Merge pull request #3 from iits-consulting/security-context

canaykin · web-flow · commit df3bc431d98f · 2025-09-15T15:51:13.000+02:00
- add securityContext (pod and container) settings for deployment
- fix docker image repo address
diff --git a/Makefile b/Makefile
@@ -2,7 +2,7 @@ GO ?= $(shell which go)
 OS ?= $(shell $(GO) env GOOS)
 ARCH ?= $(shell $(GO) env GOARCH)
 
-IMAGE_NAME := "iits-consulting/cert-manager-webhook-opentelekomcloud"
+IMAGE_NAME := "ghcr.io/iits-consulting/cert-manager-webhook-opentelekomcloud"
 IMAGE_TAG  ?= "v0.1.5"
 
 OUT := $(shell pwd)/_out
diff --git a/charts/cert-manager-webhook-opentelekomcloud/Chart.yaml b/charts/cert-manager-webhook-opentelekomcloud/Chart.yaml
@@ -2,4 +2,4 @@ apiVersion: v1
 appVersion: "v0.1.5"
 description: ACME DNS01 solver webhook for Open Telekom Cloud DNS
 name: cert-manager-webhook-opentelekomcloud
-version: 0.1.5
+version: 0.1.5-security-context
diff --git a/charts/cert-manager-webhook-opentelekomcloud/templates/deployment.yaml b/charts/cert-manager-webhook-opentelekomcloud/templates/deployment.yaml
@@ -21,6 +21,10 @@ spec:
         release: {{ .Release.Name }}
     spec:
       serviceAccountName: {{ include "cert-manager-webhook-opentelekomcloud.fullname" . }}
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+{{ toYaml . | indent 8 }}
+      {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
@@ -54,6 +58,10 @@ spec:
             - name: certs
               mountPath: /tls
               readOnly: true
+          {{- with .Values.containerSecurityContext }}
+          securityContext:
+{{ toYaml . | indent 12 }}
+          {{- end }}
           resources:
 {{ toYaml .Values.resources | indent 12 }}
       volumes:
diff --git a/charts/cert-manager-webhook-opentelekomcloud/values.yaml b/charts/cert-manager-webhook-opentelekomcloud/values.yaml
@@ -15,7 +15,7 @@ certManager:
   serviceAccountName: cert-manager
 
 image:
-  repository: iits-consulting/cert-manager-webhook-opentelekomcloud
+  repository: ghcr.io/iits-consulting/cert-manager-webhook-opentelekomcloud
   tag: v0.1.5
   pullPolicy: IfNotPresent
 
@@ -24,6 +24,24 @@ replicaCount: 1
 nameOverride: ""
 fullnameOverride: ""
 
+podSecurityContext:
+  runAsNonRoot: false
+  seccompProfile:
+    type: RuntimeDefault
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    add:
+      - NET_BIND_SERVICE
+    drop:
+      - ALL
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsNonRoot: false
+  seccompProfile:
+    type: RuntimeDefault
+
 service:
   type: ClusterIP
   port: 443
