Merge pull request #369 from wtzhang23/add-security-context

Add security context to istio-csr deployment
cert-manager · Aug 2, 2024 · c9b43fa · c9b43fa
2 parents 55d468c + 266af59
commit c9b43fa
Show file tree

Hide file tree

Showing 4 changed files with 87 additions and 0 deletions.
diff --git a/deploy/charts/istio-csr/README.md b/deploy/charts/istio-csr/README.md
@@ -428,6 +428,26 @@ resources:
     cpu: 100m
     memory: 128Mi
 ```
+#### **securityContext.allowPrivilegeEscalation** ~ `bool`
+> Default value:
+> ```yaml
+> false
+> ```
+#### **securityContext.readOnlyRootFilesystem** ~ `bool`
+> Default value:
+> ```yaml
+> true
+> ```
+#### **securityContext.runAsNonRoot** ~ `bool`
+> Default value:
+> ```yaml
+> true
+> ```
+#### **securityContext.capabilities.drop[0]** ~ `string`
+> Default value:
+> ```yaml
+> ALL
+> ```
 #### **affinity** ~ `object`
 > Default value:
 > ```yaml

diff --git a/deploy/charts/istio-csr/templates/deployment.yaml b/deploy/charts/istio-csr/templates/deployment.yaml
@@ -120,6 +120,9 @@ spec:
         resources:
           {{- toYaml .Values.resources | nindent 12 }}
 
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 12 }}
+
       {{- if .Values.volumes }}
       volumes:
 {{ toYaml .Values.volumes | indent 6 }}

diff --git a/deploy/charts/istio-csr/values.schema.json b/deploy/charts/istio-csr/values.schema.json
@@ -33,6 +33,9 @@
         "resources": {
           "$ref": "#/$defs/helm-values.resources"
         },
+        "securityContext": {
+          "$ref": "#/$defs/helm-values.securityContext"
+        },
         "service": {
           "$ref": "#/$defs/helm-values.service"
         },
@@ -583,6 +586,55 @@
       "description": "Kubernetes pod resources\nref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/\n\nFor example:\nresources:\n  limits:\n    cpu: 100m\n    memory: 128Mi\n  requests:\n    cpu: 100m\n    memory: 128Mi",
       "type": "object"
     },
+    "helm-values.securityContext": {
+      "additionalProperties": false,
+      "properties": {
+        "allowPrivilegeEscalation": {
+          "$ref": "#/$defs/helm-values.securityContext.allowPrivilegeEscalation"
+        },
+        "capabilities": {
+          "$ref": "#/$defs/helm-values.securityContext.capabilities"
+        },
+        "readOnlyRootFilesystem": {
+          "$ref": "#/$defs/helm-values.securityContext.readOnlyRootFilesystem"
+        },
+        "runAsNonRoot": {
+          "$ref": "#/$defs/helm-values.securityContext.runAsNonRoot"
+        }
+      },
+      "type": "object"
+    },
+    "helm-values.securityContext.allowPrivilegeEscalation": {
+      "default": false,
+      "type": "boolean"
+    },
+    "helm-values.securityContext.capabilities": {
+      "additionalProperties": false,
+      "properties": {
+        "drop": {
+          "$ref": "#/$defs/helm-values.securityContext.capabilities.drop"
+        }
+      },
+      "type": "object"
+    },
+    "helm-values.securityContext.capabilities.drop": {
+      "items": {
+        "$ref": "#/$defs/helm-values.securityContext.capabilities.drop[0]"
+      },
+      "type": "array"
+    },
+    "helm-values.securityContext.capabilities.drop[0]": {
+      "default": "ALL",
+      "type": "string"
+    },
+    "helm-values.securityContext.readOnlyRootFilesystem": {
+      "default": true,
+      "type": "boolean"
+    },
+    "helm-values.securityContext.runAsNonRoot": {
+      "default": true,
+      "type": "boolean"
+    },
     "helm-values.service": {
       "additionalProperties": false,
       "properties": {

diff --git a/deploy/charts/istio-csr/values.yaml b/deploy/charts/istio-csr/values.yaml
@@ -243,6 +243,18 @@ volumeMounts: []
 #      memory: 128Mi
 resources: {}
 
+# Kubernetes security context
+# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+#
+# See the default values for an example.
+securityContext:
+  allowPrivilegeEscalation: false
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  capabilities:
+    drop:
+    - ALL
+
 # Expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#affinity-v1-core
 #
 # For example: