Merge pull request #1524 from snyk/feat/helm-add-pod-security-context-value

jonnyowenpowell · web-flow · commit c1965cdaf09c · 2024-10-01T11:06:00.000+01:00
feat: helm add pod security context value
diff --git a/snyk-monitor/templates/deployment.yaml b/snyk-monitor/templates/deployment.yaml
@@ -33,10 +33,19 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
     spec:
-      {{- with .Values.securityContext.fsGroup }}
-      securityContext:
-        fsGroup: {{ int . }}
-      {{- end }}
+    {{- with .Values.podSecurityContext }}
+    securityContext:
+    {{- $fsGroupOverride := dict }}
+    {{- if hasKey $.Values.securityContext "fsGroup" }}
+    {{- $fsGroupOverride = dict "fsGroup" (int $.Values.securityContext.fsGroup) }}
+    {{- end }}
+    {{- merge $fsGroupOverride . | toYaml | nindent 8 }}
+    {{- else }}
+    {{- if .Values.securityContext.fsGroup }}
+    securityContext:
+      fsGroup: {{ int .Values.securityContext.fsGroup }}
+    {{- end }}
+    {{- end }}
       affinity:
         nodeAffinity:
           requiredDuringSchedulingIgnoredDuringExecution:
@@ -250,14 +259,10 @@ spec:
             exec:
               command:
               - "true"
+          {{- with .Values.snykMonitorSecurityContext }}
           securityContext:
-            privileged: false
-            runAsNonRoot: true
-            allowPrivilegeEscalation: false
-            readOnlyRootFilesystem: true
-            capabilities:
-              drop:
-                - ALL
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
       volumes:
         - name: docker-config
           secret:
diff --git a/snyk-monitor/values.yaml b/snyk-monitor/values.yaml
@@ -135,8 +135,25 @@ excludedNamespaces:
 #     spec:
 #       securityContext:
 #         fsGroup: <-- here
-securityContext:
-  fsGroup:
+#         ... <-- here
+securityContext: {}
+
+# Allow specifying the whole object in the PodSpec securityContext:
+# spec:
+#   template:
+#     spec:
+#       securityContext:
+#         ... <-- here
+podSecurityContext: {}
+
+snykMonitorSecurityContext:
+  privileged: false
+  runAsNonRoot: true
+  allowPrivilegeEscalation: false
+  readOnlyRootFilesystem: true
+  capabilities:
+    drop:
+      - ALL
 
 # Set node tolerations for snyk-monitor
 tolerations: []
