helm: Move some securityContext fields to container's securityContext

The `privileged` and `readOnlyRootFilesystem` fields are not valid in the pod's security context and can only be used in the container's security context. Trying to apply the generated resource would cause the error: ``` error validating data: [ValidationError(Deployment.spec.template.spec.securityContext): unknown field "privileged" in io.k8s.api.core.v1.PodSecurityContext, ValidationError(Deployment.spec.template.spec.securityContext): unknown field "readOnlyRootFilesystem" in io.k8s.api.core.v1.PodSecurityContext]; if you choose to ignore these errors, turn validation off with --validate=false ```
planetlabs · Aug 18, 2020 · 4d0cdaa · 4d0cdaa
1 parent f32fd0b
commit 4d0cdaa
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 0 deletions.
diff --git a/helm/draino/templates/deployment.yaml b/helm/draino/templates/deployment.yaml
@@ -48,6 +48,10 @@ spec:
               port: 10002
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+          {{- with .Values.containerSecurityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
       serviceAccountName: {{ if .Values.rbac.create }}{{ template "draino.fullname" . }}{{ else }}"{{ .Values.rbac.serviceAccountName }}"{{ end }}
       {{- with .Values.securityContext }}
       securityContext:

diff --git a/helm/draino/values.yaml b/helm/draino/values.yaml
@@ -46,5 +46,7 @@ securityContext:
   runAsGroup: 101
   runAsNonRoot: true
   runAsUser: 100
+
+containerSecurityContext:
   privileged: false
   readOnlyRootFilesystem: true