Skip to content

fix(helm): add pod-level security context support to QueryDoc deployment#1313

Merged
EItanya merged 1 commit intokagent-dev:mainfrom
opspawn:fix/1184-querydoc-pod-security-context
Feb 16, 2026
Merged

fix(helm): add pod-level security context support to QueryDoc deployment#1313
EItanya merged 1 commit intokagent-dev:mainfrom
opspawn:fix/1184-querydoc-pod-security-context

Conversation

@opspawn
Copy link
Contributor

@opspawn opspawn commented Feb 15, 2026

Summary

Fixes #1184 — QueryDoc helm template now supports pod-level security contexts via the podSecurityContext value.

Problem

Users running PSA (Pod Security Admission) in restricted mode need to set pod-level security contexts (e.g., runAsNonRoot, fsGroup, seccompProfile). The QueryDoc deployment template only supported container-level securityContext but not pod-level securityContext.

Changes

  • values.yaml: Added podSecurityContext: {} default value
  • deployment.yaml: Added conditional pod-level securityContext block under spec.template.spec
  • deployment_test.yaml: Added two test cases (default empty + custom values)

Usage

podSecurityContext:
  runAsNonRoot: true
  fsGroup: 1000
  seccompProfile:
    type: RuntimeDefault

This follows the same pattern used in the main kagent controller and UI deployments.

Signed-off-by: opspawn agent@opspawn.com

Copilot AI review requested due to automatic review settings February 15, 2026 18:06
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds pod-level security context support to the QueryDoc Helm chart to help users comply with Kubernetes Pod Security Admission (restricted) requirements.

Changes:

  • Add podSecurityContext: {} to the QueryDoc chart default values.
  • Render spec.template.spec.securityContext from .Values.podSecurityContext when provided.
  • Add helm-unittest coverage for default behavior (absent) and custom pod security context values.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File Description
helm/tools/querydoc/values.yaml Introduces podSecurityContext value to configure pod-level security context.
helm/tools/querydoc/templates/deployment.yaml Conditionally renders pod securityContext from podSecurityContext.
helm/tools/querydoc/tests/deployment_test.yaml Adds tests ensuring pod security context is omitted by default and set when configured.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Fixes kagent-dev#1184 — QueryDoc helm template now supports pod-level security
contexts via the `podSecurityContext` value, enabling PSA restricted
compliance. Container-level `securityContext` was already supported but
pod-level was missing.

Signed-off-by: opspawn <sean@opspawn.com>
@opspawn opspawn force-pushed the fix/1184-querydoc-pod-security-context branch from 900b682 to 597854a Compare February 16, 2026 02:33
@EItanya EItanya merged commit 935d1ae into kagent-dev:main Feb 16, 2026
16 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[FEATURE] QueryDoc helm template should support pod level security contexts

3 participants