fix: operator webhook contexts

kubeshop · Jan 16, 2025 · f75f9bc · f75f9bc
1 parent 942014d
commit f75f9bc
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 28 deletions.
diff --git a/charts/testkube-operator/templates/_helpers.tpl b/charts/testkube-operator/templates/_helpers.tpl
@@ -155,9 +155,9 @@ Define podSecurityContext for Webhook Cert Job
 */}}
 {{- define "webhook.podSecurityContext" -}}
 {{- if .Values.global.podSecurityContext }}
-{{ toYaml .Values.global.podSecurityContext }}
+{{- toYaml .Values.global.podSecurityContext }}
 {{- else }}
-{{ toYaml .Values.webhook.patch.podSecurityContext }}
+{{- toYaml .Values.webhook.patch.podSecurityContext }}
 {{- end }}
 {{- end }}
 
@@ -192,4 +192,4 @@ Define containerSecurityContext for patch container
 {{- else }}
 {{- toYaml .Values.webhook.patch.patchWebhookJob.securityContext  }}
 {{- end }}
-{{- end }}
+{{- end }}
diff --git a/charts/testkube-operator/values.yaml b/charts/testkube-operator/values.yaml
@@ -178,14 +178,16 @@ webhook:
     ## Configure Security Context for Migrate Container
     ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
     ##
-    securityContext: {}
-#      readOnlyRootFilesystem: true
-#      allowPrivilegeEscalation: false
-#      seccompProfile:
-#        type: RuntimeDefault
-#      capabilities:
-#        drop:
-#          - ALL
+    securityContext:
+      allowPrivilegeEscalation: false
+      runAsNonRoot: true
+      runAsUser: 1001
+      runAsGroup: 1001
+      fsGroup: 1001
+      capabilities:
+        drop: ["ALL"]
+      seccompProfile:
+        type: RuntimeDefault
     ## Number of retries before considering a Job as failed
     backoffLimit: 1
     ## Resources limits and requests
@@ -215,19 +217,19 @@ webhook:
     ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
     ##
     podSecurityContext: {}
-#      runAsUser: 1000670000
-#      runAsNonRoot: true
 
     createSecretJob:
       ## Create Secret job container security context
-      securityContext: {}
-#        readOnlyRootFilesystem: true
-#        allowPrivilegeEscalation: false
-#        seccompProfile:
-#          type: RuntimeDefault
-#        capabilities:
-#          drop:
-#            - ALL
+      securityContext:
+        allowPrivilegeEscalation: false
+        runAsNonRoot: true
+        runAsUser: 1001
+        runAsGroup: 1001
+        fsGroup: 1001
+        capabilities:
+          drop: ["ALL"]
+        seccompProfile:
+          type: RuntimeDefault
       ## Create Secret resource requests and limits
       resources: {}
 

diff --git a/charts/testkube/values.yaml b/charts/testkube/values.yaml
@@ -1052,8 +1052,15 @@ testkube-operator:
       # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
       # -- Security Context for webhook migrate Container
       securityContext:
-        # -- Make root filesystem of the container read-only
-        readOnlyRootFilesystem: true
+        allowPrivilegeEscalation: false
+        runAsNonRoot: true
+        runAsUser: 1001
+        runAsGroup: 1001
+        fsGroup: 1001
+        capabilities:
+          drop: ["ALL"]
+        seccompProfile:
+          type: RuntimeDefault
 
       # -- Number of retries before considering a Job as failed
       backoffLimit: 1
@@ -1104,18 +1111,23 @@ testkube-operator:
         # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
         # -- Security Context for webhook create container
         securityContext:
-          # -- Make root filesystem of the container read-only
-          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+          runAsNonRoot: true
+          runAsUser: 1001
+          runAsGroup: 1001
+          fsGroup: 1001
+          capabilities:
+            drop: ["ALL"]
+          seccompProfile:
+            type: RuntimeDefault
         # -- kube-webhook-certgen create secret Job resource settings
         resources: {}
 
       # Patch Job config
       patchWebhookJob:
         # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
         # -- Security Context for webhook patch container
-        securityContext:
-          # -- Make root filesystem of the container read-only
-          readOnlyRootFilesystem: true
+        securityContext: {}
         # -- kube-webhook-certgen patch webhook Job resource settings
         resources: {}