Add configuration for security contexts

mikeshootzz · mikeshootzz · commit 51b27d911c0d · 2026-02-02T13:45:23.000+01:00
diff --git a/charts/rcloneproxy/README.md b/charts/rcloneproxy/README.md
@@ -41,11 +41,23 @@ A Helm chart for deploying rclone as an intermediate s3 proxy
 | backend.secretRef.keys.endpoint | string | `"endpoint"` | Key for S3 endpoint URL |
 | backend.secretRef.keys.region | string | `"region"` | Key for S3 region |
 | backend.secretRef.name | string | `""` | Name of the secret containing backend credentials |
+| containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"enabled":true,"readOnlyRootFilesystem":false,"runAsNonRoot":true,"runAsUser":65532}` | Container security context configuration |
+| containerSecurityContext.allowPrivilegeEscalation | bool | `false` | Disallow privilege escalation |
+| containerSecurityContext.capabilities | object | `{"drop":["ALL"]}` | Linux capabilities to drop |
+| containerSecurityContext.enabled | bool | `true` | Enable container security context |
+| containerSecurityContext.readOnlyRootFilesystem | bool | `false` | Read-only root filesystem |
+| containerSecurityContext.runAsNonRoot | bool | `true` | Run as non-root user |
+| containerSecurityContext.runAsUser | int | `65532` | User ID to run the container |
 | image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
 | image.repository | string | `"rclone/rclone"` | Image repository for rclone |
 | image.tag | string | `"sha-73bcae2"` | Configure the image tag. To update to a newer version, use the commit sha from the tagged release |
+| podSecurityContext | object | `{"enabled":true,"fsGroup":65532,"fsGroupChangePolicy":"OnRootMismatch","seLinuxOptions":{}}` | Pod security context configuration |
+| podSecurityContext.enabled | bool | `true` | Enable pod security context |
+| podSecurityContext.fsGroup | int | `65532` | FSGroup for volume ownership |
+| podSecurityContext.fsGroupChangePolicy | string | `"OnRootMismatch"` | FSGroupChangePolicy for volume ownership changes |
+| podSecurityContext.seLinuxOptions | object | `{}` | SELinux options for OpenShift compatibility |
 | replicaCount | int | `1` | Number of replicas |
-| resources | object | `{"limits":{"cpu":"25m","memory":"128Mi"},"requests":{"cpu":"10m","memory":"96Mi"}}` | Resource requests and limits |
+| resources | object | `{"limits":{"cpu":"25m","memory":"512Mi"},"requests":{"cpu":"10m","memory":"256Mi"}}` | Resource requests and limits |
 | service | object | `{"port":9095,"type":"ClusterIP"}` | Service configuration |
 | service.port | int | `9095` | Service port (rclone S3 server port) |
 | service.type | string | `"ClusterIP"` | Service type |
diff --git a/charts/rcloneproxy/templates/deployment.yaml b/charts/rcloneproxy/templates/deployment.yaml
@@ -14,10 +14,42 @@ spec:
       labels:
         app: rcloneproxy
     spec:
+      {{- if .Values.podSecurityContext.enabled }}
+      securityContext:
+        {{- if .Values.podSecurityContext.fsGroup }}
+        fsGroup: {{ .Values.podSecurityContext.fsGroup }}
+        {{- end }}
+        {{- if .Values.podSecurityContext.fsGroupChangePolicy }}
+        fsGroupChangePolicy: {{ .Values.podSecurityContext.fsGroupChangePolicy }}
+        {{- end }}
+        {{- if .Values.podSecurityContext.seLinuxOptions }}
+        seLinuxOptions:
+          {{- toYaml .Values.podSecurityContext.seLinuxOptions | nindent 10 }}
+        {{- end }}
+      {{- end }}
       initContainers:
         - name: generate-config
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if .Values.containerSecurityContext.enabled }}
+          securityContext:
+            {{- if .Values.containerSecurityContext.runAsUser }}
+            runAsUser: {{ .Values.containerSecurityContext.runAsUser }}
+            {{- end }}
+            {{- if .Values.containerSecurityContext.runAsNonRoot }}
+            runAsNonRoot: {{ .Values.containerSecurityContext.runAsNonRoot }}
+            {{- end }}
+            {{- if ne .Values.containerSecurityContext.allowPrivilegeEscalation nil }}
+            allowPrivilegeEscalation: {{ .Values.containerSecurityContext.allowPrivilegeEscalation }}
+            {{- end }}
+            {{- if ne .Values.containerSecurityContext.readOnlyRootFilesystem nil }}
+            readOnlyRootFilesystem: {{ .Values.containerSecurityContext.readOnlyRootFilesystem }}
+            {{- end }}
+            {{- if .Values.containerSecurityContext.capabilities }}
+            capabilities:
+              {{- toYaml .Values.containerSecurityContext.capabilities | nindent 14 }}
+            {{- end }}
+          {{- end }}
           command:
             - /bin/sh
             - -c
@@ -94,6 +126,25 @@ spec:
         - name: rcloneproxy
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if .Values.containerSecurityContext.enabled }}
+          securityContext:
+            {{- if .Values.containerSecurityContext.runAsUser }}
+            runAsUser: {{ .Values.containerSecurityContext.runAsUser }}
+            {{- end }}
+            {{- if .Values.containerSecurityContext.runAsNonRoot }}
+            runAsNonRoot: {{ .Values.containerSecurityContext.runAsNonRoot }}
+            {{- end }}
+            {{- if ne .Values.containerSecurityContext.allowPrivilegeEscalation nil }}
+            allowPrivilegeEscalation: {{ .Values.containerSecurityContext.allowPrivilegeEscalation }}
+            {{- end }}
+            {{- if ne .Values.containerSecurityContext.readOnlyRootFilesystem nil }}
+            readOnlyRootFilesystem: {{ .Values.containerSecurityContext.readOnlyRootFilesystem }}
+            {{- end }}
+            {{- if .Values.containerSecurityContext.capabilities }}
+            capabilities:
+              {{- toYaml .Values.containerSecurityContext.capabilities | nindent 14 }}
+            {{- end }}
+          {{- end }}
           command:
             - /bin/sh
             - -c
diff --git a/charts/rcloneproxy/values.yaml b/charts/rcloneproxy/values.yaml
@@ -43,3 +43,32 @@ resources:
   limits:
     memory: "512Mi"
     cpu: "25m"
+
+# -- Pod security context configuration
+podSecurityContext:
+  # -- Enable pod security context
+  enabled: true
+  # -- FSGroup for volume ownership
+  fsGroup: 65532
+  # -- FSGroupChangePolicy for volume ownership changes
+  fsGroupChangePolicy: "OnRootMismatch"
+  # -- SELinux options for OpenShift compatibility
+  seLinuxOptions: {}
+    # type: "spc_t"
+
+# -- Container security context configuration
+containerSecurityContext:
+  # -- Enable container security context
+  enabled: true
+  # -- Run as non-root user
+  runAsNonRoot: true
+  # -- User ID to run the container
+  runAsUser: 65532
+  # -- Disallow privilege escalation
+  allowPrivilegeEscalation: false
+  # -- Read-only root filesystem
+  readOnlyRootFilesystem: false
+  # -- Linux capabilities to drop
+  capabilities:
+    drop:
+      - ALL
