feat: Add custom settings for pod- and containerSecurityContext instead of global securityContext

Readme.md

@@ -162,7 +162,8 @@ Options for downloading the imgproxy image
 |**resources.deployment.replicas.stepCount**|The max number of pods to be added/dropped during autoscaling step.|`1`|
 |**resources.deployment.replicas.stepSeconds**|The period in seconds (1-1800) during which up to `stepCount` pods can be added or dropped by autoscaler.|`60`|
 |**resources.deployment.resources**|Hash of resource limits for your pods|`{}`|
-|**resources.deployment.securityContext**|Hash of security context settings for your pods|`{}`|
+|**resources.deployment.podSecurityContext**|Hash of security context settings for your pods|`{}`|
+|**resources.deployment.containerSecurityContext**|Hash of security context settings for your containers|`{}`|
 |**resources.deployment.terminationGracePeriodSeconds**|A custom amount of time to terminate the app|`30`|
 |**resources.deployment.tolerations**|Tolerations for Kubernetes taints||
 |**resources.deployment.topologySpreadConstraints**|topologySpreadConstraints for distributing pods across zones|`[]`|

imgproxy/templates/deployment.yaml

@@ -65,8 +65,8 @@ spec:
         {{- end }}
         {{- end }}
       {{- end }}
-      {{- if $.Values.resources.deployment.securityContext }}
-      securityContext: {{ $.Values.resources.deployment.securityContext | toYaml | nindent 8 }}
+      {{- if $.Values.resources.deployment.podSecurityContext }}
+      securityContext: {{ $.Values.resources.deployment.podSecurityContext | toYaml | nindent 8 }}
       {{- end }}
       {{- if $.Values.resources.serviceAccount.existingName }}
       serviceAccountName: {{ $.Values.resources.serviceAccount.existingName | quote }}
@@ -97,6 +97,9 @@ spec:
         - name: "imgproxy"
           image: "{{ .Values.image.repo }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if $.Values.resources.deployment.containerSecurityContext }}
+          securityContext: {{ $.Values.resources.deployment.containerSecurityContext | toYaml | nindent 12 }}
+          {{- end }}
           envFrom:
             - secretRef:
                 name: {{ template "imgproxy.fullname" $ }}-env-secrets

imgproxy/values.yaml

@@ -153,10 +153,21 @@ resources:
 
     # A security context defines privilege and access control settings for the deployment.
     # Check available settings in the documentation by link:
-    # https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-    securityContext: {}
-      # allowPrivilegeEscalation: false
+    # https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+    podSecurityContext: {}
+    # fsGroup: 999
+
+    # A security context defines privilege and access control settings for containers.
+    # Check available settings in the documentation by link:
+    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+    containerSecurityContext: {}
+      # runAsUser: 999
       # runAsNonRoot: true
+      # allowPrivilegeEscalation: false
+      # capabilities:
+      #   drop: ["ALL"]
+      # seccompProfile:
+      #   type: "RuntimeDefault"
 
     # A custom amount of time (in seconds) to terminate the app after pre-stop hook is called,
     # or a TERM signal is received.