Add default securityContext and the ability to configure it via Helm …

…chart (#432)
hashicorp · Jul 3, 2024 · afa52ec · afa52ec
1 parent c34abbb
commit afa52ec
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 3 deletions.
diff --git a/.changes/unreleased/ENHANCEMENTS-432-20240703-130920.yaml b/.changes/unreleased/ENHANCEMENTS-432-20240703-130920.yaml
@@ -0,0 +1,5 @@
+kind: ENHANCEMENTS
+body: '`Helm Chart`: Add the ability to configure the security context of the Deployment pod and containers.'
+time: 2024-07-03T13:09:20.971299+02:00
+custom:
+    PR: "432"
diff --git a/charts/terraform-cloud-operator/README.md b/charts/terraform-cloud-operator/README.md
@@ -149,15 +149,18 @@ For a more detailed explanation, please refer to the [FAQ](../../docs/faq.md#gen
 | kubeRbacProxy.resources.limits.memory | string | `"128Mi"` | Limits as a maximum amount of memory to be used by a container. |
 | kubeRbacProxy.resources.requests.cpu | string | `"50m"` | Guaranteed minimum amount of CPU to be used by a container. |
 | kubeRbacProxy.resources.requests.memory | string | `"64Mi"` | Guaranteed minimum amount of memory to be used by a container. |
+| kubeRbacProxy.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"seccompProfile":{"type":"RuntimeDefault"}}` | Container security context. More information in [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/). |
 | operator.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. |
 | operator.image.repository | string | `"hashicorp/terraform-cloud-operator"` | Image repository. |
 | operator.image.tag | string | `""` | Image tag. Defaults to `.Chart.AppVersion`. |
 | operator.resources.limits.cpu | string | `"500m"` | Limits as a maximum amount of CPU to be used by a container. |
 | operator.resources.limits.memory | string | `"128Mi"` | Limits as a maximum amount of memory to be used by a container. |
 | operator.resources.requests.cpu | string | `"50m"` | Guaranteed minimum amount of CPU to be used by a container. |
 | operator.resources.requests.memory | string | `"64Mi"` | Guaranteed minimum amount of memory to be used by a container. |
+| operator.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"seccompProfile":{"type":"RuntimeDefault"}}` | Container security context. More information in [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/). |
 | operator.skipTLSVerify | bool | `false` | Whether or not to ignore TLS certification warnings. |
 | operator.syncPeriod | string | `"5m"` | The minimum frequency at which watched resources are reconciled. Format: `5s`, `1m`, etc. |
 | operator.tfeAddress | string | `""` | The API URL of a Terraform Enterprise instance. |
 | operator.watchedNamespaces | list | `[]` | List of namespaces the controllers should watch. |
 | replicaCount | int | `2` | The number of Operator replicas. |
+| securityContext | object | `{"runAsNonRoot":true}` | Deployment pod security context. More information in [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/). |
diff --git a/charts/terraform-cloud-operator/templates/deployment.yaml b/charts/terraform-cloud-operator/templates/deployment.yaml
@@ -70,7 +70,7 @@ spec:
           resources:
             {{- toYaml .Values.operator.resources | nindent 12 }}
           securityContext:
-            allowPrivilegeEscalation: false
+            {{- toYaml .Values.operator.securityContext | nindent 12 }}
           volumeMounts:
           {{- if .Values.customCAcertificates }}
           - name: ca-certificates
@@ -93,10 +93,10 @@ spec:
           resources:
             {{- toYaml .Values.kubeRbacProxy.resources | nindent 12 }}
           securityContext:
-            allowPrivilegeEscalation: false
+            {{- toYaml .Values.kubeRbacProxy.securityContext | nindent 12 }}
       serviceAccountName: {{ .Release.Name }}-controller-manager
       securityContext:
-        runAsNonRoot: true
+        {{- toYaml .Values.securityContext | nindent 8 }}
       terminationGracePeriodSeconds: 10
       volumes:
       - configMap:

diff --git a/charts/terraform-cloud-operator/values.yaml b/charts/terraform-cloud-operator/values.yaml
@@ -7,6 +7,10 @@ imagePullSecrets: []
 # -- The number of Operator replicas.
 replicaCount: 2
 
+# -- Deployment pod security context. More information in [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
+securityContext:
+  runAsNonRoot: true
+
 # Operator-global options.
 operator:
   image:
@@ -28,6 +32,15 @@ operator:
       # -- Guaranteed minimum amount of memory to be used by a container.
       memory: 64Mi
 
+  # -- Container security context. More information in [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - ALL
+    seccompProfile:
+      type: RuntimeDefault
+
   # -- The minimum frequency at which watched resources are reconciled. Format: `5s`, `1m`, etc.
   syncPeriod: 5m
 
@@ -49,6 +62,15 @@ kubeRbacProxy:
     # -- Image tag.
     tag: v0.18.0
 
+  # -- Container security context. More information in [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - ALL
+    seccompProfile:
+      type: RuntimeDefault
+
   resources:
     limits:
       # -- Limits as a maximum amount of CPU to be used by a container.