Add configuration for security contexts

mikeshootzz · mikeshootzz · commit df0fe74e7b31 · 2026-02-02T13:45:05.000+01:00
diff --git a/charts/rcloneproxy/templates/deployment.yaml b/charts/rcloneproxy/templates/deployment.yaml
@@ -14,10 +14,42 @@ spec:
       labels:
         app: rcloneproxy
     spec:
+      {{- if .Values.podSecurityContext.enabled }}
+      securityContext:
+        {{- if .Values.podSecurityContext.fsGroup }}
+        fsGroup: {{ .Values.podSecurityContext.fsGroup }}
+        {{- end }}
+        {{- if .Values.podSecurityContext.fsGroupChangePolicy }}
+        fsGroupChangePolicy: {{ .Values.podSecurityContext.fsGroupChangePolicy }}
+        {{- end }}
+        {{- if .Values.podSecurityContext.seLinuxOptions }}
+        seLinuxOptions:
+          {{- toYaml .Values.podSecurityContext.seLinuxOptions | nindent 10 }}
+        {{- end }}
+      {{- end }}
       initContainers:
         - name: generate-config
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if .Values.containerSecurityContext.enabled }}
+          securityContext:
+            {{- if .Values.containerSecurityContext.runAsUser }}
+            runAsUser: {{ .Values.containerSecurityContext.runAsUser }}
+            {{- end }}
+            {{- if .Values.containerSecurityContext.runAsNonRoot }}
+            runAsNonRoot: {{ .Values.containerSecurityContext.runAsNonRoot }}
+            {{- end }}
+            {{- if ne .Values.containerSecurityContext.allowPrivilegeEscalation nil }}
+            allowPrivilegeEscalation: {{ .Values.containerSecurityContext.allowPrivilegeEscalation }}
+            {{- end }}
+            {{- if ne .Values.containerSecurityContext.readOnlyRootFilesystem nil }}
+            readOnlyRootFilesystem: {{ .Values.containerSecurityContext.readOnlyRootFilesystem }}
+            {{- end }}
+            {{- if .Values.containerSecurityContext.capabilities }}
+            capabilities:
+              {{- toYaml .Values.containerSecurityContext.capabilities | nindent 14 }}
+            {{- end }}
+          {{- end }}
           command:
             - /bin/sh
             - -c
@@ -94,6 +126,25 @@ spec:
         - name: rcloneproxy
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if .Values.containerSecurityContext.enabled }}
+          securityContext:
+            {{- if .Values.containerSecurityContext.runAsUser }}
+            runAsUser: {{ .Values.containerSecurityContext.runAsUser }}
+            {{- end }}
+            {{- if .Values.containerSecurityContext.runAsNonRoot }}
+            runAsNonRoot: {{ .Values.containerSecurityContext.runAsNonRoot }}
+            {{- end }}
+            {{- if ne .Values.containerSecurityContext.allowPrivilegeEscalation nil }}
+            allowPrivilegeEscalation: {{ .Values.containerSecurityContext.allowPrivilegeEscalation }}
+            {{- end }}
+            {{- if ne .Values.containerSecurityContext.readOnlyRootFilesystem nil }}
+            readOnlyRootFilesystem: {{ .Values.containerSecurityContext.readOnlyRootFilesystem }}
+            {{- end }}
+            {{- if .Values.containerSecurityContext.capabilities }}
+            capabilities:
+              {{- toYaml .Values.containerSecurityContext.capabilities | nindent 14 }}
+            {{- end }}
+          {{- end }}
           command:
             - /bin/sh
             - -c
diff --git a/charts/rcloneproxy/values.yaml b/charts/rcloneproxy/values.yaml
@@ -43,3 +43,32 @@ resources:
   limits:
     memory: "512Mi"
     cpu: "25m"
+
+# -- Pod security context configuration
+podSecurityContext:
+  # -- Enable pod security context
+  enabled: true
+  # -- FSGroup for volume ownership
+  fsGroup: 65532
+  # -- FSGroupChangePolicy for volume ownership changes
+  fsGroupChangePolicy: "OnRootMismatch"
+  # -- SELinux options for OpenShift compatibility
+  seLinuxOptions: {}
+    # type: "spc_t"
+
+# -- Container security context configuration
+containerSecurityContext:
+  # -- Enable container security context
+  enabled: true
+  # -- Run as non-root user
+  runAsNonRoot: true
+  # -- User ID to run the container
+  runAsUser: 65532
+  # -- Disallow privilege escalation
+  allowPrivilegeEscalation: false
+  # -- Read-only root filesystem
+  readOnlyRootFilesystem: false
+  # -- Linux capabilities to drop
+  capabilities:
+    drop:
+      - ALL
