-
Notifications
You must be signed in to change notification settings - Fork 562
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add spec.template.spec.securityContext #1109
base: main
Are you sure you want to change the base?
Conversation
Signed-off-by: ChristianBieri1995 <122007149+ChristianBieri1995@users.noreply.github.com>
@@ -21,6 +21,9 @@ spec: | |||
app.kubernetes.io/name: {{ include "k8sgpt.name" . }} | |||
app.kubernetes.io/instance: {{ .Release.Name }} | |||
spec: | |||
securityContext: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it's better to allow users to customize the securityContext option instead of hardcoding it like this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure, initially thought about this one as well. Shall I change it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes. make it controllerable by values
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done. Did it this way as it is max. flexible (if for example fsGroup should be added in the future, only changing values.yaml is enough). Hope that's fine.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How about making this configurable in the values.yaml?
Signed-off-by: ChristianBieri1995 <122007149+ChristianBieri1995@users.noreply.github.com>
Signed-off-by: ChristianBieri1995 <122007149+ChristianBieri1995@users.noreply.github.com>
Done, see above. |
Any news on that? Ready to merge? |
charts/k8sgpt/values.yaml
Outdated
@@ -14,7 +14,9 @@ deployment: | |||
requests: | |||
cpu: "0.2" | |||
memory: "156Mi" | |||
|
|||
securityContext: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It seems better not to have a default value for securityContext.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have changed to values.yaml file accordingly. No, there is a possibility to set the securityContext but it's not mandatory. Any thoughts on that?
Signed-off-by: ChristianBieri1995 <122007149+ChristianBieri1995@users.noreply.github.com>
@k8sgpt-ai/k8sgpt-maintainers |
📑 Description
Adding spec.template.spec.securityContext in order to solve issues when working with Policy Management Tools such as Open Policy Agent and Gatekeeper (as in my case psp-pods-allowed-user-ranges). User and group were taken from https://github.com/k8sgpt-ai/k8sgpt/blob/main/container/Dockerfile#L37. One could also think about adding runAsNonRoot: true and fsGroup: 65532.
✅ Checks
ℹ Additional Information
Even though being more dynamic, other prominent project such as Grafana handle the securityContext in a similar way, see https://github.com/grafana/helm-charts/blob/main/charts/grafana/values.yaml#L142-L146 & https://github.com/grafana/grafana/blob/main/Dockerfile#L106 & https://github.com/grafana/helm-charts/blob/main/charts/grafana/templates/_pod.tpl#L9-L12