From 772bbc95ccb988030e6a5bf5484775daafe26c84 Mon Sep 17 00:00:00 2001 From: William Date: Thu, 1 Aug 2024 19:19:18 -0700 Subject: [PATCH 1/2] add security context Signed-off-by: William --- deploy/charts/istio-csr/README.md | 15 +++++++++++++++ deploy/charts/istio-csr/templates/deployment.yaml | 12 ++++++++++++ deploy/charts/istio-csr/values.schema.json | 8 ++++++++ deploy/charts/istio-csr/values.yaml | 8 ++++++++ 4 files changed, 43 insertions(+) diff --git a/deploy/charts/istio-csr/README.md b/deploy/charts/istio-csr/README.md index 7c7540d3..2a3ec32b 100644 --- a/deploy/charts/istio-csr/README.md +++ b/deploy/charts/istio-csr/README.md @@ -428,6 +428,21 @@ resources: cpu: 100m memory: 128Mi ``` +#### **seccompProfile** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Kubernetes security context seccomp profile +ref: https://kubernetes.io/docs/tutorials/security/seccomp/ + +For example: + +```yaml +seccompProfile: + type: RuntimeDefault +``` #### **affinity** ~ `object` > Default value: > ```yaml diff --git a/deploy/charts/istio-csr/templates/deployment.yaml b/deploy/charts/istio-csr/templates/deployment.yaml index e40d5261..9011b6af 100644 --- a/deploy/charts/istio-csr/templates/deployment.yaml +++ b/deploy/charts/istio-csr/templates/deployment.yaml @@ -120,6 +120,18 @@ spec: resources: {{- toYaml .Values.resources | nindent 12 }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + {{- if .Values.seccompProfile }} + seccompProfile: + {{ toYaml .Values.seccompProfile | indent 14 }} + {{- end }} + {{- if .Values.volumes }} volumes: {{ toYaml .Values.volumes | indent 6 }} diff --git a/deploy/charts/istio-csr/values.schema.json b/deploy/charts/istio-csr/values.schema.json index 2739f866..af0f1ce5 100644 --- a/deploy/charts/istio-csr/values.schema.json +++ b/deploy/charts/istio-csr/values.schema.json 
@@ -33,6 +33,9 @@ "resources": { "$ref": "#/$defs/helm-values.resources" }, + "seccompProfile": { + "$ref": "#/$defs/helm-values.seccompProfile" + }, "service": { "$ref": "#/$defs/helm-values.service" }, @@ -583,6 +586,11 @@ "description": "Kubernetes pod resources\nref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/\n\nFor example:\nresources:\n limits:\n cpu: 100m\n memory: 128Mi\n requests:\n cpu: 100m\n memory: 128Mi", "type": "object" }, + "helm-values.seccompProfile": { + "default": {}, + "description": "Kubernetes security context seccomp profile\nref: https://kubernetes.io/docs/tutorials/security/seccomp/\n\nFor example:\nseccompProfile:\n type: RuntimeDefault", + "type": "object" + }, "helm-values.service": { "additionalProperties": false, "properties": { diff --git a/deploy/charts/istio-csr/values.yaml b/deploy/charts/istio-csr/values.yaml index afc1ee37..b5a71dc1 100644 --- a/deploy/charts/istio-csr/values.yaml +++ b/deploy/charts/istio-csr/values.yaml @@ -243,6 +243,14 @@ volumeMounts: [] # memory: 128Mi resources: {} +# Kubernetes security context seccomp profile +# ref: https://kubernetes.io/docs/tutorials/security/seccomp/ +# +# For example: +# seccompProfile: +# type: RuntimeDefault +seccompProfile: {} + # Expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#affinity-v1-core # # For example: From 266af590ea1039a00a979b279115cd0ea9aa457c Mon Sep 17 00:00:00 2001 From: William Date: Fri, 2 Aug 2024 06:43:54 -0700 Subject: [PATCH 2/2] allow configuring entire security context Signed-off-by: William --- deploy/charts/istio-csr/README.md | 29 +++++----- .../istio-csr/templates/deployment.yaml | 11 +--- deploy/charts/istio-csr/values.schema.json | 54 +++++++++++++++++-- deploy/charts/istio-csr/values.yaml | 16 +++--- 4 files changed, 77 insertions(+), 33 deletions(-) 
diff --git a/deploy/charts/istio-csr/README.md b/deploy/charts/istio-csr/README.md index 2a3ec32b..e14f7d0b 100644 --- a/deploy/charts/istio-csr/README.md +++ b/deploy/charts/istio-csr/README.md @@ -428,21 +428,26 @@ resources: cpu: 100m memory: 128Mi ``` -#### **seccompProfile** ~ `object` +#### **securityContext.allowPrivilegeEscalation** ~ `bool` > Default value: > ```yaml -> {} +> false +> ``` +#### **securityContext.readOnlyRootFilesystem** ~ `bool` +> Default value: +> ```yaml +> true +> ``` +#### **securityContext.runAsNonRoot** ~ `bool` +> Default value: +> ```yaml +> true +> ``` +#### **securityContext.capabilities.drop[0]** ~ `string` +> Default value: +> ```yaml +> ALL > ``` - -Kubernetes security context seccomp profile -ref: https://kubernetes.io/docs/tutorials/security/seccomp/ - -For example: - -```yaml -seccompProfile: - type: RuntimeDefault -``` #### **affinity** ~ `object` > Default value: > ```yaml diff --git a/deploy/charts/istio-csr/templates/deployment.yaml b/deploy/charts/istio-csr/templates/deployment.yaml index 9011b6af..f81df2dd 100644 --- a/deploy/charts/istio-csr/templates/deployment.yaml +++ b/deploy/charts/istio-csr/templates/deployment.yaml @@ -121,16 +121,7 @@ spec: {{- toYaml .Values.resources | nindent 12 }} securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL - {{- if .Values.seccompProfile }} - seccompProfile: - {{ toYaml .Values.seccompProfile | indent 14 }} - {{- end }} + {{- toYaml .Values.securityContext | nindent 12 }} {{- if .Values.volumes }} volumes: diff --git a/deploy/charts/istio-csr/values.schema.json b/deploy/charts/istio-csr/values.schema.json index af0f1ce5..853b4b4e 100644 --- a/deploy/charts/istio-csr/values.schema.json +++ b/deploy/charts/istio-csr/values.schema.json 
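Review bot: The defaults rendered under `securityContext:` set `runAsNonRoot: true` without a `runAsUser`, so whether the container starts depends on the image declaring a numeric USER; if the istio-csr image's USER is a name or unset, the kubelet refuses to create the container (CreateContainerConfigError) and the chart fails out of the box. If the published image does not pin a numeric UID, add one to the defaults, e.g. `runAsUser: 1000` next to `runAsNonRoot: true`, using whatever UID the image actually runs as. Since the block sits beside `resources:` it is the container-level SecurityContext, which is worth a one-line comment above `securityContext:` so operators do not put pod-level fields such as `fsGroup` here and get an API-server rejection. The surrounding container spec begins before this hunk.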
@@ -33,8 +33,8 @@ "resources": { "$ref": "#/$defs/helm-values.resources" }, - "seccompProfile": { - "$ref": "#/$defs/helm-values.seccompProfile" + "securityContext": { + "$ref": "#/$defs/helm-values.securityContext" }, "service": { "$ref": "#/$defs/helm-values.service" 
@@ -586,11 +586,55 @@ "description": "Kubernetes pod resources\nref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/\n\nFor example:\nresources:\n limits:\n cpu: 100m\n memory: 128Mi\n requests:\n cpu: 100m\n memory: 128Mi", "type": "object" }, - "helm-values.seccompProfile": { - "default": {}, - "description": "Kubernetes security context seccomp profile\nref: https://kubernetes.io/docs/tutorials/security/seccomp/\n\nFor example:\nseccompProfile:\n type: RuntimeDefault", + "helm-values.securityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "$ref": "#/$defs/helm-values.securityContext.allowPrivilegeEscalation" + }, + "capabilities": { + "$ref": "#/$defs/helm-values.securityContext.capabilities" + }, + "readOnlyRootFilesystem": { + "$ref": "#/$defs/helm-values.securityContext.readOnlyRootFilesystem" + }, + "runAsNonRoot": { + "$ref": "#/$defs/helm-values.securityContext.runAsNonRoot" + } + }, "type": "object" }, + "helm-values.securityContext.allowPrivilegeEscalation": { + "default": false, + "type": "boolean" + }, + "helm-values.securityContext.capabilities": { + "additionalProperties": false, + "properties": { + "drop": { + "$ref": "#/$defs/helm-values.securityContext.capabilities.drop" + } + }, + "type": "object" + }, + "helm-values.securityContext.capabilities.drop": { + "items": { + "$ref": "#/$defs/helm-values.securityContext.capabilities.drop[0]" + }, + "type": "array" + }, + "helm-values.securityContext.capabilities.drop[0]": { + "default": "ALL", + "type": "string" + }, + "helm-values.securityContext.readOnlyRootFilesystem": { + "default": true, + "type": "boolean" + }, + "helm-values.securityContext.runAsNonRoot": { + "default": true, + "type": "boolean" + }, "helm-values.service": { "additionalProperties": false, "properties": { diff --git a/deploy/charts/istio-csr/values.yaml b/deploy/charts/istio-csr/values.yaml index b5a71dc1..042cb388 100644 
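Review bot: `helm-values.securityContext` is emitted with `"additionalProperties": false` and only four properties, so any key outside `allowPrivilegeEscalation`, `capabilities`, `readOnlyRootFilesystem` and `runAsNonRoot` fails schema validation at install time — including `seccompProfile`, which the first commit in this series specifically exposed and which the restricted Pod Security Standard requires, and `runAsUser`/`runAsGroup`. `helm-values.securityContext.capabilities` has the same restriction and therefore forbids `add`. That contradicts the commit title "allow configuring entire security context". If this file is generated from values.yaml, fix it at the source by typing the value as a free-form object; otherwise drop the `"additionalProperties": false,` line from both definitions so the full container SecurityContext is accepted.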
--- a/deploy/charts/istio-csr/values.yaml +++ b/deploy/charts/istio-csr/values.yaml @@ -243,13 +243,17 @@ volumeMounts: [] # memory: 128Mi resources: {} -# Kubernetes security context seccomp profile -# ref: https://kubernetes.io/docs/tutorials/security/seccomp/ +# Kubernetes security context +# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ # -# For example: -# seccompProfile: -# type: RuntimeDefault -seccompProfile: {} +# See the default values for an example. +securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL # Expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#affinity-v1-core #
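Review bot: The new defaults omit `seccompProfile`, which the first commit in this series had exposed, and the restricted Pod Security Standard requires `seccompProfile.type` to be `RuntimeDefault` or `Localhost`, so a namespace enforcing `restricted` will still reject this pod despite the other hardening. Add it to the defaults, `seccompProfile:` / `  type: RuntimeDefault`, so the generated schema and README pick it up and it can be overridden per cluster like the rest of the block. The comment `# See the default values for an example.` could also say that this is the container-level securityContext, so operators do not add pod-level fields like `fsGroup` here.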