fix(chart): Add NET_BIND_SERVICE capability to be able to start nginx binary with cap_net_bind_service

PSanetra · PSanetra · commit c9f6ba5bb03e · 2024-08-09T13:09:17.000+02:00
diff --git a/chart/tests/__snapshot__/deployment_test.yaml.snap b/chart/tests/__snapshot__/deployment_test.yaml.snap
@@ -55,6 +55,8 @@ should mount tls secret if openshift.route.enabled and openshift.route.tls.termi
                   memory: 512Mi
               securityContext:
                 capabilities:
+                  add:
+                    - NET_BIND_SERVICE
                   drop:
                     - ALL
                 readOnlyRootFilesystem: true
@@ -150,6 +152,8 @@ should not render replicas if autoscaling is enabled:
                   memory: 512Mi
               securityContext:
                 capabilities:
+                  add:
+                    - NET_BIND_SERVICE
                   drop:
                     - ALL
                 readOnlyRootFilesystem: true
@@ -238,6 +242,8 @@ should render minimal values:
                   memory: 512Mi
               securityContext:
                 capabilities:
+                  add:
+                    - NET_BIND_SERVICE
                   drop:
                     - ALL
                 readOnlyRootFilesystem: true
@@ -335,6 +341,8 @@ should render with affinity:
                   memory: 512Mi
               securityContext:
                 capabilities:
+                  add:
+                    - NET_BIND_SERVICE
                   drop:
                     - ALL
                 readOnlyRootFilesystem: true
@@ -423,6 +431,8 @@ should render with extra volume:
                   memory: 512Mi
               securityContext:
                 capabilities:
+                  add:
+                    - NET_BIND_SERVICE
                   drop:
                     - ALL
                 readOnlyRootFilesystem: true
@@ -518,6 +528,8 @@ should render with nodeSelector:
                   memory: 512Mi
               securityContext:
                 capabilities:
+                  add:
+                    - NET_BIND_SERVICE
                   drop:
                     - ALL
                 readOnlyRootFilesystem: true
@@ -608,6 +620,8 @@ should render with pull secret:
                   memory: 512Mi
               securityContext:
                 capabilities:
+                  add:
+                    - NET_BIND_SERVICE
                   drop:
                     - ALL
                 readOnlyRootFilesystem: true
@@ -698,6 +712,8 @@ should render with tolerations:
                   memory: 512Mi
               securityContext:
                 capabilities:
+                  add:
+                    - NET_BIND_SERVICE
                   drop:
                     - ALL
                 readOnlyRootFilesystem: true
@@ -790,6 +806,8 @@ should support alternative http port:
                   memory: 512Mi
               securityContext:
                 capabilities:
+                  add:
+                    - NET_BIND_SERVICE
                   drop:
                     - ALL
                 readOnlyRootFilesystem: true
@@ -881,6 +899,8 @@ should support alternative https port:
                   memory: 512Mi
               securityContext:
                 capabilities:
+                  add:
+                    - NET_BIND_SERVICE
                   drop:
                     - ALL
                 readOnlyRootFilesystem: true
@@ -972,6 +992,8 @@ should support enabling https:
                   memory: 512Mi
               securityContext:
                 capabilities:
+                  add:
+                    - NET_BIND_SERVICE
                   drop:
                     - ALL
                 readOnlyRootFilesystem: true
diff --git a/chart/values.yaml b/chart/values.yaml
@@ -53,6 +53,8 @@ pod:
       capabilities:
         drop:
           - ALL
+        add:
+          - NET_BIND_SERVICE
       readOnlyRootFilesystem: true
       runAsNonRoot: true
     livenessProbe:
