From e51de40a7ea744f521ff50922db4bf11ddac8a3c Mon Sep 17 00:00:00 2001
From: Gianluca755 <19376177+Gianluca755@users.noreply.github.com>
Date: Fri, 23 Aug 2024 05:43:50 +0000
Subject: [PATCH 1/3] feat: make pod securitycontext configurable in helm chart

---
 snyk-monitor/templates/deployment.yaml | 14 +++++---------
 snyk-monitor/values.yaml | 14 +++++++++++---
 2 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/snyk-monitor/templates/deployment.yaml b/snyk-monitor/templates/deployment.yaml
index f1924632b..4d67230ec 100644
--- a/snyk-monitor/templates/deployment.yaml
+++ b/snyk-monitor/templates/deployment.yaml
@@ -33,9 +33,9 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 spec:
-{{- with .Values.securityContext.fsGroup }}
+{{- with .Values.podSecurityContext }}
 securityContext:
-fsGroup: {{ int . }}
+{{- toYaml . | nindent 8 }}
 {{- end }}
 affinity:
 nodeAffinity:
@@ -250,14 +250,10 @@ spec:
 exec:
 command:
 - "true"
+{{- with .Values.snykMonitorSecurityContext }}
 securityContext:
-privileged: false
-runAsNonRoot: true
-allowPrivilegeEscalation: false
-readOnlyRootFilesystem: true
-capabilities:
-drop:
-- ALL
+{{- toYaml . | nindent 12 }}
+{{- end }}
 volumes:
 - name: docker-config
 secret:
diff --git a/snyk-monitor/values.yaml b/snyk-monitor/values.yaml
index 9c39d6ea2..52d2396c2 100644
--- a/snyk-monitor/values.yaml
+++ b/snyk-monitor/values.yaml
@@ -134,9 +134,17 @@ excludedNamespaces:
 # template:
 # spec:
 # securityContext:
-# fsGroup: <-- here
-securityContext:
-fsGroup:
+# ... <-- here
+podSecurityContext: {}
+
+snykMonitorSecurityContext:
+privileged: false
+runAsNonRoot: true
+allowPrivilegeEscalation: false
+readOnlyRootFilesystem: true
+capabilities:
+drop:
+- ALL
 
 # Set node tolerations for snyk-monitor
 tolerations: []

From 4dd18a1da22d5cd31931f0120ec812f877f01f72 Mon Sep 17 00:00:00 2001
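Review bot: The container securityContext in the second deployment.yaml hunk is now wrapped in `{{- with .Values.snykMonitorSecurityContext }}`, so a user who sets that key to `{}` or `null` removes the whole block and the previously hard-coded hardening (runAsNonRoot, allowPrivilegeEscalation: false, readOnlyRootFilesystem, drop ALL) silently disappears from the rendered Deployment. The values.yaml hunk of this commit introduces `snykMonitorSecurityContext` without any comment, unlike the neighbouring `# Set node tolerations for snyk-monitor`, so nothing tells an operator that these defaults are the baseline rather than an example. I would add above the key `# Container securityContext for the snyk-monitor container. The defaults below are the hardening baseline; add or tighten fields rather than replacing the map, since an empty value renders no securityContext at all.` If the chart wants a floor rather than a default, the template could render the chart defaults merged with the user value instead of using `with`, but that is a design decision beyond this commit.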
From: Gianluca755 <19376177+Gianluca755@users.noreply.github.com>
Date: Tue, 1 Oct 2024 08:09:27 +0000
Subject: [PATCH 2/3] fix: include fsgroup override for backwards compatibility

---
 snyk-monitor/templates/deployment.yaml | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/snyk-monitor/templates/deployment.yaml b/snyk-monitor/templates/deployment.yaml
index 4d67230ec..25e257756 100644
--- a/snyk-monitor/templates/deployment.yaml
+++ b/snyk-monitor/templates/deployment.yaml
@@ -33,10 +33,19 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 spec:
-{{- with .Values.podSecurityContext }}
-securityContext:
-{{- toYaml . | nindent 8 }}
-{{- end }}
+{{- with .Values.podSecurityContext }}
+securityContext:
+{{- $fsGroupOverride := dict }}
+{{- if hasKey $.Values.securityContext "fsGroup" }}
+{{- $fsGroupOverride = dict "fsGroup" (int $.Values.securityContext.fsGroup) }}
+{{- end }}
+{{- merge $fsGroupOverride . | toYaml | nindent 8 }}
+{{- else }}
+{{- if .Values.securityContext.fsGroup }}
+securityContext:
+fsGroup: {{ int .Values.securityContext.fsGroup }}
+{{- end }}
+{{- end }}
 affinity:
 nodeAffinity:
 requiredDuringSchedulingIgnoredDuringExecution:

From 8dd5d6f062c0d916fe158acaf3675a5587eaab9c Mon Sep 17 00:00:00 2001
From: jonny
Date: Tue, 1 Oct 2024 10:54:38 +0100
Subject: [PATCH 3/3] fix: re-introduce missing default value

---
 snyk-monitor/values.yaml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/snyk-monitor/values.yaml b/snyk-monitor/values.yaml
index 52d2396c2..966d4222e 100644
--- a/snyk-monitor/values.yaml
+++ b/snyk-monitor/values.yaml
@@ -134,6 +134,15 @@ excludedNamespaces:
 # template:
 # spec:
 # securityContext:
+# fsGroup: <-- here
+# ... <-- here
+securityContext: {}
+
+# Allow specifying the whole object in the PodSpec securityContext:
+# spec:
+# template:
+# spec:
+# securityContext:
 # ... <-- here
 podSecurityContext: {}
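Review bot: The two branches of this hunk disagree on when the legacy `securityContext.fsGroup` is honoured: the `with` branch tests presence with `hasKey $.Values.securityContext "fsGroup"` and then casts with `int`, so a key that is present but empty or non-numeric (for example `--set securityContext.fsGroup=`) is rendered as `fsGroup: 0`, i.e. group root on every mounted volume, whereas the `else` branch only emits the key when it is truthy. Using the same truthiness test in both places, `{{- if $.Values.securityContext.fsGroup }}`, matches the behaviour of the original `{{- with .Values.securityContext.fsGroup }}` and avoids the silent 0. Note also that `merge $fsGroupOverride .` gives the legacy key precedence over `podSecurityContext.fsGroup` when both are set; that ordering is worth stating in the values.yaml comment for `securityContext` so operators are not surprised by the override.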
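Review bot: The restored `securityContext: {}` in the values.yaml hunk carries no comment saying what it is for, and the block above it now has two markers (`# fsGroup: <-- here` and `# ... <-- here`), which suggests the whole pod securityContext may be given under this key even though the deployment template reads only `fsGroup` from it. I would drop the stale `# ... <-- here` line from that first block and add above the key something like `# Legacy key: only fsGroup is read from here and it takes precedence over podSecurityContext.fsGroup; prefer podSecurityContext for new installs.` The second comment block already documents `podSecurityContext` clearly, so this would make the two adjacent keys read consistently.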