From ce4d542f91ee1dd8e77c8409ea04742c59cc6949 Mon Sep 17 00:00:00 2001
From: Arnab Maji
Date: Thu, 25 Jun 2026 14:32:44 +0530
Subject: [PATCH] feat(helm): make pod and container securityContext configurable via values
Add podSecurityContext and containerSecurityContext value overrides to manager.yaml. When set, they replace the default hardcoded security context blocks. When empty (default), existing behavior is preserved: - Pod: runAsNonRoot: true + securityContext.seccompProfile.enabled toggle - Container: allowPrivilegeEscalation: false + capabilities.drop: ALL This is a non-breaking, additive change. The existing securityContext.seccompProfile.enabled value continues to work as before. Users who need stricter policies (Kyverno, OPA, PSS restricted) can now set the new values without vendoring the chart.
---
 .../templates/manager.yaml | 15 ++++++++++
 helm/temporal-worker-controller/values.yaml | 30 ++++++++++++++++++-
 2 files changed, 44 insertions(+), 1 deletion(-)
diff --git a/helm/temporal-worker-controller/templates/manager.yaml b/helm/temporal-worker-controller/templates/manager.yaml
index a6e66c82..a1d3962e 100644
--- a/helm/temporal-worker-controller/templates/manager.yaml
+++ b/helm/temporal-worker-controller/templates/manager.yaml
@@ -49,12 +49,17 @@ spec:
 {{ include "temporal-worker-controller.selectorLabels" . | nindent 20 }}
 topologyKey: kubernetes.io/hostname
 {{- end }}
+ {{- if .Values.podSecurityContext }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ {{- else }}
 securityContext:
 runAsNonRoot: true
 {{- if .Values.securityContext.seccompProfile.enabled }}
 seccompProfile:
 type: RuntimeDefault
 {{- end }}
+ {{- end }}
 {{- with .Values.image.pullSecrets }}
 imagePullSecrets:
 {{- toYaml . | nindent 8 }}
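Review bot: A non-empty `podSecurityContext` replaces the whole pod-level block, so a user who sets only `fsGroup: 65532` silently loses `runAsNonRoot: true`, and the `securityContext.seccompProfile.enabled` toggle is ignored in that branch — the description's claim that the toggle "continues to work as before" only holds while the new value is empty. Starting from the hardened defaults and overlaying the user map with `mustMergeOverwrite` keeps both guarantees: an explicit `runAsNonRoot: false` still wins, but omission no longer drops it, and the seccomp toggle composes with the override. This also removes the duplicated `securityContext:` key across the two branches. `mustMergeOverwrite` deep-merges maps and replaces lists, which is the semantics wanted here; I have not rendered this against the chart, so please `helm template` it with both an empty and a partial `podSecurityContext`.

```yaml
      {{- /* hardened defaults; keys in .Values.podSecurityContext override per key */}}
      {{- $podSC := dict "runAsNonRoot" true }}
      {{- if .Values.securityContext.seccompProfile.enabled }}
      {{- $_ := set $podSC "seccompProfile" (dict "type" "RuntimeDefault") }}
      {{- end }}
      securityContext:
        {{- toYaml (mustMergeOverwrite $podSC (.Values.podSecurityContext | default dict)) | nindent 8 }}
      # … unchanged: imagePullSecrets …
```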
@@ -116,11 +121,16 @@ spec:
 - mountPath: {{ .Values.webhook.certDir }}
 name: cert
 readOnly: true
+ {{- if .Values.containerSecurityContext }}
+ securityContext:
+ {{- toYaml .Values.containerSecurityContext | nindent 10 }}
+ {{- else }}
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
 drop:
 - "ALL"
+ {{- end }}
 livenessProbe:
 httpGet:
 path: /healthz
@@ -137,11 +147,16 @@ spec:
 {{- toYaml .Values.resources | nindent 10 }}
 {{- if not .Values.metrics.disableAuth }}
 - name: kube-rbac-proxy
+ {{- if .Values.containerSecurityContext }}
+ securityContext:
+ {{- toYaml .Values.containerSecurityContext | nindent 10 }}
+ {{- else }}
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
 drop:
 - "ALL"
+ {{- end }}
 image: registry.k8s.io/kubebuilder/kube-rbac-proxy:v0.14.1
 args:
 - "--secure-listen-address=0.0.0.0:8443"
diff --git a/helm/temporal-worker-controller/values.yaml b/helm/temporal-worker-controller/values.yaml
index 22466977..081e724d 100644
--- a/helm/temporal-worker-controller/values.yaml
+++ b/helm/temporal-worker-controller/values.yaml
@@ -49,7 +49,7 @@ serviceAccount:
 name:
 # For common cases that do not require escalating privileges it is recommended to ensure that
-# all your Pods/Containers are restrictive.
+# all your Pods/Containers are restrictive.
 # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
 # Please enable the following if your project does NOT have to work on old Kubernetes versions < 1.19
 # or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ).
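Review bot: The manager container's `{{- if .Values.containerSecurityContext }}` branch drops `allowPrivilegeEscalation: false` and `capabilities.drop: ["ALL"]` as soon as the user sets any key at all — e.g. just `readOnlyRootFilesystem: true` — which is the opposite of the "stricter policies" use case the change is meant to serve. Overlaying the user map on the defaults keeps the hardening unless it is overridden explicitly: `{{- $sc := mustMergeOverwrite (dict "allowPrivilegeEscalation" false "capabilities" (dict "drop" (list "ALL"))) (.Values.containerSecurityContext | default dict) }}` followed by `securityContext:` and `{{- toYaml $sc | nindent 10 }}`, with the `if`/`else` removed. Note that a user-supplied `capabilities.drop` list replaces rather than appends to `["ALL"]`, which is fine since `ALL` is already the maximum. The container definition this sits in starts before the hunk.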
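Review bot: The kube-rbac-proxy container reuses the single `containerSecurityContext` value that also governs the manager, so image-specific settings such as `runAsUser`/`runAsGroup` or `readOnlyRootFilesystem` tuned for the controller image are applied verbatim to the third-party `registry.k8s.io/kubebuilder/kube-rbac-proxy:v0.14.1` image, which may run as a different UID or need a writable path. A dedicated override with a fallback to the shared one avoids forcing users to choose the lowest common denominator: `{{- $proxySC := default .Values.containerSecurityContext ((.Values.kubeRbacProxy | default dict).securityContext) }}` and then render `$proxySC` in place of `.Values.containerSecurityContext`; the `| default dict` guard matters because indexing a missing `.Values.kubeRbacProxy` would fail the render. If the chart has no `kubeRbacProxy` values section yet, a top-level `kubeRbacProxySecurityContext` key serves the same purpose. This container block continues past the end of the hunk.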
@@ -57,6 +57,34 @@ securityContext:
 seccompProfile:
 enabled: false
+# podSecurityContext overrides the default pod-level securityContext entirely when set.
+# If empty (default), the chart uses the legacy behavior above (runAsNonRoot: true +
+# optional seccompProfile toggle).
+# Example for restricted Pod Security Standards / Kyverno compliance:
+# podSecurityContext:
+# runAsNonRoot: true
+# runAsUser: 65532
+# runAsGroup: 65532
+# fsGroup: 65532
+# seccompProfile:
+# type: RuntimeDefault
+podSecurityContext: {}
+
+# containerSecurityContext overrides the default container-level securityContext for both
+# the manager and kube-rbac-proxy containers when set. If empty (default), the chart uses
+# the legacy behavior (allowPrivilegeEscalation: false + capabilities.drop: ALL).
+# Example for restricted Pod Security Standards / Kyverno compliance:
+# containerSecurityContext:
+# allowPrivilegeEscalation: false
+# readOnlyRootFilesystem: true
+# runAsGroup: 65532
+# seccompProfile:
+# type: RuntimeDefault
+# capabilities:
+# drop:
+# - "ALL"
+containerSecurityContext: {}
+
 # Default podAntiAffinity uses preferredDuringSchedulingIgnoredDuringExecution to spread manager
 # pods across nodes. For strict HA, switch to requiredDuringSchedulingIgnoredDuringExecution.
 affinity: {}
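Review bot: The `podSecurityContext` comment should spell out the two consequences of "overrides ... entirely" that the manager.yaml template actually has: the `securityContext.seccompProfile.enabled` toggle directly above is ignored once this map is non-empty, and nothing from the defaults is merged in, so a partial override silently drops `runAsNonRoot: true`. I would add, above `podSecurityContext: {}`: `# NOTE: a non-empty podSecurityContext replaces the defaults wholesale and bypasses securityContext.seccompProfile.enabled; set seccompProfile here and keep runAsNonRoot: true.` The `containerSecurityContext` comment deserves the matching caveat that omitting `allowPrivilegeEscalation: false` or `capabilities.drop: ["ALL"]` from the override removes them from both containers. The example UID/GID `65532` is plausible for a distroless nonroot image but is not verifiable from this diff; a short "adjust to the UID your image runs as" note would keep users from copying it blindly.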