Merge pull request #8798 from mwiede/feature/securitycontext

feat(vpa-chart): add pod-level and container-level securitycontext

Author: k8s-ci-robot

vertical-pod-autoscaler/charts/vertical-pod-autoscaler/README.md

@@ -61,9 +61,12 @@ The Vertical Pod Autoscaler (VPA) automatically adjusts the CPU and memory resou
 | admissionController.volumes[0].secret.defaultMode | int | `420` |  |
 | admissionController.volumes[0].secret.secretName | string | `"vpa-tls-certs"` |  |
 | commonLabels | object | `{}` |  |
+| containerSecurityContext | object | `{}` |  |
 | fullnameOverride | string | `nil` |  |
 | imagePullSecrets | list | `[]` |  |
 | nameOverride | string | `nil` |  |
+| podSecurityContext.runAsNonRoot | bool | `true` |  |
+| podSecurityContext.runAsUser | int | `65534` |  |
 | rbac.create | bool | `true` |  |
 | recommender.affinity | object | `{}` |  |
 | recommender.enabled | bool | `true` |  |

vertical-pod-autoscaler/charts/vertical-pod-autoscaler/templates/admission-controller-deployment.yaml

@@ -32,9 +32,10 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       serviceAccountName:  {{ include "vertical-pod-autoscaler.admissionController.fullname" . }}
+      {{- with .Values.podSecurityContext }}
       securityContext:
-        runAsNonRoot: true
-        runAsUser: 65534
+        {{ toYaml . | nindent 8 | trim }}
+      {{- end }}
       {{- with .Values.admissionController.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -92,6 +93,10 @@ spec:
           resources:
             {{- toYaml . | nindent 12 }}
           {{- end }}
+          {{- with .Values.containerSecurityContext }}
+          securityContext:
+            {{ toYaml . | nindent 12 | trim }}
+          {{- end }}
       volumes:
         {{- toYaml .Values.admissionController.volumes | nindent 12 }}
 {{- end -}}

vertical-pod-autoscaler/charts/vertical-pod-autoscaler/templates/recommender-deployment.yaml

@@ -32,9 +32,10 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       serviceAccountName: {{ include "vertical-pod-autoscaler.recommender.fullname" . }}
+      {{- with .Values.podSecurityContext }}
       securityContext:
-        runAsNonRoot: true
-        runAsUser: 65534
+        {{ toYaml . | nindent 8 | trim }}
+      {{- end }}
       containers:
       - name: recommender
         image: {{ include "vertical-pod-autoscaler.recommender.image" . }}
@@ -89,6 +90,10 @@ spec:
         resources:
           {{- toYaml . | nindent 10 }}
         {{- end }}
+        {{- with .Values.containerSecurityContext }}
+        securityContext:
+          {{ toYaml . | nindent 10 | trim }}
+        {{- end }}
       {{- with .Values.recommender.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

vertical-pod-autoscaler/charts/vertical-pod-autoscaler/templates/updater-deployment.yaml

@@ -28,9 +28,10 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       serviceAccountName: {{ include "vertical-pod-autoscaler.updater.fullname" . }}
+      {{- with .Values.podSecurityContext }}
       securityContext:
-        runAsNonRoot: true
-        runAsUser: 65534
+        {{ toYaml . | nindent 8 | trim }}
+      {{- end }}
       containers:
         - name: updater
           image: {{ include "vertical-pod-autoscaler.updater.image" . }}
@@ -58,4 +59,8 @@ spec:
               scheme: HTTP
             periodSeconds: 10
             failureThreshold: 3
+          {{- with .Values.containerSecurityContext }}
+          securityContext:
+            {{ toYaml . | nindent 12 | trim }}
+          {{- end }}
 {{- end -}}

vertical-pod-autoscaler/charts/vertical-pod-autoscaler/values.yaml

@@ -14,6 +14,12 @@ rbac:
   # If `true`, create `ClusterRole` & `ClusterRoleBinding` resources to enable access to the Kubernetes API.
   create: true
 
+podSecurityContext:
+  runAsNonRoot: true
+  runAsUser: 65534
+
+containerSecurityContext: {}
+
 admissionController:
   enabled: true
   image: