Merge pull request #499 from kosli-dev/update-helm-chart-for-more-security-context-control

AlexKantor87 · web-flow · commit 2805f3cf637f · 2025-06-04T17:19:22.000+01:00
Allow more control over security context
diff --git a/charts/k8s-reporter/templates/cronjob.yaml b/charts/k8s-reporter/templates/cronjob.yaml
@@ -20,10 +20,24 @@ spec:
           - name: reporter
             image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
             imagePullPolicy: {{ .Values.image.pullPolicy }}
+            {{- if .Values.reporterConfig.securityContext }}
             securityContext:
+              {{- if hasKey .Values.reporterConfig.securityContext "allowPrivilegeEscalation" }}
               allowPrivilegeEscalation: {{ .Values.reporterConfig.securityContext.allowPrivilegeEscalation }}
+              {{- end }}
+              {{- if hasKey .Values.reporterConfig.securityContext "runAsNonRoot" }}
               runAsNonRoot: {{ .Values.reporterConfig.securityContext.runAsNonRoot }}
+              {{- end }}
+              {{- if hasKey .Values.reporterConfig.securityContext "runAsUser" }}
               runAsUser: {{ .Values.reporterConfig.securityContext.runAsUser }}
+              {{- end }}
+              {{- if hasKey .Values.reporterConfig.securityContext "runAsGroup" }}
+              runAsGroup: {{ .Values.reporterConfig.securityContext.runAsGroup }}
+              {{- end }}
+              {{- if hasKey .Values.reporterConfig.securityContext "fsGroup" }}
+              fsGroup: {{ .Values.reporterConfig.securityContext.fsGroup }}
+              {{- end }}
+            {{- end }}
             env:
               - name: KOSLI_ORG
                 value: {{ required ".Values.reporterConfig.kosliOrg is required" .Values.reporterConfig.kosliOrg }}
@@ -59,3 +73,4 @@ spec:
             resources:
 {{ toYaml .Values.resources | indent 14 }}
           restartPolicy: Never
+
diff --git a/charts/k8s-reporter/values.yaml b/charts/k8s-reporter/values.yaml
@@ -56,12 +56,15 @@ reporterConfig:
   httpProxy: ""
 
   # -- the security context for the reporter cronjob
+  # Set to null or {} to disable security context entirely (not recommended)
+  # For OpenShift, you can omit runAsUser to let OpenShift assign the UID
   securityContext:
     # -- whether to allow privilege escalation
     allowPrivilegeEscalation: false
     # -- whether to run as non root
     runAsNonRoot: true
     # -- the user id to run as
+    # Omit this field for OpenShift environments to allow automatic UID assignment
     runAsUser: 1000
 
 # Uncomment the env variable below and replace <instance_name>, if you are on a single tenant Kosli instance
