Merge pull request #1525 from snyk/staging

jonnyowenpowell · web-flow · commit a81c0e061848 · 2024-10-01T11:21:38.000+01:00
RELEASE
diff --git a/.snyk b/.snyk
@@ -6,12 +6,12 @@ ignore:
     - '*':
         reason: >-
           Waiting for a patch: https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727
-        expires: 2024-07-19T12:00:00.000Z
+        expires: 2024-12-19T12:00:00.000Z
         created: 2024-05-16T12:00:00.000Z
     SNYK-JS-MICROMATCH-6838728:
     - '*':
         reason: >-
           Waiting for a patch: https://security.snyk.io/vuln/SNYK-JS-MICROMATCH-6838728
-        expires: 2024-07-19T12:00:00.000Z
+        expires: 2024-12-19T12:00:00.000Z
         created: 2024-05-16T12:00:00.000Z
 patch: {}
diff --git a/snyk-monitor/templates/deployment.yaml b/snyk-monitor/templates/deployment.yaml
@@ -33,10 +33,19 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
     spec:
-      {{- with .Values.securityContext.fsGroup }}
-      securityContext:
-        fsGroup: {{ int . }}
-      {{- end }}
+    {{- with .Values.podSecurityContext }}
+    securityContext:
+    {{- $fsGroupOverride := dict }}
+    {{- if hasKey $.Values.securityContext "fsGroup" }}
+    {{- $fsGroupOverride = dict "fsGroup" (int $.Values.securityContext.fsGroup) }}
+    {{- end }}
+    {{- merge $fsGroupOverride . | toYaml | nindent 8 }}
+    {{- else }}
+    {{- if .Values.securityContext.fsGroup }}
+    securityContext:
+      fsGroup: {{ int .Values.securityContext.fsGroup }}
+    {{- end }}
+    {{- end }}
       affinity:
         nodeAffinity:
           requiredDuringSchedulingIgnoredDuringExecution:
@@ -250,14 +259,10 @@ spec:
             exec:
               command:
               - "true"
+          {{- with .Values.snykMonitorSecurityContext }}
           securityContext:
-            privileged: false
-            runAsNonRoot: true
-            allowPrivilegeEscalation: false
-            readOnlyRootFilesystem: true
-            capabilities:
-              drop:
-                - ALL
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
       volumes:
         - name: docker-config
           secret:
diff --git a/snyk-monitor/values.yaml b/snyk-monitor/values.yaml
@@ -135,8 +135,25 @@ excludedNamespaces:
 #     spec:
 #       securityContext:
 #         fsGroup: <-- here
-securityContext:
-  fsGroup:
+#         ... <-- here
+securityContext: {}
+
+# Allow specifying the whole object in the PodSpec securityContext:
+# spec:
+#   template:
+#     spec:
+#       securityContext:
+#         ... <-- here
+podSecurityContext: {}
+
+snykMonitorSecurityContext:
+  privileged: false
+  runAsNonRoot: true
+  allowPrivilegeEscalation: false
+  readOnlyRootFilesystem: true
+  capabilities:
+    drop:
+      - ALL
 
 # Set node tolerations for snyk-monitor
 tolerations: []
