From 13f74a9cd1ca2caa806193b855e985e9ccedccab Mon Sep 17 00:00:00 2001
From: Alexander Andryashin
Date: Tue, 23 Jul 2024 15:53:26 +0300
Subject: [PATCH] Add security context to moon containers.
---
 moon2/templates/deployment.yaml | 42 +++++++++++++++++++++++++++++++++
 moon2/values.yaml | 15 ++++++++++++
 2 files changed, 57 insertions(+)
diff --git a/moon2/templates/deployment.yaml b/moon2/templates/deployment.yaml
index b5e597a..d5e3ccc 100644
--- a/moon2/templates/deployment.yaml
+++ b/moon2/templates/deployment.yaml
@@ -107,6 +107,12 @@ spec:
 {{- else -}}
 {{- $def -}}
 {{- end }}
+ {{- if .Values.deployment -}}
+ {{- with .Values.deployment.containerSecurityContext }}
+ securityContext:
+ {{ toYaml . | nindent 10 }}
+ {{- end }}
+ {{- end }}
 ports:
 - containerPort: 4545
 volumeMounts:
@@ -165,6 +171,12 @@ spec:
 {{- else -}}
 {{- $def -}}
 {{- end }}
+ {{- if .Values.deployment -}}
+ {{- with .Values.deployment.containerSecurityContext }}
+ securityContext:
+ {{ toYaml . | nindent 10 }}
+ {{- end }}
+ {{- end }}
 ports:
 - containerPort: 4444
 - name: moon-conf
@@ -202,6 +214,12 @@ spec:
 {{- else -}}
 {{- $def -}}
 {{- end }}
+ {{- if .Values.deployment -}}
+ {{- with .Values.deployment.containerSecurityContext }}
+ securityContext:
+ {{ toYaml . | nindent 10 }}
+ {{- end }}
+ {{- end }}
 {{- if $basicAuth }}
 {{- if not (eq $basicAuth "kubernetes") }}
 - name: moon-ui-basic-auth
@@ -244,6 +262,12 @@ spec:
 {{- else -}}
 {{- $def -}}
 {{- end }}
+ {{- if .Values.deployment -}}
+ {{- with .Values.deployment.containerSecurityContext }}
+ securityContext:
+ {{ toYaml . | nindent 10 }}
+ {{- end }}
+ {{- end }}
 ports:
 - containerPort: 8181
 volumeMounts:
@@ -294,6 +318,12 @@ spec:
 {{- else -}}
 {{- $def -}}
 {{- end }}
+ {{- if .Values.deployment -}}
+ {{- with .Values.deployment.containerSecurityContext }}
+ securityContext:
+ {{ toYaml . | nindent 10 }}
+ {{- end }}
+ {{- end }}
 ports:
 - containerPort: 9191
 volumeMounts:
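Review bot: The `{{ toYaml . | nindent 10 }}` call sits on its own indented line below `securityContext:`, so the rendered manifest carries a whitespace-only line between the key and its first field; the usual Helm form `securityContext: {{- toYaml . | nindent 10 }}` renders cleanly. The same six-line `if`/`with`/`toYaml` block is pasted into all seven container definitions of this file (this hunk and the ones starting at -165, -202, -244, -294, -339 and -380), which invites drift when one copy is later fixed; a named template, `{{- define "moon.containerSecurityContext" -}}` wrapping the block and `{{ include "moon.containerSecurityContext" . }}` at each site, keeps them identical. Because every container receives the same context with no per-container override, an operator cannot grant one container an extra privilege it may need while keeping the others restricted; whether any of these containers needs that is not visible from the hunk. The container definitions this block sits in start and end outside the hunk.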
@@ -339,6 +369,12 @@ spec:
 {{- else -}}
 {{- $def -}}
 {{- end }}
+ {{- if .Values.deployment -}}
+ {{- with .Values.deployment.containerSecurityContext }}
+ securityContext:
+ {{ toYaml . | nindent 10 }}
+ {{- end }}
+ {{- end }}
 ports:
 - containerPort: 9090
 {{- end }}
@@ -380,6 +416,12 @@ spec:
 {{- else -}}
 {{- $def -}}
 {{- end }}
+ {{- if .Values.deployment -}}
+ {{- with .Values.deployment.containerSecurityContext }}
+ securityContext:
+ {{ toYaml . | nindent 10 }}
+ {{- end }}
+ {{- end }}
 ports:
 - containerPort: 8080
 volumes:
diff --git a/moon2/values.yaml b/moon2/values.yaml
index 9432f99..957e4b2 100644
--- a/moon2/values.yaml
+++ b/moon2/values.yaml
@@ -296,6 +296,21 @@ deployment:
 securityContext: {}
 # runAsUser: 1000
 
+ ##
+ ## Security context for containers running in Moon pod.
+ ##
+ containerSecurityContext: {}
+ # allowPrivilegeEscalation: false
+ # capabilities:
+ # drop:
+ # - ALL
+ # privileged: false
+ # runAsGroup: 1000
+ # runAsNonRoot: true
+ # runAsUser: 1000
+ # seccompProfile:
+ # type: RuntimeDefault
+
 ##
 ## Optional fields that specifies the maximum number of pods that can be created over the desired number of pods
 ## and that can be unavailable during the update. You can use both int and percent values.
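Review bot: `containerSecurityContext: {}` ships the new knob switched off, so the Moon containers keep the cluster's default privileges until an operator copies the commented values in; the commented set — `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]`, `runAsNonRoot: true`, `seccompProfile.type: RuntimeDefault` — corresponds to the restricted Pod Security Standard and would be a safer shipped default if the Moon images tolerate running as a non-root user, which should be confirmed against the images before changing it. The comment block should also say how this value relates to the pod-level `securityContext` directly above it, e.g. `## Container-level fields take precedence over the pod-level securityContext where both set the same field.`, since that is the rule Kubernetes applies and an operator setting `runAsUser` in both places will otherwise be surprised by which one wins. Adding `## Set in all seven Moon containers; there is no per-container override.` would make the scope of the setting visible where operators read it.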