
Commit c1965cd

Merge pull request #1524 from snyk/feat/helm-add-pod-security-context-value
feat: helm add pod security context value
2 parents 5191b13 + 8dd5d6f commit c1965cd

2 files changed

+35
-13
lines changed


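--- a/snyk-monitor/templates/deployment.yaml
+++ b/snyk-monitor/templates/deployment.yaml
@@ -33,10 +33,19 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 spec:
-{{- with .Values.securityContext.fsGroup }}
-securityContext:
-fsGroup: {{ int . }}
-{{- end }}
+{{- with .Values.podSecurityContext }}
+securityContext:
+{{- $fsGroupOverride := dict }}
+{{- if hasKey $.Values.securityContext "fsGroup" }}
+{{- $fsGroupOverride = dict "fsGroup" (int $.Values.securityContext.fsGroup) }}
+{{- end }}
+{{- merge $fsGroupOverride . | toYaml | nindent 8 }}
+{{- else }}
+{{- if .Values.securityContext.fsGroup }}
+securityContext:
+fsGroup: {{ int .Values.securityContext.fsGroup }}
+{{- end }}
+{{- end }}
 affinity:
 nodeAffinity:
 requiredDuringSchedulingIgnoredDuringExecution:
@@ -250,14 +259,10 @@ spec:
 exec:
 command:
 - "true"
+{{- with .Values.snykMonitorSecurityContext }}
 securityContext:
-privileged: false
-runAsNonRoot: true
-allowPrivilegeEscalation: false
-readOnlyRootFilesystem: true
-capabilities:
-drop:
-- ALL
+{{- toYaml . | nindent 12 }}
+{{- end }}
 volumes:
 - name: docker-config
 secret: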
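Review bot: In the second hunk the container `securityContext` is now rendered only inside `{{- with .Values.snykMonitorSecurityContext }}`, so an override that sets that value to `{}` or `null` yields a container with no securityContext at all. The settings that used to be hard-coded (`privileged: false`, `runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`, `capabilities.drop: [ALL]`) then disappear without any render-time signal. If omitting the block is intended for some platforms, state it in a template comment above the `with`, e.g. `{{- /* hardened defaults come from values.yaml; an empty snykMonitorSecurityContext omits the container securityContext */ -}}`; otherwise add an `{{- else }}` branch that restores the previous literal block. In the first hunk, `merge $fsGroupOverride .` lets `securityContext.fsGroup` take precedence over `podSecurityContext.fsGroup` when both are set, and that precedence deserves a one-line comment as well. Both hunks sit inside specs that start and end outside the visible lines.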

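--- a/snyk-monitor/values.yaml
+++ b/snyk-monitor/values.yaml
@@ -135,8 +135,25 @@ excludedNamespaces:
 # spec:
 # securityContext:
 # fsGroup: <-- here
-securityContext:
-fsGroup:
+# ... <-- here
+securityContext: {}
+
+# Allow specifying the whole object in the PodSpec securityContext:
+# spec:
+# template:
+# spec:
+# securityContext:
+# ... <-- here
+podSecurityContext: {}
+
+snykMonitorSecurityContext:
+privileged: false
+runAsNonRoot: true
+allowPrivilegeEscalation: false
+readOnlyRootFilesystem: true
+capabilities:
+drop:
+- ALL
 
 # Set node tolerations for snyk-monitor
 tolerations: []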
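Review bot: `snykMonitorSecurityContext` is added with no comment, unlike `securityContext` and `podSecurityContext` above it, although it now carries the container's hardening defaults. A header such as `# securityContext of the snyk-monitor container; these defaults drop all capabilities and forbid privilege escalation, relax them only where the platform requires it` would make clear what an override changes. The new `# ... <-- here` line under `securityContext` also suggests that arbitrary fields are accepted there, while the deployment.yaml hunks shown in this commit read only `.Values.securityContext.fsGroup`; pointing readers to `podSecurityContext` for any other field would avoid settings that are silently ignored.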
