feat(helm): make pod and container securityContext configurable via values#404
Open
arnabmaji wants to merge 1 commit into
…alues

Add podSecurityContext and containerSecurityContext value overrides to manager.yaml. When set, they replace the default hardcoded security context blocks. When empty (default), existing behavior is preserved:

- Pod: runAsNonRoot: true + securityContext.seccompProfile.enabled toggle
- Container: allowPrivilegeEscalation: false + capabilities.drop: ALL

This is a non-breaking, additive change. The existing securityContext.seccompProfile.enabled value continues to work as before. Users who need stricter policies (Kyverno, OPA, PSS restricted) can now set the new values without vendoring the chart.
6fb58b4 to ce4d542
Summary

Add optional podSecurityContext and containerSecurityContext value overrides to manager.yaml, allowing users to fully customize security settings without vendoring the chart.

This is a non-breaking, additive change. Existing securityContext.seccompProfile.enabled behavior is preserved unchanged.

Problem

The current chart hardcodes:

- runAsNonRoot: true + optional seccompProfile toggle (boolean)
- allowPrivilegeEscalation: false + capabilities.drop: ALL

This makes it impossible to satisfy common security policies (Kyverno, OPA Gatekeeper, Pod Security Standards restricted profile) that additionally require:

- readOnlyRootFilesystem: true
- runAsUser / runAsGroup / fsGroup
- seccompProfile

Users are forced to either create policy exceptions or vendor the chart locally to patch the templates.

Solution

Add two new optional values that override the defaults when set:

- podSecurityContext: {} — when non-empty, replaces the default pod securityContext block entirely
- containerSecurityContext: {} — when non-empty, replaces the default container securityContext block for both manager and kube-rbac-proxy

When empty (the default), existing behavior is preserved exactly as-is, including the securityContext.seccompProfile.enabled toggle.

Template logic:

Example usage (satisfies Kyverno/PSS restricted):

Backwards Compatibility

- securityContext.seccompProfile.enabled: true
- podSecurityContext set
- containerSecurityContext set

Files Changed

- helm/temporal-worker-controller/templates/manager.yaml — conditional template logic
- helm/temporal-worker-controller/values.yaml — new optional values with documented examples
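The override semantics the PR describes ("when non-empty, replaces the default block entirely") have a sharp edge worth checking before adopting the chart values: a partial override that only adds readOnlyRootFilesystem silently discards allowPrivilegeEscalation: false and capabilities.drop: ALL, and the pod would then fail the very Pod Security Standards restricted policy the override was meant to satisfy. The program below is an added example, not code from the PR or from the temporal-worker-controller chart. It renders an assumed, trimmed-down form of the conditional template logic with Go's text/template (the engine Helm itself uses), with small stand-ins for the Sprig functions toYaml and nindent, then runs a crude substring check for the restricted-profile controls over the rendered output. Assumptions: the template body, the seccompProfile type RuntimeDefault behind the boolean toggle, the manager container only (kube-rbac-proxy omitted), and all values are constructed here.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"text/template"
)

// Assumed, trimmed-down form of the conditional logic the PR describes (not the
// chart's real manager.yaml): a non-empty override replaces the whole default
// block; an empty one keeps the defaults plus the seccompProfile.enabled toggle.
const managerTemplate = `securityContext:
{{- with .Values.podSecurityContext }}
  {{- toYaml . | nindent 2 }}
{{- else }}
  runAsNonRoot: true
  {{- if .Values.securityContext.seccompProfile.enabled }}
  seccompProfile:
    type: RuntimeDefault
  {{- end }}
{{- end }}
containers:
- name: manager
  securityContext:
  {{- with .Values.containerSecurityContext }}
    {{- toYaml . | nindent 4 }}
  {{- else }}
    allowPrivilegeEscalation: false
    capabilities:
      drop:
      - ALL
  {{- end }}
`

// toYaml and nindent are minimal stand-ins for the Sprig functions Helm provides:
// nested map[string]any with scalar or []any leaves, keys sorted for stable output.
func toYaml(v any) string { return strings.TrimRight(yamlOf(v.(map[string]any), 0), "\n") }
func yamlOf(m map[string]any, depth int) string {
	pad, out := strings.Repeat("  ", depth), ""
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		switch child := m[k].(type) {
		case map[string]any:
			out += fmt.Sprintf("%s%s:\n%s", pad, k, yamlOf(child, depth+1))
		case []any:
			out += fmt.Sprintf("%s%s:\n", pad, k)
			for _, item := range child {
				out += fmt.Sprintf("%s  - %v\n", pad, item)
			}
		default:
			out += fmt.Sprintf("%s%s: %v\n", pad, k, child)
		}
	}
	return out
}
func nindent(n int, s string) string {
	pad := strings.Repeat(" ", n)
	return "\n" + pad + strings.ReplaceAll(s, "\n", "\n"+pad)
}

// render executes the template against a values map shaped like values.yaml.
func render(values map[string]any) (string, error) {
	funcs := template.FuncMap{"toYaml": toYaml, "nindent": nindent}
	tmpl := template.Must(template.New("manager.yaml").Funcs(funcs).Parse(managerTemplate))
	var sb strings.Builder
	err := tmpl.Execute(&sb, map[string]any{"Values": values})
	return sb.String(), err
}

// missingRestrictedControls is a crude substring check for the controls the Pod
// Security Standards "restricted" profile requires; it names the absent ones.
func missingRestrictedControls(rendered string) []string {
	var missing []string
	for _, req := range [][2]string{
		{"runAsNonRoot", "runAsNonRoot: true"}, {"seccompProfile", "type: RuntimeDefault"},
		{"allowPrivilegeEscalation", "allowPrivilegeEscalation: false"}, {"capabilities.drop ALL", "- ALL"},
	} {
		if !strings.Contains(rendered, req[1]) {
			missing = append(missing, req[0])
		}
	}
	return missing
}

func main() {
	// Constructed values (not from the chart): seccomp toggle on, plus a container
	// override that only adds readOnlyRootFilesystem and so drops the defaults.
	out, err := render(map[string]any{
		"securityContext":          map[string]any{"seccompProfile": map[string]any{"enabled": true}},
		"podSecurityContext":       map[string]any{},
		"containerSecurityContext": map[string]any{"readOnlyRootFilesystem": true},
	})
	if err != nil {
		panic(err)
	}
	fmt.Println(out, "missing:", missingRestrictedControls(out))
}
```

With empty overrides the rendered output carries all four controls; with the partial override it loses allowPrivilegeEscalation: false and capabilities.drop: ALL. The practical rule that follows from the replace-entirely semantics is that any non-empty containerSecurityContext or podSecurityContext must restate the chart's defaults (runAsNonRoot, seccompProfile, allowPrivilegeEscalation, capabilities drop ALL) alongside the additions such as readOnlyRootFilesystem and runAsUser. The substring check here is only a smoke test; in CI, feed the output of helm template to the actual policy engine (Kyverno, Gatekeeper or the cluster's Pod Security admission) rather than relying on string matching.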