diff --git a/helm/temporal-worker-controller/templates/manager.yaml b/helm/temporal-worker-controller/templates/manager.yaml
index a6e66c82..a1d3962e 100644
--- a/helm/temporal-worker-controller/templates/manager.yaml
+++ b/helm/temporal-worker-controller/templates/manager.yaml
@@ -49,12 +49,17 @@ spec:
 {{ include "temporal-worker-controller.selectorLabels" . | nindent 20 }}
 topologyKey: kubernetes.io/hostname
 {{- end }}
+ {{- if .Values.podSecurityContext }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ {{- else }}
 securityContext:
 runAsNonRoot: true
 {{- if .Values.securityContext.seccompProfile.enabled }}
 seccompProfile:
 type: RuntimeDefault
 {{- end }}
+ {{- end }}
 {{- with .Values.image.pullSecrets }}
 imagePullSecrets:
 {{- toYaml . | nindent 8 }}
@@ -116,11 +121,16 @@ spec:
 - mountPath: {{ .Values.webhook.certDir }}
 name: cert
 readOnly: true
+ {{- if .Values.containerSecurityContext }}
+ securityContext:
+ {{- toYaml .Values.containerSecurityContext | nindent 10 }}
+ {{- else }}
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
 drop:
 - "ALL"
+ {{- end }}
 livenessProbe:
 httpGet:
 path: /healthz
@@ -137,11 +147,16 @@ spec:
 {{- toYaml .Values.resources | nindent 10 }}
 {{- if not .Values.metrics.disableAuth }}
 - name: kube-rbac-proxy
+ {{- if .Values.containerSecurityContext }}
+ securityContext:
+ {{- toYaml .Values.containerSecurityContext | nindent 10 }}
+ {{- else }}
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
 drop:
 - "ALL"
+ {{- end }}
 image: registry.k8s.io/kubebuilder/kube-rbac-proxy:v0.14.1
 args:
 - "--secure-listen-address=0.0.0.0:8443"
diff --git a/helm/temporal-worker-controller/values.yaml b/helm/temporal-worker-controller/values.yaml
index 22466977..081e724d 100644
--- a/helm/temporal-worker-controller/values.yaml
+++ b/helm/temporal-worker-controller/values.yaml
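Review bot: A non-empty `podSecurityContext` takes the `if` branch and replaces the pod-level defaults wholesale, so a values file that only adds `fsGroup: 65532` silently loses `runAsNonRoot: true` and the `securityContext.seccompProfile.enabled` toggle, which is read only in the `else` branch. The two container hunks at `@@ -116,11 +121,16` and `@@ -137,11 +147,16` have the same replace-not-merge shape: a `containerSecurityContext` holding just `readOnlyRootFilesystem: true` drops `allowPrivilegeEscalation: false` and `capabilities.drop: ALL`. If wholesale replacement is intended, a comment at the `if` saying so would help; otherwise merging the user's map onto the legacy defaults keeps the hardening unless a key is explicitly overridden, e.g. for the pod level:
```yaml
      {{- $podSC := dict "runAsNonRoot" true }}
      {{- if .Values.securityContext.seccompProfile.enabled }}
      {{- $_ := set $podSC "seccompProfile" (dict "type" "RuntimeDefault") }}
      {{- end }}
      securityContext:
        {{- toYaml (mergeOverwrite $podSC .Values.podSecurityContext) | nindent 8 }}
      # … unchanged: imagePullSecrets …
```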
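Review bot: The nine-line `containerSecurityContext` if/else block inserted before the manager container's `livenessProbe` is repeated verbatim for the kube-rbac-proxy container in the hunk at `@@ -137,11 +147,16`; a named template (for example `define "temporal-worker-controller.containerSecurityContext"` next to the existing `selectorLabels` helper) included at both sites keeps the two containers from drifting. Both containers also read the same `.Values.containerSecurityContext`, so a setting that suits the manager is forced on kube-rbac-proxy as well — if that is deliberate, a one-line comment at the second site would save the next reader from checking. Sketch of the helper and one call site:
```yaml
{{- define "temporal-worker-controller.containerSecurityContext" -}}
{{- if .Values.containerSecurityContext }}
{{- toYaml .Values.containerSecurityContext }}
{{- else }}
allowPrivilegeEscalation: false
capabilities:
  drop:
    - "ALL"
{{- end }}
{{- end }}
```
```yaml
        securityContext:
          {{- include "temporal-worker-controller.containerSecurityContext" . | nindent 10 }}
        # … unchanged: livenessProbe …
```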
@@ -49,7 +49,7 @@ serviceAccount:
 name:
 # For common cases that do not require escalating privileges it is recommended to ensure that
-# all your Pods/Containers are restrictive.
+# all your Pods/Containers are restrictive.
 # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
 # Please enable the following if your project does NOT have to work on old Kubernetes versions < 1.19
 # or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ).
@@ -57,6 +57,34 @@ securityContext:
 seccompProfile:
 enabled: false
+# podSecurityContext overrides the default pod-level securityContext entirely when set.
+# If empty (default), the chart uses the legacy behavior above (runAsNonRoot: true +
+# optional seccompProfile toggle).
+# Example for restricted Pod Security Standards / Kyverno compliance:
+# podSecurityContext:
+# runAsNonRoot: true
+# runAsUser: 65532
+# runAsGroup: 65532
+# fsGroup: 65532
+# seccompProfile:
+# type: RuntimeDefault
+podSecurityContext: {}
+
+# containerSecurityContext overrides the default container-level securityContext for both
+# the manager and kube-rbac-proxy containers when set. If empty (default), the chart uses
+# the legacy behavior (allowPrivilegeEscalation: false + capabilities.drop: ALL).
+# Example for restricted Pod Security Standards / Kyverno compliance:
+# containerSecurityContext:
+# allowPrivilegeEscalation: false
+# readOnlyRootFilesystem: true
+# runAsGroup: 65532
+# seccompProfile:
+# type: RuntimeDefault
+# capabilities:
+# drop:
+# - "ALL"
+containerSecurityContext: {}
+
 # Default podAntiAffinity uses preferredDuringSchedulingIgnoredDuringExecution to spread manager
 # pods across nodes. For strict HA, switch to requiredDuringSchedulingIgnoredDuringExecution.
 affinity: {}
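Review bot: The `podSecurityContext` comment says the override replaces the pod-level defaults "entirely" but does not say that the `securityContext.seccompProfile.enabled` toggle a few lines above is then ignored — in the manager template hunk that toggle is only evaluated in the `else` branch — so a user who already has it enabled and adds a `podSecurityContext` loses the seccomp profile unless they restate it. Add above `podSecurityContext: {}`: `# When podSecurityContext is set, securityContext.seccompProfile.enabled has no effect; put seccompProfile here instead.` With this change the pre-existing `securityContext` key carries only the seccomp toggle while `podSecurityContext`/`containerSecurityContext` carry the actual contexts, which is worth one sentence so the three similarly named keys are not confused. The `containerSecurityContext` example also omits `runAsNonRoot`, so it only satisfies the restricted profile together with the pod-level example; saying so avoids a Kyverno rejection when a user copies just the container block.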