feat: add spec.template.spec.securityContext #1109
Conversation
Signed-off-by: ChristianBieri1995 <122007149+ChristianBieri1995@users.noreply.github.com>
| @@ -21,6 +21,9 @@ spec: | |||
| app.kubernetes.io/name: {{ include "k8sgpt.name" . }} | |||
| app.kubernetes.io/instance: {{ .Release.Name }} | |||
| spec: | |||
| securityContext: | |||
There was a problem hiding this comment.
I think it's better to allow users to customize the securityContext option instead of hardcoding it like this.
There was a problem hiding this comment.
Sure, initially thought about this one as well. Shall I change it?
There was a problem hiding this comment.
yes. make it controllerable by values
There was a problem hiding this comment.
Done. Did it this way as it is max. flexible (if for example fsGroup should be added in the future, only changing values.yaml is enough). Hope that's fine.
Signed-off-by: ChristianBieri1995 <122007149+ChristianBieri1995@users.noreply.github.com>
Signed-off-by: ChristianBieri1995 <122007149+ChristianBieri1995@users.noreply.github.com>
Done, see above. |
Any news on that? Ready to merge? |
charts/k8sgpt/values.yaml
Outdated
| @@ -14,7 +14,9 @@ deployment: | |||
| requests: | |||
| cpu: "0.2" | |||
| memory: "156Mi" | |||
|
|
|||
| securityContext: | |||
There was a problem hiding this comment.
It seems better not to have a default value for securityContext.
There was a problem hiding this comment.
I have changed to values.yaml file accordingly. No, there is a possibility to set the securityContext but it's not mandatory. Any thoughts on that?
Signed-off-by: ChristianBieri1995 <122007149+ChristianBieri1995@users.noreply.github.com>
|
@k8sgpt-ai/k8sgpt-maintainers |
📑 Description
Adding spec.template.spec.securityContext in order to solve issues when working with Policy Management Tools such as Open Policy Agent and Gatekeeper (as in my case psp-pods-allowed-user-ranges). User and group were taken from https://github.com/k8sgpt-ai/k8sgpt/blob/main/container/Dockerfile#L37. One could also think about adding runAsNonRoot: true and fsGroup: 65532.
✅ Checks
ℹ Additional Information
Even though being more dynamic, other prominent project such as Grafana handle the securityContext in a similar way, see https://github.com/grafana/helm-charts/blob/main/charts/grafana/values.yaml#L142-L146 & https://github.com/grafana/grafana/blob/main/Dockerfile#L106 & https://github.com/grafana/helm-charts/blob/main/charts/grafana/templates/_pod.tpl#L9-L12