add support for security context (#113)

Co-authored-by: Andreas de Crinis <andreas.decrinis@avl.com>
jmcgrath207 · Aug 9, 2024 · 656777a · 656777a
1 parent 6173997
commit 656777a
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 0 deletions.
diff --git a/chart/README.md b/chart/README.md
@@ -44,6 +44,8 @@ helm upgrade --install my-deployment k8s-ephemeral-storage-metrics/k8s-ephemeral
 | serviceMonitor.relabelings | list | `[]` | Set relabelings as per https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.RelabelConfig |
 | serviceMonitor.targetLabels | list | `[]` | Set targetLabels as per https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.ServiceMonitorSpec |
 | tolerations | list | `[]` |  |
+| podSecurityContext                       | Pod security context                                                                                                |`"runAsNonRoot:" "true", "seccompProfile:" "{type: RuntimeDefault}"`|
+| containerSecurityContext | Container security context |`"allowPrivilegeEscalation:" "false", "capabilities:" "drop:" "ALL", "privileged:" "false", "readOnlyRootFilesystem:" "false", "runAsNonRoot:" "true"`|
 
 ## Prometheus alert rules
 

diff --git a/chart/templates/DeployType.yaml b/chart/templates/DeployType.yaml
@@ -34,6 +34,10 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       containers:
         - name: metrics
           image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
@@ -73,6 +77,10 @@ spec:
             periodSeconds: 10
             successThreshold: 1
             timeoutSeconds: 1
+          {{- with .Values.containerSecurityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           env:
             - name: DEPLOY_TYPE
               value: "{{ .Values.deploy_type }}"

diff --git a/chart/values.yaml b/chart/values.yaml
@@ -81,3 +81,23 @@ nodeSelector: {}
 affinity: {}
 
 tolerations: []
+
+# Pod Security Context
+# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+podSecurityContext:
+  runAsNonRoot: true
+  seccompProfile:
+    type: RuntimeDefault
+
+# Container Security Context to be set on the controller component container
+# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - ALL
+  privileged: false
+  readOnlyRootFilesystem: false
+  runAsNonRoot: true
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true