feature: support security context for pod

shoplineapp · Sep 9, 2024 · 651008a · 651008a
1 parent 362d6c3
commit 651008a
Show file tree

Hide file tree

Showing 8 changed files with 66 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -47,6 +47,8 @@ helm dependency update ./helm/preview
 ```
 
 <!-- how to unit test -->
+### Unit test development ###
+https://github.com/helm-unittest/helm-unittest/blob/main/DOCUMENT.md  
 ### How to run unit tests
 
 ```bash

diff --git a/cronjob/Chart.yaml b/cronjob/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 description: Helm chart with simple cronjob template
 name: cronjob
-version: 1.0.0
+version: 1.0.1
 appVersion: 1.0.0
 tillerVersion: ">=2.14.3"
diff --git a/cronjob/templates/_argo_cron_workflow.tpl b/cronjob/templates/_argo_cron_workflow.tpl
@@ -33,6 +33,9 @@
     {{- if and (.Values.job) (.Values.job.timeout) }}
     activeDeadlineSeconds: {{.Values.job.timeout }}
     {{- end }}
+    {{- with .Values.securityContextForPod }}
+    securityContext: {{ toYaml . | nindent 6 }}
+    {{- end }}
     metrics:
       prometheus:
         # Metric name (will be prepended with "argo_workflows_")

diff --git a/cronjob/templates/_k8s_cronjob.tpl b/cronjob/templates/_k8s_cronjob.tpl
@@ -20,6 +20,9 @@
           serviceAccountName: {{ .Values.name }}-pod-service-account
           {{- end }}
           restartPolicy: Never
+          {{- with .Values.securityContextForPod }}
+          securityContext: {{ toYaml . | nindent 12 }}
+          {{- end }}
           containers:
             -
               name: app

diff --git a/cronjob/tests/securitycontextforpod_test.yaml b/cronjob/tests/securitycontextforpod_test.yaml
@@ -0,0 +1,46 @@
+suite: SecurityContextForPod Test
+templates:
+  - cronjob.yaml
+tests:
+
+  - it: should render nothing for an argo workflow if securityContextForPod is not specified
+    values:
+      - ./values/cronjob/argo_minimal.yaml
+    asserts:
+      - notExists:
+          path: spec.workflowSpec.securityContext
+
+  - it: should render securityContext for an argo workflow if securityContextForPod is specified
+    values:
+      - ./values/cronjob/argo.yaml
+    asserts:
+      - exists:
+          path: spec.workflowSpec.securityContext
+      - equal:
+          path: spec.workflowSpec.securityContext
+          value:
+            runAsUser: 1000
+            runAsGroup: 1000
+            fsGroup: 1000
+
+  - it: should render securityContext for an argo workflow if securityContextForPod is specified
+    values:
+      - ./values/cronjob/argo.yaml
+    set:
+      securityContextForPod:
+    asserts:
+      - notExists:
+          path: spec.workflowSpec.securityContext
+
+  - it: should render securityContext for a k8s cron job if securityContextForPod is specified
+    values:
+      - ./values/cronjob/k8s.yaml
+    asserts:
+      - exists:
+          path: spec.jobTemplate.spec.template.spec.securityContext
+      - equal:
+          path: spec.jobTemplate.spec.template.spec.securityContext
+          value:
+            runAsUser: 1000
+            runAsGroup: 1000
+            fsGroup: 1000
diff --git a/cronjob/tests/values/cronjob/argo.yaml b/cronjob/tests/values/cronjob/argo.yaml
@@ -63,6 +63,10 @@ serviceaccount:
 pdb:
   enable: true
   minAvailable: 9999
+securityContextForPod:
+  runAsUser: 1000
+  runAsGroup: 1000
+  fsGroup: 1000
 nodeSelector:
   nodegroup: ec-eks-db-cpu-node-autoscaling-group
 tolerations:

diff --git a/cronjob/tests/values/cronjob/k8s.yaml b/cronjob/tests/values/cronjob/k8s.yaml
@@ -32,3 +32,7 @@ resources:
   limits:
     cpu: 500m
     memory: 512Mi
+securityContextForPod:
+  runAsUser: 1000
+  runAsGroup: 1000
+  fsGroup: 1000
diff --git a/cronjob/values.yaml b/cronjob/values.yaml
@@ -158,6 +158,9 @@ suspend: false
 # container-level security attributes
 securityContext: {}
 
+# pod-level security attributes
+securityContextForPod: {}
+
 # Holds strategic merge patch to apply
 # podSpecPatch: ""