feat: Add ability to define securityContext and podSecurityContext (#178)

Signed-off-by: Marco Maurer <mkilchhofer@users.noreply.github.com>
Co-authored-by: Joshua Wright <19779568+joshw123@users.noreply.github.com>

Author: mkilchhofer

deploy/charts/version-checker/README.md

@@ -40,6 +40,7 @@ A Helm chart for version-checker
 | livenessProbe.initialDelaySeconds | int | `3` | Number of seconds after the container has started before liveness probes are initiated. |
 | livenessProbe.periodSeconds | int | `3` | How often (in seconds) to perform the livenessProbe. |
 | nodeSelector | object | `{}` | Configure nodeSelector |
+| podSecurityContext | object | `{}` | Set pod-level security context |
 | prometheus.enabled | bool | `false` | Deploy a Prometheus-Operator Prometheus Object to collect version-checker metrics |
 | prometheus.replicas | int | `1` | Number of Prometheus replicas to create |
 | prometheus.serviceAccountName | string | `"prometheus"` | ServiceAccount for new Prometheus Object |
@@ -51,6 +52,7 @@ A Helm chart for version-checker
 | readinessProbe.periodSeconds | int | `3` | How often (in seconds) to perform the readinessProbe. |
 | replicaCount | int | `1` | Replica Count for version-checker |
 | resources | object | `{}` | Setup version-checkers resource requests/limits |
+| securityContext | object | `{}` | Set container-level security context |
 | selfhosted | []{name: "", host: "", username:"", password:"", token:""}] | `[]` | Setup a number of SelfHosted Repositories and their credentials |
 | service.annotations | object | `{}` | Additional annotations to add to the service |
 | service.labels | object | `{}` | Additional labels to add to the service |

deploy/charts/version-checker/templates/deployment.yaml

@@ -54,6 +54,10 @@ spec:
           - "--test-all-containers={{.Values.versionChecker.testAllContainers}}"
         resources:
           {{- toYaml .Values.resources | nindent 12 }}
+        {{- with .Values.securityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
         {{- if .Values.livenessProbe.enabled }}
         livenessProbe:
           {{- omit .Values.livenessProbe "enabled" | toYaml | nindent 10}}
@@ -202,7 +206,10 @@ spec:
         {{- if .Values.env }}
         {{- toYaml .Values.env | nindent 8 }}
         {{- end }}
-
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       volumes:
         {{- if $secretEnabled }}
         - name: {{ include "version-checker.name" . }}

deploy/charts/version-checker/tests/deployment_test.yaml

@@ -425,3 +425,21 @@ tests:
       - equal:
           path: spec.template.metadata.annotations["foo"]
           value: bar
+
+  - it: (Pod-)SecurityContext is reflected
+    set:
+      podSecurityContext:
+        runAsUser: 65534
+      securityContext:
+        allowPrivilegeEscalation: false
+        readOnlyRootFilesystem: true
+    asserts:
+      - equal:
+          path: spec.template.spec.securityContext
+          value:
+            runAsUser: 65534
+      - equal:
+          path: spec.template.spec.containers[0].securityContext
+          value:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true

deploy/charts/version-checker/values.yaml

@@ -118,6 +118,21 @@ resources:
   #   memory: 128Mi
   #
 
+# -- Set container-level security context
+securityContext: {}
+  # allowPrivilegeEscalation: false
+  # capabilities:
+  #   drop:
+  #     - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 65534
+  # seccompProfile:
+  #   type: RuntimeDefault
+
+# -- Set pod-level security context
+podSecurityContext: {}
+
 # Configure the readiness probe for version-checker
 readinessProbe:
   # -- Enable/Disable the setting of a readinessProbe