diff --git a/charts/kubernetes-dashboard/.gitignore b/charts/kubernetes-dashboard/.gitignore
new file mode 100644
index 00000000..58c6e7db
--- /dev/null
+++ b/charts/kubernetes-dashboard/.gitignore
@@ -0,0 +1,13 @@
+# Ignore all files with sensitive production values
+production.yaml
+prod.yaml
+*-prod.yaml
+*-production.yaml
+prod-*.yaml
+production-*.yaml
+aws-*.yaml
+secrets/
+private/
+*.secret.yaml
+values-*.yaml
+!values.yaml
diff --git a/charts/kubernetes-dashboard/Chart.lock b/charts/kubernetes-dashboard/Chart.lock
new file mode 100644
index 00000000..14bea922
--- /dev/null
+++ b/charts/kubernetes-dashboard/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: kubernetes-dashboard
+ repository: https://kubernetes.github.io/dashboard/
+ version: 7.3.2
+digest: sha256:a19101f122b411f792a9401f167e9b0ef6fa6f1543d2f851e4107e2dd0339a2b
+generated: "2026-01-26T17:51:21.6935149Z"
diff --git a/charts/kubernetes-dashboard/Chart.yaml b/charts/kubernetes-dashboard/Chart.yaml
new file mode 100644
index 00000000..c5cb886d
--- /dev/null
+++ b/charts/kubernetes-dashboard/Chart.yaml
@@ -0,0 +1,28 @@
+apiVersion: v2
+appVersion: "7.3.2"
+description: A Helm chart for Kubernetes Dashboard. This chart is an overlay for the official kubernetes-dashboard chart with custom resource limits configured for RADAR-K8s environments.
+name: kubernetes-dashboard
+version: 1.0.0
+sources:
+- https://github.com/RADAR-base/radar-helm-charts/tree/main/charts/kubernetes-dashboard
+- https://github.com/kubernetes/dashboard
+keywords:
+ - kubernetes
+ - dashboard
+ - monitoring
+ - radar-base
+ - ui
+annotations:
+ artifacthub.io/license: Apache-2.0
+deprecated: false
+type: application
+home: "https://github.com/kubernetes/dashboard"
+maintainers:
+ - email: mani.thumu@kcl.ac.uk
+ name: Mani Thumu
+ - email: yatharth.ranjan@kcl.ac.uk
+ name: Yatharth Ranjan
+dependencies:
+- name: kubernetes-dashboard
+ repository: https://kubernetes.github.io/dashboard/
+ version: 7.3.2
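Review bot: In `.gitignore`, every secret-bearing pattern matches only the `.yaml` extension, so a file such as `prod.yml` or `production.yml` would still be tracked. Adding the `.yml` twins (for example `prod.yml`, `*-prod.yml`, `*.secret.yml`) closes that gap. The final `!values.yaml` is a no-op, because `values-*.yaml` requires a hyphen and never matches `values.yaml`; it can stay as a guard but deserves a comment saying so. An ignore file only prevents an accidental `git add`, so it is worth pairing with a secret scanner in the pre-commit hooks the repository already uses.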
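Review bot: In `Chart.yaml`, the `dependencies` entry pins the upstream chart to 7.3.2 and the same commit checks in `charts/kubernetes-dashboard-7.3.2.tgz` as a binary, so the templates that actually get deployed are not reviewable in this diff. The `digest` in `Chart.lock` is computed over the dependency list rather than the archive bytes, so it does not by itself authenticate that tarball. Consider either ignoring `charts/*.tgz` and rebuilding it with `helm dependency build` in CI, or recording the archive's SHA-256 next to it and checking it in the pipeline. Separately, `appVersion: "7.3.2"` repeats the upstream chart version; whether that equals the dashboard application version is not visible here.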
diff --git a/charts/kubernetes-dashboard/DOCS.md.gotmpl b/charts/kubernetes-dashboard/DOCS.md.gotmpl
new file mode 100644
index 00000000..e69de29b
diff --git a/charts/kubernetes-dashboard/README.md b/charts/kubernetes-dashboard/README.md
new file mode 100644
index 00000000..00d8afcc
--- /dev/null
+++ b/charts/kubernetes-dashboard/README.md
@@ -0,0 +1,78 @@
+
+
+# kubernetes-dashboard
+[![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/kubernetes-dashboard)](https://artifacthub.io/packages/helm/radar-base/kubernetes-dashboard)
+
+![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 7.3.2](https://img.shields.io/badge/AppVersion-7.3.2-informational?style=flat-square)
+
+A Helm chart for Kubernetes Dashboard. This chart is an overlay for the official kubernetes-dashboard chart with custom resource limits configured for RADAR-K8s environments.
+
+**Homepage:**
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| Mani Thumu | | |
+| Yatharth Ranjan | | |
+
+## Source Code
+
+*
+*
+
+## Prerequisites
+* Kubernetes 1.28+
+* Kubectl 1.28+
+* Helm 3.1.0+
+
+## Requirements
+
+| Repository | Name | Version |
+|------------|------|---------|
+| https://kubernetes.github.io/dashboard/ | kubernetes-dashboard | 7.3.2 |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| kubernetes-dashboard.auth.containers.resources.requests.cpu | string | `"10m"` | |
+| kubernetes-dashboard.auth.containers.resources.requests.memory | string | `"64Mi"` | |
+| kubernetes-dashboard.auth.containers.resources.limits.cpu | string | `"100m"` | |
+| kubernetes-dashboard.auth.containers.resources.limits.memory | string | `"256Mi"` | |
+| kubernetes-dashboard.api.containers.resources.requests.cpu | string | `"10m"` | |
+| kubernetes-dashboard.api.containers.resources.requests.memory | string | `"64Mi"` | |
+| kubernetes-dashboard.api.containers.resources.limits.cpu | string | `"100m"` | |
+| kubernetes-dashboard.api.containers.resources.limits.memory | string | `"256Mi"` | |
+| kubernetes-dashboard.web.containers.resources.requests.cpu | string | `"10m"` | |
+| kubernetes-dashboard.web.containers.resources.requests.memory | string | `"64Mi"` | |
+| kubernetes-dashboard.web.containers.resources.limits.cpu | string | `"100m"` | |
+| kubernetes-dashboard.web.containers.resources.limits.memory | string | `"256Mi"` | |
+| kubernetes-dashboard.metricsScraper.enabled | bool | `true` | |
+| kubernetes-dashboard.metricsScraper.containers.resources.requests.cpu | string | `"10m"` | |
+| kubernetes-dashboard.metricsScraper.containers.resources.requests.memory | string | `"64Mi"` | |
+| kubernetes-dashboard.metricsScraper.containers.resources.limits.cpu | string | `"100m"` | |
+| kubernetes-dashboard.metricsScraper.containers.resources.limits.memory | string | `"256Mi"` | |
+| kubernetes-dashboard.kong.enabled | bool | `true` | |
+| kubernetes-dashboard.kong.env.dns_order | string | `"LAST,A,CNAME,AAAA,SRV"` | |
+| kubernetes-dashboard.kong.env.plugins | string | `"off"` | |
+| kubernetes-dashboard.kong.env.nginx_worker_processes | int | `1` | |
+| kubernetes-dashboard.kong.ingressController.enabled | bool | `false` | |
+| kubernetes-dashboard.kong.dblessConfig.configMap | string | `"kong-dbless-config"` | |
+| kubernetes-dashboard.kong.proxy.type | string | `"ClusterIP"` | |
+| kubernetes-dashboard.kong.proxy.http.enabled | bool | `false` | |
+| kubernetes-dashboard.kong.deploymentAnnotations | object | `{}` | |
+| kubernetes-dashboard.kong.resources.requests.cpu | string | `"100m"` | |
+| kubernetes-dashboard.kong.resources.requests.memory | string | `"181Mi"` | |
+| kubernetes-dashboard.kong.resources.limits.cpu | string | `"200m"` | |
+| kubernetes-dashboard.kong.resources.limits.memory | string | `"256Mi"` | |
+| kubernetes-dashboard.metrics-server.enabled | bool | `false` | |
+| kubernetes-dashboard.cert-manager.enabled | bool | `false` | |
+| kubernetes-dashboard.nginx.enabled | bool | `false` | |
+| kubernetes-dashboard.app.security.securityContext.runAsNonRoot | bool | `true` | |
+| kubernetes-dashboard.app.security.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
+| kubernetes-dashboard.app.security.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | |
+| kubernetes-dashboard.app.security.containerSecurityContext.readOnlyRootFilesystem | bool | `true` | |
+| kubernetes-dashboard.app.security.containerSecurityContext.runAsUser | int | `1001` | |
+| kubernetes-dashboard.app.security.containerSecurityContext.runAsGroup | int | `2001` | |
+| kubernetes-dashboard.app.security.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` | |
diff --git a/charts/kubernetes-dashboard/README.md.gotmpl b/charts/kubernetes-dashboard/README.md.gotmpl
new file mode 100644
index 00000000..fab382f7
--- /dev/null
+++ b/charts/kubernetes-dashboard/README.md.gotmpl
@@ -0,0 +1,18 @@
+{{ template "common.header" . }}
+{{ template "chart.deprecationWarning" . }}
+
+{{ template "chart.badgesSection" . }}
+
+{{ template "chart.description" . }}
+
+{{ template "chart.homepageLine" . }}
+
+{{ template "chart.maintainersSection" . }}
+
+{{ template "chart.sourcesSection" . }}
+
+{{ template "common.prerequisites" . }}
+
+{{ template "chart.requirementsSection" . }}
+
+{{ template "chart.valuesSection" . }}
diff --git a/charts/kubernetes-dashboard/charts/kubernetes-dashboard-7.3.2.tgz b/charts/kubernetes-dashboard/charts/kubernetes-dashboard-7.3.2.tgz
new file mode 100644
index 00000000..e9b0de62
Binary files /dev/null and b/charts/kubernetes-dashboard/charts/kubernetes-dashboard-7.3.2.tgz differ
diff --git a/charts/kubernetes-dashboard/values.yaml b/charts/kubernetes-dashboard/values.yaml
new file mode 100644
index 00000000..feb16b31
--- /dev/null
+++ b/charts/kubernetes-dashboard/values.yaml
@@ -0,0 +1,108 @@
+kubernetes-dashboard:
+ # Auth container configuration
+ # Current: 100m/200Mi requests, 250m/400Mi limits
+ # Actual usage: 1m CPU, 7Mi memory
+ auth:
+ containers:
+ resources:
+ requests:
+ cpu: 10m
+ memory: 64Mi
+ limits:
+ cpu: 100m
+ memory: 256Mi
+
+ # API container configuration
+ # Current: 100m/200Mi requests, 250m/400Mi limits
+ # Actual usage: 1m CPU, 10Mi memory
+ api:
+ containers:
+ resources:
+ requests:
+ cpu: 10m
+ memory: 64Mi
+ limits:
+ cpu: 100m
+ memory: 256Mi
+
+ # Web UI container configuration
+ # Current: 100m/200Mi requests, 250m/400Mi limits
+ # Actual usage: 1m CPU, 7Mi memory
+ web:
+ containers:
+ resources:
+ requests:
+ cpu: 10m
+ memory: 64Mi
+ limits:
+ cpu: 100m
+ memory: 256Mi
+
+ # Metrics Scraper configuration
+ # Current: 100m/200Mi requests, 250m/400Mi limits
+ # Actual usage: 1m CPU, 14Mi memory
+ metricsScraper:
+ enabled: true
+ containers:
+ resources:
+ requests:
+ cpu: 10m
+ memory: 64Mi
+ limits:
+ cpu: 100m
+ memory: 256Mi
+
+ # Kong gateway configuration
+ # Current: NO LIMITS SET (BestEffort QoS - CRITICAL ISSUE!)
+ # Actual usage: 2m CPU, 133Mi memory (highest memory consumer)
+ # This configuration adds resource limits for the first time
+ kong:
+ enabled: true
+ env:
+ dns_order: LAST,A,CNAME,AAAA,SRV
+ plugins: 'off'
+ nginx_worker_processes: 1
+ ingressController:
+ enabled: false
+ dblessConfig:
+ configMap: kong-dbless-config
+ proxy:
+ type: ClusterIP
+ http:
+ enabled: false
+ # Resource limits for Kong proxy container
+ # Note: Kong chart uses different structure - resources at deployment level
+ deploymentAnnotations: {}
+ # Resources applied to the Kong deployment
+ resources:
+ requests:
+ cpu: 100m
+ memory: 181Mi
+ limits:
+ cpu: 200m
+ memory: 256Mi
+
+ # Disable optional components (not installed in your cluster)
+ metrics-server:
+ enabled: false
+
+ cert-manager:
+ enabled: false
+
+ nginx:
+ enabled: false
+
+ # Security context (keeping current secure defaults)
+ app:
+ security:
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ containerSecurityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsUser: 1001
+ runAsGroup: 2001
+ capabilities:
+ drop: ["ALL"]
diff --git a/devbox.json b/devbox.json
index 719177fb..64f60cbe 100644
--- a/devbox.json
+++ b/devbox.json
@@ -4,7 +4,7 @@ "kubectl@latest", "chart-testing@latest", "pre-commit@latest", - "trivy@latest", + "trivy@0.57.1", "checkov@3.2.336", "kubernetes-helm@latest", "actionlint@latest",
diff --git a/devbox.lock b/devbox.lock
index 606af49c..a93dbfcc 100644
--- a/devbox.lock
+++ b/devbox.lock
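Review bot: In `values.yaml`, the `app.security` block at the end of the hunk sets a non-root, read-only-root, drop-ALL context, but nothing under `kong:` sets any security context, and Kong appears to be the gateway in front of the dashboard. Its pod therefore runs with whatever the Kong subchart defaults to, which this diff does not show. Rendering the chart with `helm template` and checking the Kong container's `securityContext` would confirm it; if the defaults are relied on, record that in a comment such as `# Kong security context: inherited from the kong subchart defaults (verified <date>)`. The comments `Current: …`, `Actual usage: …` and `not installed in your cluster` describe one cluster at one point in time and would read better as neutral rationale for the chosen limits.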
@@ -632,51 +632,51 @@ } } }, - "trivy@latest": { - "last_modified": "2025-02-01T06:33:04Z", - "resolved": "github:NixOS/nixpkgs/047ebac174c408d6e5428b1865478893001276c5#trivy", + "trivy@0.57.1": { + "last_modified": "2024-12-03T12:40:06Z", + "resolved": "github:NixOS/nixpkgs/566e53c2ad750c84f6d31f9ccb9d00f823165550#trivy", "source": "devbox-search", - "version": "0.59.0", + "version": "0.57.1", "systems": { "aarch64-darwin": { "outputs": [ { "name": "out", - "path": "/nix/store/nqygrh6vkw2a8cj83yxwc786mcg6km6w-trivy-0.59.0", + "path": "/nix/store/rv93ihqdpksprkpp4bsbfgrg1551i5qa-trivy-0.57.1", "default": true } ], - "store_path": "/nix/store/nqygrh6vkw2a8cj83yxwc786mcg6km6w-trivy-0.59.0" + "store_path": "/nix/store/rv93ihqdpksprkpp4bsbfgrg1551i5qa-trivy-0.57.1" }, "aarch64-linux": { "outputs": [ { "name": "out", - "path": "/nix/store/2pkijvw6405qq106s0y49j8956wmikyp-trivy-0.59.0", + "path": "/nix/store/fcbxz60idc7fzqyx4svnlm2dl1bihzsh-trivy-0.57.1", "default": true } ], - "store_path": "/nix/store/2pkijvw6405qq106s0y49j8956wmikyp-trivy-0.59.0" + "store_path": "/nix/store/fcbxz60idc7fzqyx4svnlm2dl1bihzsh-trivy-0.57.1" }, "x86_64-darwin": { "outputs": [ { "name": "out", - "path": "/nix/store/6cfkq5apf2nzq229gjr6y6vn40f5nv3b-trivy-0.59.0", + "path": "/nix/store/517pgmyj9r1bsggcd7wcf64gryw2i0na-trivy-0.57.1", "default": true } ], - "store_path": "/nix/store/6cfkq5apf2nzq229gjr6y6vn40f5nv3b-trivy-0.59.0" + "store_path": "/nix/store/517pgmyj9r1bsggcd7wcf64gryw2i0na-trivy-0.57.1" }, "x86_64-linux": { "outputs": [ { "name": "out", - "path": "/nix/store/r3dqya9whwij5wmvzr12hphvq4vvqsch-trivy-0.59.0", + "path": "/nix/store/5js971jz5jxfjrnlik7qh03bxclralzk-trivy-0.57.1", "default": true } ], - "store_path": "/nix/store/r3dqya9whwij5wmvzr12hphvq4vvqsch-trivy-0.59.0" + "store_path": "/nix/store/5js971jz5jxfjrnlik7qh03bxclralzk-trivy-0.57.1" } } },