Add container securityContext (#1252)

tuteng · web-flow · commit b3fca9cb12d8 · 2025-10-31T12:29:49.000+08:00
diff --git a/charts/sn-platform-slim/templates/toolset/jwt-secret-init-job.yaml b/charts/sn-platform-slim/templates/toolset/jwt-secret-init-job.yaml
@@ -60,8 +60,8 @@ spec:
       - name: "{{ template "pulsar.fullname" . }}-jwt-secret-init"
         image: "{{ .Values.images.toolset.repository }}:{{ .Values.images.toolset.tag }}"
         imagePullPolicy: {{ .Values.images.toolset.pullPolicy }}
-        {{- if .Values.toolset.securityContext }}
-        securityContext: {{- toYaml .Values.toolset.securityContext | nindent 10 }}
+        {{- if .Values.toolset.containerSecurityContext }}
+        securityContext: {{- toYaml .Values.toolset.containerSecurityContext | nindent 10 }}
         {{- end }}
         command: ["bash", "-c"]
         args:
diff --git a/charts/sn-platform-slim/templates/toolset/toolset-statefulset.yaml b/charts/sn-platform-slim/templates/toolset/toolset-statefulset.yaml
@@ -110,6 +110,9 @@ spec:
         resources:
 {{ toYaml .Values.toolset.resources | indent 10 }}
       {{- end }}
+        {{- if .Values.toolset.containerSecurityContext }}
+        securityContext: {{- toYaml .Values.toolset.containerSecurityContext | nindent 10 }}
+        {{- end }}
         command: ["sh", "-c"]
         args:
         - >
diff --git a/charts/sn-platform-slim/values.yaml b/charts/sn-platform-slim/values.yaml
@@ -1819,6 +1819,10 @@ toolset:
     runAsUser: 10000
     runAsGroup: 10000
     fsGroup: 10000
+  containerSecurityContext:
+    runAsNonRoot: true
+    runAsUser: 10000
+    runAsGroup: 10000
   serviceAccount:
     # Specifies whether to use a service account to run this component
     use: true
diff --git a/charts/sn-platform/templates/toolset/jwt-secret-init-job.yaml b/charts/sn-platform/templates/toolset/jwt-secret-init-job.yaml
@@ -60,8 +60,8 @@ spec:
       - name: "{{ template "pulsar.fullname" . }}-jwt-secret-init"
         image: "{{ .Values.images.toolset.repository }}:{{ .Values.images.toolset.tag }}"
         imagePullPolicy: {{ .Values.images.toolset.pullPolicy }}
-        {{- if .Values.toolset.securityContext }}
-        securityContext: {{- toYaml .Values.toolset.securityContext | nindent 10 }}
+        {{- if .Values.toolset.containerSecurityContext }}
+        securityContext: {{- toYaml .Values.toolset.containerSecurityContext | nindent 10 }}
         {{- end }}
         command: ["bash", "-c"]
         args:
diff --git a/charts/sn-platform/templates/toolset/toolset-statefulset.yaml b/charts/sn-platform/templates/toolset/toolset-statefulset.yaml
@@ -110,6 +110,9 @@ spec:
         resources:
 {{ toYaml .Values.toolset.resources | indent 10 }}
       {{- end }}
+        {{- if .Values.toolset.containerSecurityContext }}
+        securityContext: {{- toYaml .Values.toolset.containerSecurityContext | nindent 10 }}
+        {{- end }}
         command: ["sh", "-c"]
         args:
         - >
diff --git a/charts/sn-platform/values.yaml b/charts/sn-platform/values.yaml
@@ -1899,6 +1899,10 @@ toolset:
     runAsUser: 10000
     runAsGroup: 10000
     fsGroup: 10000
+  containerSecurityContext:
+    runAsNonRoot: true
+    runAsUser: 10000
+    runAsGroup: 10000
   serviceAccount:
     # Specifies whether to use a service account to run this component
     use: true
