion: SeeValues
 home: https://minecraft.net/
 description: Minecraft server
 keywords:
-- game
-- server
+ - game
+ - server
 sources:
-- https://github.com/itzg/minecraft-server-charts
+ - https://github.com/itzg/minecraft-server-charts
 maintainers:
-- name: gtaylor
- email: gtaylor@gc-taylor.com
-- name: billimek
- email: jeff@billimek.com
-- name: itzg
- email: itzgeoff@gmail.com
+ - name: gtaylor
+ email: gtaylor@gc-taylor.com
+ - name: billimek
+ email: jeff@billimek.com
+ - name: itzg
+ email: itzgeoff@gmail.com
 annotations:
 artifacthub.io/links: |
 - name: Image source
diff --git a/charts/minecraft/templates/deployment.yaml b/charts/minecraft/templates/deployment.yaml
index d26c198e..7485fa4a 100644
--- a/charts/minecraft/templates/deployment.yaml
+++ b/charts/minecraft/templates/deployment.yaml
@@ -47,8 +47,7 @@ spec:
 - name: {{ .Values.image.pullSecret }}
 {{- end }}
 securityContext:
- runAsUser: {{ .Values.securityContext.runAsUser }}
- fsGroup: {{ .Values.securityContext.fsGroup }}
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
 {{- if .Values.initContainers }}
 initContainers:
 {{- toYaml .Values.initContainers | nindent 8 }}
@@ -119,6 +118,8 @@ spec:
 {{- end }}
 {{- end }}
 volumeMounts:
+ - name: tmp
+ mountPath: /tmp
 - name: datadir
 mountPath: /data
 readOnly: true
@@ -134,6 +135,8 @@ spec:
 {{- end }}
 {{- end }}
 {{- end }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 10 }}
 - name: {{ template "minecraft.fullname" . }}
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
@@ -321,7 +324,7 @@ spec:
 {{- end }}
 {{- end }}
 {{- end }}
-
+
 {{- range $key, $value := .Values.extraEnv }}
 {{- if kindIs "map" $value }}
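Review bot: The `securityContext:` added after the three `{{- end }}` lines in hunk `@@ -134,6 +135,8 @@` belongs to the container that precedes the main `- name: {{ template "minecraft.fullname" . }}` entry, and that container's `- name:` line starts before this hunk; with the new defaults it runs with all capabilities dropped and a read-only root filesystem, and hunk `@@ -119,6 +118,8 @@` (presumably the same container) mounts `datadir` with `readOnly: true`, which leaves the new `/tmp` mount as its only writable path. Worth confirming on a test render that whatever that container runs writes nowhere else, and adding a comment above the new `securityContext:` naming the container it applies to, since a `nindent 10` line sitting directly above the next `- name:` is easy to misread as belonging to the main container.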
@@ -357,6 +360,8 @@ spec:
 {{- end }}
 {{- end }}
 volumeMounts:
+ - name: tmp
+ mountPath: /tmp
 - name: datadir
 mountPath: /data
 {{- if (and .Values.persistence.dataDir.enabled .Values.persistence.dataDir.subPath) }}
@@ -370,10 +375,14 @@ spec:
 {{- toYaml .volumeMounts | nindent 8 }}
 {{- end }}
 {{- end }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 10 }}
 {{- if .Values.sidecarContainers }}
 {{- toYaml .Values.sidecarContainers | nindent 6 }}
 {{- end }}
 volumes:
+ - name: tmp
+ emptyDir: {}
 - name: datadir
 {{- if .Values.persistence.dataDir.enabled }}
 persistentVolumeClaim:
diff --git a/charts/minecraft/values.yaml b/charts/minecraft/values.yaml
index 6f56a1f0..c4336b4e 100644
--- a/charts/minecraft/values.yaml
+++ b/charts/minecraft/values.yaml
@@ -27,10 +27,21 @@ tolerations: []
 
 affinity: {}
 
-securityContext:
- # Security context settings
+podSecurityContext:
 runAsUser: 1000
+ runAsGroup: 3000
+ runAsNonRoot: true
 fsGroup: 2000
+ seccompProfile:
+ type: RuntimeDefault
+
+securityContext:
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+
 # Most of these map to environment variables. See Minecraft for details:
 # https://hub.docker.com/r/itzg/minecraft-server/
 livenessProbe:
diff --git a/charts/rcon-web-admin/Chart.yaml b/charts/rcon-web-admin/Chart.yaml
index d8882d9a..e5b83c12 100644
--- a/charts/rcon-web-admin/Chart.yaml
+++ b/charts/rcon-web-admin/Chart.yaml
@@ -3,7 +3,7 @@ name: rcon-web-admin
 home: https://github.com/rcon-web-admin/rcon-web-admin
 description: RCon Web UI for managing game servers
 type: application
-version: 1.0.0
+version: 1.1.0
 appVersion: "0.14.1-1"
 keywords:
 - game
diff --git a/charts/rcon-web-admin/values.yaml b/charts/rcon-web-admin/values.yaml
index 02a45b82..4e14c395 100644
--- a/charts/rcon-web-admin/values.yaml
+++ b/charts/rcon-web-admin/values.yaml
@@ -17,17 +17,19 @@ fullnameOverride: ""
 podAnnotations: {}
 
 podSecurityContext:
- {}
- # fsGroup: 2000
+ runAsUser: 1000
+ runAsGroup: 3000
+ runAsNonRoot: true
+ fsGroup: 2000
+ seccompProfile:
+ type: RuntimeDefault
 
 securityContext:
- {}
- # capabilities:
- # drop:
- # - ALL
- # readOnlyRootFilesystem: true
- # runAsNonRoot: true
- # runAsUser: 1000
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
 
 # This will expose 2 different services - http and websockets
 # If you want to know why it's separate - ask developer of original project
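Review bot: `readOnlyRootFilesystem: true` becomes rcon-web-admin's default container securityContext in this hunk, but unlike the three other charts in this diff no writable `tmp` emptyDir accompanies it — the diff touches only rcon-web-admin's Chart.yaml and values.yaml, not its deployment template — so unless that template already mounts a writable volume, the container is left with no writable path at all. As far as I can tell rcon-web-admin keeps its state in files rather than an external database, so a fresh install with these defaults may fail at first write; please verify on a test install. If it does, either add a writable volume for the app's data and temp directories in the deployment template, mirroring the `tmp` volume the other charts gained, or drop `readOnlyRootFilesystem` from this chart's default and leave it as the commented suggestion it was before.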