feat(helm): make pod and container securityContext configurable via values

helm/temporal-worker-controller/templates/manager.yaml

@@ -49,12 +49,17 @@ spec:
 {{ include "temporal-worker-controller.selectorLabels" . | nindent 20 }}
                 topologyKey: kubernetes.io/hostname
       {{- end }}
+      {{- if .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      {{- else }}
       securityContext:
         runAsNonRoot: true
         {{- if .Values.securityContext.seccompProfile.enabled }}
         seccompProfile:
           type: RuntimeDefault
         {{- end }}
+      {{- end }}
       {{- with .Values.image.pullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
@@ -116,11 +121,16 @@ spec:
           - mountPath: {{ .Values.webhook.certDir }}
             name: cert
             readOnly: true
+        {{- if .Values.containerSecurityContext }}
+        securityContext:
+          {{- toYaml .Values.containerSecurityContext | nindent 10 }}
+        {{- else }}
         securityContext:
           allowPrivilegeEscalation: false
           capabilities:
             drop:
               - "ALL"
+        {{- end }}
         livenessProbe:
           httpGet:
             path: /healthz
@@ -137,11 +147,16 @@ spec:
           {{- toYaml .Values.resources | nindent 10 }}
       {{- if not .Values.metrics.disableAuth }}
       - name: kube-rbac-proxy
+        {{- if .Values.containerSecurityContext }}
+        securityContext:
+          {{- toYaml .Values.containerSecurityContext | nindent 10 }}
+        {{- else }}
         securityContext:
           allowPrivilegeEscalation: false
           capabilities:
             drop:
               - "ALL"
+        {{- end }}
         image: registry.k8s.io/kubebuilder/kube-rbac-proxy:v0.14.1
         args:
           - "--secure-listen-address=0.0.0.0:8443"

helm/temporal-worker-controller/values.yaml

@@ -49,14 +49,42 @@ serviceAccount:
   name:
 
 # For common cases that do not require escalating privileges it is recommended to ensure that
-#  all your Pods/Containers are restrictive.
+# all your Pods/Containers are restrictive.
 # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
 # Please enable the following if your project does NOT have to work on old Kubernetes versions < 1.19
 # or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ).
 securityContext:
   seccompProfile:
     enabled: false
 
+# podSecurityContext overrides the default pod-level securityContext entirely when set.
+# If empty (default), the chart uses the legacy behavior above (runAsNonRoot: true +
+# optional seccompProfile toggle).
+# Example for restricted Pod Security Standards / Kyverno compliance:
+#   podSecurityContext:
+#     runAsNonRoot: true
+#     runAsUser: 65532
+#     runAsGroup: 65532
+#     fsGroup: 65532
+#     seccompProfile:
+#       type: RuntimeDefault
+podSecurityContext: {}
+
+# containerSecurityContext overrides the default container-level securityContext for both
+# the manager and kube-rbac-proxy containers when set. If empty (default), the chart uses
+# the legacy behavior (allowPrivilegeEscalation: false + capabilities.drop: ALL).
+# Example for restricted Pod Security Standards / Kyverno compliance:
+#   containerSecurityContext:
+#     allowPrivilegeEscalation: false
+#     readOnlyRootFilesystem: true
+#     runAsGroup: 65532
+#     seccompProfile:
+#       type: RuntimeDefault
+#     capabilities:
+#       drop:
+#         - "ALL"
+containerSecurityContext: {}
+
 # Default podAntiAffinity uses preferredDuringSchedulingIgnoredDuringExecution to spread manager
 # pods across nodes. For strict HA, switch to requiredDuringSchedulingIgnoredDuringExecution.
 affinity: {}