Description
On December 10th, 2024, we released a minor version for every Helm chart in the Bitnami catalog. This minor version introduced a new security mechanism to detect the usage of non-standard containers while installing or upgrading Helm chart releases.
Replacing the original containers that are shipped with the charts will result in installation errors like the one below:
```
⚠ ERROR: Original containers have been substituted for unrecognized ones. Deploying this chart with non-standard containers is likely to cause degraded security and performance, broken chart features, and missing environment variables.
Unrecognized images:
- [REGISTRY]/[REPOSITORY]:[TAG]
(...)
```
FAQ
Why did Bitnami introduce this mechanism?
There are several reasons to introduce this change:
- Bitnami charts are designed, tested, and validated on multiple platforms using a specific set of Bitnami and Tanzu Application Catalog containers. Therefore, Bitnami cannot guarantee the same quality standards when the original container images are replaced.
- Non-standard container images are likely to cause degraded security and performance, broken chart features, and missing environment variables.
- The Bitnami support team's limited bandwidth makes it impossible to provide efficient support for non-standard container images.
Can I use different image tags?
Yes, replacing default image tags is considered a valid use case. For instance, a user might be interested in using the Bitnami PostgreSQL chart with Bitnami PostgreSQL 15.x container images (note that the chart uses 16.x images by default).
That said, it is expected that you see some warnings on the chart notes given that the specific chart & image combination wasn't tested and validated by Bitnami on any platform.
Can I skip the security verification?
Yes, we introduced a new global parameter on every chart that can be used for that purpose, see:
Name | Description | Value |
---|---|---|
global.security.allowInsecureImages | By default, this chart verifies that the original container images that were designed, tested, and validated are used. This option makes the chart skip the verification step and proceed. | false |
At your own risk, you can bypass the verification by adding the `--set global.security.allowInsecureImages=true` argument to the `helm install` or `helm upgrade` commands or, alternatively, by adding the block below to your values YAML file:

```yaml
global:
  security:
    allowInsecureImages: true
```
Should I expect any issues upgrading my existing chart releases?
No issue is expected if you upgrade your existing releases using original container images. If you replace them, you'll have to skip the security verification.
Should I expect errors consuming Bitnami charts from mirror registries?
Yes. You should expect installation errors when consuming Bitnami charts from mirror registries, because the security mechanism will detect that the original images are not being used. To continue using mirror registries, you'll have to skip the security verification.
I built my custom image extending a Bitnami container image, should I expect errors?
Yes. Custom images, even if they're extensions of original Bitnami container images, will be detected by the security mechanism, so you should expect installation errors. To use your custom image, you'll have to skip the security verification at your own risk.
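Since the bypass switches the verification off for the whole release, it is useful to record which images a release replaces whenever the parameter is set. The Python sketch below is an added example, not Bitnami code: it reads the JSON printed by `helm get values <release> -o json` and reports the parameter plus every registry or repository override, skipping tag-only changes because those are a supported use case. The `registry`/`repository`/`tag`/`digest` key layout is an assumption about the chart's values, and the sample values are constructed.

```python
import json

def bypass_enabled(values):
    """True when global.security.allowInsecureImages is set in the values."""
    sec = (values.get("global") or {}).get("security") or {}
    return sec.get("allowInsecureImages") in (True, "true")

def image_overrides(node, path=""):
    """Yield (path, block) for each mapping that replaces a registry/repository."""
    if isinstance(node, dict):
        # Assumption: an image block is a mapping with "registry" or "repository".
        if any(isinstance(node.get(k), str) for k in ("registry", "repository")):
            yield path, node
        else:
            for key, child in node.items():
                yield from image_overrides(child, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from image_overrides(child, f"{path}[{i}]")

def audit(values):
    """Summarise the bypass flag and the image overrides for review."""
    overrides = []
    for path, img in image_overrides(values):
        parts = [img.get("registry"), img.get("repository")]
        overrides.append({
            "path": path,
            "image": "/".join(p for p in parts if p),
            "tag": img.get("tag"),
            "digest_pinned": bool(img.get("digest")),
        })
    return {"bypass": bypass_enabled(values), "overrides": overrides}

# Constructed sample of user-supplied values (not taken from a real release).
SAMPLE = json.loads("""{
  "global": {"security": {"allowInsecureImages": true}},
  "image": {"registry": "mirror.example.internal",
            "repository": "team/postgresql", "tag": "16.4.0"},
  "metrics": {"image": {"tag": "0.15.0"}},
  "volumePermissions": {"image": {"repository": "team/os-shell",
                                  "digest": "sha256:constructed-placeholder"}}
}""")

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

An override that is reported with `digest_pinned` false is resolved by tag only, so the image behind it can change without any change to the release values.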