Update Helm release grafana to v12.3.3 #2298

Merged: claytono merged 3 commits into main from renovate/grafana-12.x on Jun 5, 2026

@renovate renovate Bot commented Jun 1, 2026

This PR contains the following updates:

Package | Update | Change | Pending
grafana (source) | patch | 12.3.0 -> 12.3.3 | 12.4.2 (+2)

Release Notes

grafana-community/helm-charts (grafana)

v12.3.3

The leading tool for querying and visualizing time series and metrics.

What's Changed

New Contributors

Full Changelog: grafana-community/helm-charts@loki-14.2.0...grafana-12.3.3

v12.3.2

The leading tool for querying and visualizing time series and metrics.

What's Changed

  • [grafana] Update docker.io/grafana/grafana Docker tag to v13.0.1-security-01 by @odev-swe in #489

New Contributors

Full Changelog: grafana-community/helm-charts@loki-13.7.2...grafana-12.3.2

v12.3.1

The leading tool for querying and visualizing time series and metrics.

What's Changed

  • [grafana] Update quay.io/kiwigrid/k8s-sidecar Docker tag to v2.7.3 by @renovate[bot] in #477

Full Changelog: grafana-community/helm-charts@loki-13.6.2...grafana-12.3.1


Configuration

📅 Schedule: (in timezone America/New_York)

  • Branch creation
    • "after 2am and before 8am on monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested a review from claytono as a code owner June 1, 2026 06:50
@renovate renovate Bot added the renovate label Jun 1, 2026

github-actions Bot commented Jun 1, 2026

grafana (helm) 12.3.0 -> 12.3.3, docker.io/grafana/grafana (docker) 13.0.1 -> 13.0.1-security-01

Risk: 🟢 Safe

The Deep Dive

Update Scope

kubernetes/grafana/Chart.yaml updates the grafana Helm dependency from 12.3.0 to 12.3.3. The rendered Grafana Deployment moves docker.io/grafana/grafana from 13.0.1 to 13.0.1-security-01, while the busybox:1.37.0 init image remains unchanged. There is no Kustomize image override in kustomization.yaml, so the rendered Grafana image change is what will deploy. Upstream sidecar and image-renderer changes from grafana-12.3.1 and grafana-12.3.3 are not active here because the rendered Deployment has only the Grafana container plus init-chown-data, with no sidecar or image-renderer resources.

Security

  • CVE-2026-28376 (CVSS 6.5) and CVE-2026-28379 (CVSS 6.5): 13.0.1-security-01 fixes authenticated Grafana Live denial-of-service paths. This deployment exposes Grafana through an Ingress and maps signed-in OIDC users to Viewer by default in grafana.ini, so authenticated Viewer paths are deployment-relevant.
  • CVE-2026-28383 (CVSS 6.5): 13.0.1-security-01 fixes an authenticated plugin-resource request OOM path. The deployment runs the standard Grafana server with the normal plugin path configured and is reachable after OIDC login.

Newer Versions

  • grafana-12.4.2 is newer than this PR and grafana-community/helm-charts PR 536 adds DAC_OVERRIDE to init-chown-data so restricted persisted directories can be traversed during chown -R. This deployment has persistence enabled, and the proposed rendered init container still adds only CHOWN. This is a useful follow-up, but it is not introduced by this PR because origin/main already had the same CHOWN-only init container.
  • No newer Grafana application release was found beyond v13.0.1+security-01, and no newer chart release was found that fixes a regression introduced specifically by grafana-12.3.3.

Hazards & Risks

None identified. The only Kubernetes object removals are an empty Role and a RoleBinding bound to that empty Role; the proposed Kustomize resource list keeps the service account, cluster role/binding, service, deployment, ingress, and PVC.

Sources


🟢 Verdict: Safe

Merge is reasonable: this PR deploys Grafana's security image and removes only empty RBAC objects, with no active sidecar or renderer behavior change in this deployment. Let Renovate follow with the newer 12.4.x chart for the persistence init-container improvement, but this PR does not introduce that issue.
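
The removal check described in the comment above, as an added example that is not part of the original PR or the repository's tooling: it compares two rendered manifest sets and accepts a removal only when it is a Role with no rules or a RoleBinding whose target grants nothing. The `monitoring` namespace, the object names and the manifests themselves are constructed for illustration.

```python
# Added example: classify objects that disappear between two rendered manifest sets.
# Every manifest below is a constructed sample, not the repository's real output.

def manifest(kind, name, ns="monitoring", **extra):
    return {"kind": kind, "metadata": {"name": name, "namespace": ns}, **extra}

def key(m):
    meta = m["metadata"]
    return (m["kind"], meta.get("namespace", ""), meta["name"])

def review_removals(before, after):
    """Map each removed object's key to an 'ok: ...' or 'review: ...' verdict."""
    old = {key(m): m for m in before}
    kept = {key(m) for m in after}
    verdicts = {}
    for k, m in old.items():
        if k in kept:
            continue
        kind, ns, _ = k
        if kind == "Role":
            # A Role with no rules grants nothing, so dropping it changes no access.
            verdicts[k] = "ok: empty Role" if not m.get("rules") else "review: Role had rules"
        elif kind == "RoleBinding":
            ref = m["roleRef"]
            # Roles live in the binding's namespace; ClusterRoles are not namespaced.
            target = old.get((ref["kind"], ns if ref["kind"] == "Role" else "", ref["name"]))
            # An unknown target, or a ClusterRole that aggregates rules, is not "empty".
            empty = (target is not None and not target.get("rules")
                     and "aggregationRule" not in target)
            verdicts[k] = ("ok: bound to empty " + ref["kind"]) if empty \
                else "review: binding may have granted access"
        else:
            verdicts[k] = "review: unexpected removal"
    return verdicts

BEFORE = [
    manifest("ServiceAccount", "grafana"),
    manifest("Role", "grafana", rules=[]),
    manifest("RoleBinding", "grafana", roleRef={"kind": "Role", "name": "grafana"}),
    manifest("Deployment", "grafana"),
]
AFTER = [m for m in BEFORE if m["kind"] not in ("Role", "RoleBinding")]

if __name__ == "__main__":
    for k, verdict in review_removals(BEFORE, AFTER).items():
        print(k, "->", verdict)
```
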

@renovate renovate Bot force-pushed the renovate/grafana-12.x branch 11 times, most recently from 1f617f2 to 2d04193 Compare June 4, 2026 15:32
@renovate renovate Bot force-pushed the renovate/grafana-12.x branch from c810bf2 to 99f6389 Compare June 4, 2026 20:31
github-actions Bot and others added 2 commits June 4, 2026 20:33
Drop the Role and RoleBinding resources from the Grafana kustomization because chart 12.3.3 no longer renders them with the default cluster-scoped RBAC mode.

renovate Bot commented Jun 4, 2026

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@claytono claytono merged commit 28158b4 into main Jun 5, 2026
19 checks passed
@claytono claytono deleted the renovate/grafana-12.x branch June 5, 2026 00:16