helm: add support to override securityContext
Signed-off-by: Dentrax <furkan.turkal@hotmail.com>
Dentrax committed Jan 20, 2025
1 parent 9fec323 commit 5ef0145
Showing 6 changed files with 120 additions and 1 deletion.
24 changes: 24 additions & 0 deletions .local/debug-driver.yaml
Expand Up @@ -41,6 +41,14 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
- name: liveness-probe
image: registry.k8s.io/sig-storage/livenessprobe:v2.3.0
imagePullPolicy: IfNotPresent
Expand All @@ -59,6 +67,14 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
volumes:
- name: mountpoint-dir
hostPath:
Expand Down Expand Up @@ -118,6 +134,14 @@ spec:
requests:
cpu: 250m
memory: 512Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
volumes:
- name: driver-volume
persistentVolumeClaim:
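Review bot: Each added block sets `runAsNonRoot: true` without a numeric `runAsUser`, so the kubelet can only admit the container if the image metadata carries a numeric non-root USER; an image whose USER is root or a name fails at container creation with CreateContainerConfigError. The same omission is in the two deploy/ manifests below, while the chart default added in values.yaml in this commit does include `runAsUser: 1000`. Either add `runAsUser: 1000` under each block to match the chart, or confirm the images pin a numeric UID; whether they do is not visible on this page. The last hunk belongs to a separate debug pod backed by a persistentVolumeClaim, and its `readOnlyRootFilesystem: true` is worth checking against whatever that container writes at runtime.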
24 changes: 24 additions & 0 deletions deploy/secrets-store-csi-driver-windows.yaml
Expand Up @@ -35,6 +35,14 @@ spec:
requests:
cpu: 100m
memory: 100Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
- name: secrets-store
image: registry.k8s.io/csi-secrets-store/driver:v1.4.7
args:
Expand Down Expand Up @@ -84,6 +92,14 @@ spec:
mountPath: "C:\\var\\lib\\kubelet\\pods"
- name: providers-dir
mountPath: C:\k\secrets-store-csi-providers
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
- name: liveness-probe
image: registry.k8s.io/sig-storage/livenessprobe:v2.13.1
imagePullPolicy: IfNotPresent
Expand All @@ -102,6 +118,14 @@ spec:
requests:
cpu: 100m
memory: 100Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
volumes:
- name: mountpoint-dir
hostPath:
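Review bot: The three blocks in this Windows DaemonSet consist mostly of Linux-only fields: `capabilities`, `privileged`, `allowPrivilegeEscalation` and `readOnlyRootFilesystem` have no effect on Windows containers, and if the pod spec declares `os.name: windows` (not visible in the hunks) the API server rejects them outright. As written the manifest reads as hardened without changing the runtime posture of the containers. Keep `runAsNonRoot: true`, which the Windows kubelet does enforce against the image user, and drop the Linux-only keys from this file. A comment above each block, `# Windows: only runAsNonRoot and windowsOptions are honoured here`, would keep the next edit from re-adding them.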
24 changes: 24 additions & 0 deletions deploy/secrets-store-csi-driver.yaml
Expand Up @@ -35,6 +35,14 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
- name: secrets-store
image: registry.k8s.io/csi-secrets-store/driver:v1.4.7
args:
Expand Down Expand Up @@ -90,6 +98,14 @@ spec:
requests:
cpu: 50m
memory: 100Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
- name: liveness-probe
image: registry.k8s.io/sig-storage/livenessprobe:v2.13.1
imagePullPolicy: IfNotPresent
Expand All @@ -108,6 +124,14 @@ spec:
requests:
cpu: 10m
memory: 20Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
volumes:
- name: mountpoint-dir
hostPath:
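Review bot: The block added to the `secrets-store` container in the second hunk drops all capabilities, sets `privileged: false` and runs as non-root, yet that container is the one that mounts secrets into the kubelet pods directory exposed through the `mountpoint-dir` hostPath at the end of the file, and performing mounts requires CAP_SYS_ADMIN. If the container definition already carries `securityContext: privileged: true` together with `mountPropagation: Bidirectional` (outside the hunk, so inferred), this hunk introduces a second `securityContext` key in the same mapping — last-wins on most loaders, rejected by strict ones — and `Bidirectional` propagation is only accepted on privileged containers. Please verify that NodePublishVolume still succeeds with this context before merging. The registrar and liveness-probe blocks are fine as hardened; if the driver container must stay privileged, keep the restrictive block on those two only.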
Expand Up @@ -53,6 +53,10 @@ spec:
mountPath: C:\csi
- name: registration-dir
mountPath: C:\registration
{{- if .Values.securityContext }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
{{- end }}
{{- with .Values.windows.registrar.resources }}
resources:
{{ toYaml . | indent 12 }}
Expand Down Expand Up @@ -134,6 +138,10 @@ spec:
{{- if .Values.windows.volumeMounts }}
{{- toYaml .Values.windows.volumeMounts | nindent 12 }}
{{- end }}
{{- if .Values.securityContext }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
{{- end }}
{{- with .Values.windows.driver.resources }}
resources:
{{ toYaml . | indent 12 }}
Expand All @@ -153,13 +161,21 @@ spec:
volumeMounts:
- name: plugin-dir
mountPath: C:\csi
{{- if .Values.securityContext }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
{{- end }}
{{- with .Values.windows.livenessProbe.resources }}
resources:
{{ toYaml . | indent 12 }}
{{- end }}
{{- if .Values.windows.priorityClassName }}
priorityClassName: {{ .Values.windows.priorityClassName | quote }}
{{- end }}
{{- if .Values.podSecurityContext }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
{{- end }}
volumes:
- name: mountpoint-dir
hostPath:
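Review bot: The three container inserts and the pod-level insert render the shared `.Values.securityContext` / `.Values.podSecurityContext` into Windows containers, but the chart default added in values.yaml in this commit includes `runAsUser: 1000`, `capabilities`, `privileged` and `readOnlyRootFilesystem`, which are Linux-only and are rejected when the pod declares `os.name: windows` (ignored otherwise). Every other tunable in this template is namespaced under `windows.` (`.Values.windows.registrar.resources`, `.Values.windows.priorityClassName`), so a Windows-specific value keeps the chart consistent: `{{- with .Values.windows.securityContext }}` / `securityContext:` / `{{- toYaml . | nindent 12 }}` with a Windows-only default such as `runAsNonRoot: true`. The same applies to the `podSecurityContext` block, whose `fsGroup` example in values.yaml is likewise Linux-only. This section's file name is not shown on the page; I am reading it as the Windows DaemonSet template.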
Expand Up @@ -53,6 +53,10 @@ spec:
mountPath: /csi
- name: registration-dir
mountPath: /registration
{{- if .Values.securityContext }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
{{- end }}
{{- with .Values.linux.registrar.resources }}
resources:
{{ toYaml . | indent 12 }}
Expand Down Expand Up @@ -137,6 +141,10 @@ spec:
{{- if .Values.linux.volumeMounts }}
{{- toYaml .Values.linux.volumeMounts | nindent 12 }}
{{- end }}
{{- if .Values.securityContext }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
{{- end }}
{{- with .Values.linux.driver.resources }}
resources:
{{ toYaml . | indent 12 }}
Expand All @@ -156,13 +164,21 @@ spec:
volumeMounts:
- name: plugin-dir
mountPath: /csi
{{- if .Values.securityContext }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
{{- end }}
{{- with .Values.linux.livenessProbe.resources }}
resources:
{{ toYaml . | indent 12 }}
{{- end }}
{{- if .Values.linux.priorityClassName }}
priorityClassName: {{ .Values.linux.priorityClassName | quote }}
{{- end }}
{{- if .Values.podSecurityContext }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
{{- end }}
volumes:
- name: mountpoint-dir
hostPath:
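Review bot: One `.Values.securityContext` value is applied verbatim to the registrar, driver and liveness-probe containers, although the driver is the only one that performs mounts into the `mountpoint-dir` hostPath, so a default strict enough for the sidecars is unlikely to be right for the driver and vice versa. The template already scopes resources per container (`.Values.linux.registrar.resources`, `.Values.linux.driver.resources`, `.Values.linux.livenessProbe.resources`); the same shape for securityContext lets each container be tuned independently while keeping the global key as a fallback, e.g. `{{- with (.Values.linux.driver.securityContext | default .Values.securityContext) }}` and `{{- toYaml . | nindent 12 }}`. Using `with` also matches the surrounding `{{- with .Values.linux.driver.resources }}` blocks instead of introducing `if` for the same pattern. This section's file name is not shown on the page; I am reading it as the Linux DaemonSet template.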
17 changes: 16 additions & 1 deletion manifest_staging/charts/secrets-store-csi-driver/values.yaml
Expand Up @@ -13,7 +13,8 @@ linux:
tag: v1.4.7
pullPolicy: IfNotPresent
## Optionally override resource limits for crd hooks(jobs)
resources: {}
resources:
{}
# requests:
# cpu: "100m"
# memory: "128Mi"
Expand Down Expand Up @@ -242,3 +243,17 @@ tokenRequests: []
# -- Labels to apply to all resources
commonLabels: {}
# team_name: dev

securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000

# podSecurityContext -- [Security context for Pod](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
podSecurityContext:
# fsGroup: 1000
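Review bot: `podSecurityContext:` with only a commented-out child parses as null, a different type from the `{}` / `[]` used by `commonLabels: {}` and `tokenRequests: []` just above; the template's `if` guard tolerates it, but schema validation and `helm show values` consumers see null rather than an empty map, so write `podSecurityContext: {}`. The new `securityContext` block also lacks the helm-docs comment that `podSecurityContext` has; add `# securityContext -- Security context applied to every driver container on Linux and Windows unless overridden` above it, because that scope is the surprising part of this default. It is worth stating in that comment that the default (all capabilities dropped, `runAsUser: 1000`) reaches the driver container that performs mounts as well as the sidecars, so operators know which value to override if mounts fail. The `resources: {}` reflow in the first hunk is an unrelated whitespace-only change.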
