Add security context to moon containers.

aerokube · Jul 23, 2024 · 13f74a9 · 13f74a9
1 parent adc72df
commit 13f74a9
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 0 deletions.
diff --git a/moon2/templates/deployment.yaml b/moon2/templates/deployment.yaml
@@ -107,6 +107,12 @@ spec:
               {{- else -}}
               {{- $def -}}
               {{- end }}
+        {{- if .Values.deployment -}}
+        {{- with .Values.deployment.containerSecurityContext }}
+        securityContext:
+          {{ toYaml . | nindent 10 }}
+        {{- end }}
+        {{- end }}
         ports:
         - containerPort: 4545
         volumeMounts:
@@ -165,6 +171,12 @@ spec:
               {{- else -}}
               {{- $def -}}
               {{- end }}
+        {{- if .Values.deployment -}}
+        {{- with .Values.deployment.containerSecurityContext }}
+        securityContext:
+          {{ toYaml . | nindent 10 }}
+        {{- end }}
+        {{- end }}
         ports:
         - containerPort: 4444
       - name: moon-conf
@@ -202,6 +214,12 @@ spec:
               {{- else -}}
               {{- $def -}}
               {{- end }}
+        {{- if .Values.deployment -}}
+        {{- with .Values.deployment.containerSecurityContext }}
+        securityContext:
+          {{ toYaml . | nindent 10 }}
+        {{- end }}
+        {{- end }}
       {{- if $basicAuth }}
       {{- if not (eq $basicAuth "kubernetes") }}
       - name: moon-ui-basic-auth
@@ -244,6 +262,12 @@ spec:
               {{- else -}}
               {{- $def -}}
               {{- end }}
+        {{- if .Values.deployment -}}
+        {{- with .Values.deployment.containerSecurityContext }}
+        securityContext:
+          {{ toYaml . | nindent 10 }}
+        {{- end }}
+        {{- end }}
         ports:
         - containerPort: 8181
         volumeMounts:
@@ -294,6 +318,12 @@ spec:
               {{- else -}}
               {{- $def -}}
               {{- end }}
+        {{- if .Values.deployment -}}
+        {{- with .Values.deployment.containerSecurityContext }}
+        securityContext:
+          {{ toYaml . | nindent 10 }}
+        {{- end }}
+        {{- end }}
         ports:
         - containerPort: 9191
         volumeMounts:
@@ -339,6 +369,12 @@ spec:
               {{- else -}}
               {{- $def -}}
               {{- end }}
+        {{- if .Values.deployment -}}
+        {{- with .Values.deployment.containerSecurityContext }}
+        securityContext:
+          {{ toYaml . | nindent 10 }}
+        {{- end }}
+        {{- end }}
         ports:
         - containerPort: 9090
       {{- end }}
@@ -380,6 +416,12 @@ spec:
               {{- else -}}
               {{- $def -}}
               {{- end }}
+        {{- if .Values.deployment -}}
+        {{- with .Values.deployment.containerSecurityContext }}
+        securityContext:
+          {{ toYaml . | nindent 10 }}
+        {{- end }}
+        {{- end }}
         ports:
         - containerPort: 8080
       volumes:

diff --git a/moon2/values.yaml b/moon2/values.yaml
@@ -296,6 +296,21 @@ deployment:
   securityContext: {}
   #  runAsUser: 1000
 
+  ##
+  ## Security context for containers running in Moon pod.
+  ##
+  containerSecurityContext: {}
+  #  allowPrivilegeEscalation: false
+  #  capabilities:
+  #    drop:
+  #    - ALL
+  #    privileged: false
+  #    runAsGroup: 1000
+  #    runAsNonRoot: true
+  #    runAsUser: 1000
+  #    seccompProfile:
+  #      type: RuntimeDefault
+
   ##
   ## Optional fields that specifies the maximum number of pods that can be created over the desired number of pods
   ## and that can be unavailable during the update. You can use both int and percent values.