feat: add spec.template.spec.securityContext #1109
Signed-off-by: ChristianBieri1995 <122007149+ChristianBieri1995@users.noreply.github.com>
How about making this configurable in the values.yaml?
Done, see above.
Any news on that? Ready to merge?
@k8sgpt-ai/k8sgpt-maintainers
Shouldn't we have the same logic in the operator too?
Would most probably make sense ....
Thanks for your contribution, if you have time please add to the operator @ChristianBieri1995 !
* feat: add spec.template.spec.securityContext
  Signed-off-by: ChristianBieri1995 <122007149+ChristianBieri1995@users.noreply.github.com>
* make securityContext adjustable
  Signed-off-by: ChristianBieri1995 <122007149+ChristianBieri1995@users.noreply.github.com>
* adjust values.yaml accordingly to enable adjustable securityContext
  Signed-off-by: ChristianBieri1995 <122007149+ChristianBieri1995@users.noreply.github.com>
* Remove default values from securityContext
  Signed-off-by: ChristianBieri1995 <122007149+ChristianBieri1995@users.noreply.github.com>

---------

Signed-off-by: ChristianBieri1995 <122007149+ChristianBieri1995@users.noreply.github.com>
Co-authored-by: Aris Boutselis <arisboutselis08@gmail.com>
Co-authored-by: Alex Jones <alexsimonjones@gmail.com>
Signed-off-by: Alex Jones <alexsimonjones@gmail.com>
📑 Description
Adding spec.template.spec.securityContext in order to solve issues when working with Policy Management Tools such as Open Policy Agent and Gatekeeper (as in my case psp-pods-allowed-user-ranges). User and group were taken from https://github.com/k8sgpt-ai/k8sgpt/blob/main/container/Dockerfile#L37. One could also think about adding runAsNonRoot: true and fsGroup: 65532.
✅ Checks
ℹ Additional Information
Even though being more dynamic, other prominent projects such as Grafana handle the securityContext in a similar way, see https://github.com/grafana/helm-charts/blob/main/charts/grafana/values.yaml#L142-L146 & https://github.com/grafana/grafana/blob/main/Dockerfile#L106 & https://github.com/grafana/helm-charts/blob/main/charts/grafana/templates/_pod.tpl#L9-L12
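
Added illustration, not code from this pull request, the chart, or Gatekeeper: a simplified Python model of an allowed-user-ranges admission check, showing why a pod template without `securityContext` is rejected and why one with a pod-level `runAsUser` passes. The rule names, the allowed range, the image name and the UID/GID 65532 used for the samples are assumptions made for the example.

```python
"""Simplified model of an allowed-user-ranges admission check (not Gatekeeper's Rego)."""


def effective(pod_spec, container, field):
    """Resolve a securityContext field: container level overrides pod level."""
    for owner in (container, pod_spec):
        ctx = owner.get("securityContext") or {}
        if field in ctx:
            return ctx[field]
    return None


def violations(manifest, rule, ranges=()):
    """Return one message per container whose effective runAsUser breaks the rule."""
    pod_spec = manifest["spec"]["template"]["spec"]
    found = []
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        uid = effective(pod_spec, c, "runAsUser")
        if rule == "MustRunAs":
            if uid is None:
                found.append(f"{c['name']}: runAsUser is not set")
            elif not any(lo <= uid <= hi for lo, hi in ranges):
                found.append(f"{c['name']}: runAsUser {uid} outside allowed ranges")
        elif rule == "MustRunAsNonRoot":
            if uid == 0:
                found.append(f"{c['name']}: runAsUser is 0")
            elif uid is None and effective(pod_spec, c, "runAsNonRoot") is not True:
                found.append(f"{c['name']}: neither runAsUser nor runAsNonRoot is set")
    return found


def make_deployment(pod_ctx=None, container_ctx=None):
    """Build a constructed Deployment manifest (sample data, not the chart's output)."""
    container = {"name": "k8sgpt", "image": "example.invalid/k8sgpt:placeholder"}
    if container_ctx is not None:
        container["securityContext"] = container_ctx
    spec = {"containers": [container]}
    if pod_ctx is not None:
        spec["securityContext"] = pod_ctx
    return {"kind": "Deployment", "spec": {"template": {"spec": spec}}}


ALLOWED = [(1000, 65535)]  # constructed range for the example
BEFORE = make_deployment()  # no securityContext anywhere in the pod template
AFTER = make_deployment(pod_ctx={"runAsUser": 65532, "runAsGroup": 65532})  # sample IDs
OVERRIDE = make_deployment(pod_ctx={"runAsUser": 65532}, container_ctx={"runAsUser": 0})

if __name__ == "__main__":
    for name, m in (("before", BEFORE), ("after", AFTER), ("override", OVERRIDE)):
        print(name, violations(m, "MustRunAs", ALLOWED))
```

The `OVERRIDE` case shows that a pod-level setting alone is not sufficient evidence of compliance, because a container-level `securityContext` takes precedence over it.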