From cda1b0552a0d1da5371731607b11083775d404df Mon Sep 17 00:00:00 2001
From: Alexander Kaufmann
Date: Thu, 15 May 2025 14:42:40 +0200
Subject: [PATCH] feat: Add custom settings for podSecurityContext and containerSecurityContext instead of global securityContext

---
 Readme.md | 3 ++-
 imgproxy/templates/deployment.yaml | 7 +++++--
 imgproxy/values.yaml | 17 ++++++++++++++---
 3 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/Readme.md b/Readme.md
index 08ad318..b593cef 100644
--- a/Readme.md
+++ b/Readme.md
@@ -162,7 +162,8 @@ Options for downloading the imgproxy image
 |**resources.deployment.replicas.stepCount**|The max number of pods to be added/dropped during autoscaling step.|`1`|
 |**resources.deployment.replicas.stepSeconds**|The period in seconds (1-1800) during which up to `stepCount` pods can be added or dropped by autoscaler.|`60`|
 |**resources.deployment.resources**|Hash of resource limits for your pods|`{}`|
-|**resources.deployment.securityContext**|Hash of security context settings for your pods|`{}`|
+|**resources.deployment.podSecurityContext**|Hash of security context settings for your pods|`{}`|
+|**resources.deployment.containerSecurityContext**|Hash of security context settings for your containers|`{}`|
 |**resources.deployment.terminationGracePeriodSeconds**|A custom amount of time to terminate the app|`30`|
 |**resources.deployment.tolerations**|Tolerations for Kubernetes taints||
 |**resources.deployment.topologySpreadConstraints**|topologySpreadConstraints for distributing pods across zones|`[]`|
diff --git a/imgproxy/templates/deployment.yaml b/imgproxy/templates/deployment.yaml
index 8abe020..44d4bde 100644
--- a/imgproxy/templates/deployment.yaml
+++ b/imgproxy/templates/deployment.yaml
@@ -65,8 +65,8 @@ spec:
 {{- end }}
 {{- end }}
 {{- end }}
- {{- if $.Values.resources.deployment.securityContext }}
- securityContext: {{ $.Values.resources.deployment.securityContext | toYaml | nindent 8 }}
+ {{- if $.Values.resources.deployment.podSecurityContext }}
+ securityContext: {{ $.Values.resources.deployment.podSecurityContext | toYaml | nindent 8 }}
 {{- end }}
 {{- if $.Values.resources.serviceAccount.existingName }}
 serviceAccountName: {{ $.Values.resources.serviceAccount.existingName | quote }}
@@ -97,6 +97,9 @@ spec:
 - name: "imgproxy"
 image: "{{ .Values.image.repo }}:{{ .Values.image.tag }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
+ {{- if $.Values.resources.deployment.containerSecurityContext }}
+ securityContext: {{ $.Values.resources.deployment.containerSecurityContext | toYaml | nindent 12 }}
+ {{- end }}
 envFrom:
 - secretRef:
 name: {{ template "imgproxy.fullname" $ }}-env-secrets
diff --git a/imgproxy/values.yaml b/imgproxy/values.yaml
index 6d40436..f57cc3b 100644
--- a/imgproxy/values.yaml
+++ b/imgproxy/values.yaml
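Review bot: The first hunk removes the old `resources.deployment.securityContext` key with no fallback, so a release upgraded with that key still set in its values renders a pod with no securityContext at all and no error — the pod-level hardening the operator configured is silently dropped, because the new `{{- if $.Values.resources.deployment.podSecurityContext }}` guard only consults the new key. Either fall back to the old key or make the render fail while it is still set, e.g. `{{- if $.Values.resources.deployment.securityContext }}` / `{{- fail "resources.deployment.securityContext was renamed to resources.deployment.podSecurityContext" }}` / `{{- end }}` placed just before the new `if`. The second hunk adds `containerSecurityContext` with the same conditional shape, but that key has no predecessor, so only the pod-level block needs the compatibility guard. The enclosing `spec:` block starts before and ends after both hunks.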
@@ -153,10 +153,21 @@ resources:
 
 # A security context defines privilege and access control settings for the deployment.
 # Check available settings in the documentation by link:
- # https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
- securityContext: {}
- # allowPrivilegeEscalation: false
+ # https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+ podSecurityContext: {}
+ # fsGroup: 999
+
+ # A security context defines privilege and access control settings for containers.
+ # Check available settings in the documentation by link:
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+ containerSecurityContext: {}
+ # runAsUser: 999
 # runAsNonRoot: true
+ # allowPrivilegeEscalation: false
+ # capabilities:
+ # drop: ["ALL"]
+ # seccompProfile:
+ # type: "RuntimeDefault"
 
 # A custom amount of time (in seconds) to terminate the app after pre-stop hook is called,
 # or a TERM signal is received.
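Review bot: Both new keys default to `{}`, and the deployment template only emits a `securityContext` when the value is non-empty, so a default install still runs with no pod- or container-level security context; the hardened settings this hunk lists (`runAsNonRoot`, `allowPrivilegeEscalation: false`, `capabilities.drop: ["ALL"]`, `seccompProfile.type: "RuntimeDefault"`) exist only as commented examples. Consider shipping `containerSecurityContext` with those values as the real default and leaving the commented block for the optional `runAsUser` only. The new comment `## ref: https://...` uses a double `#` and a `ref:` prefix while the pod block directly above it uses `# https://...`; the two blocks should use the same form. The first comment still reads "settings for the deployment" although the key is now pod-scoped; `# A security context defines privilege and access control settings for the pod.` describes it accurately.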