Merge pull request #477 from wunderio/feat/securityContext

feat(frontend): add security context support

Author: Rade333

frontend/templates/services-cron.yaml

@@ -31,6 +31,10 @@ spec:
           containers:
           - name: {{ $jobName }}-cron
             image: {{ $service.image | quote }}
+            {{- if $service.securityContext }}
+            securityContext:
+              {{- toYaml $service.securityContext | nindent 14 }}
+            {{- end }}
             volumeMounts:
               {{- if $service.mounts }}
               {{- range $index, $mountName := $service.mounts -}}

frontend/templates/services-deployment.yaml

@@ -33,6 +33,10 @@ spec:
       containers:
       - name: {{ $index }}
         image: {{ $service.image | quote }}
+        {{- if $service.securityContext }}
+        securityContext:
+          {{- toYaml $service.securityContext | nindent 10 }}
+        {{- end }}
         ports:
         - containerPort: {{ default $.Values.serviceDefaults.port $service.port }}
           name: {{ $index }}

frontend/values.schema.json

@@ -8,7 +8,7 @@
     "branchName": { "type": "string" },
     "imagePullSecrets": { "type": "array" },
     "imagePullSecret": { "type": "string" },
-    "serviceAccount": { 
+    "serviceAccount": {
       "type": "object",
       "additionalProperties": false,
       "properties": {
@@ -320,6 +320,64 @@
           "nodeSelector": {
             "type": "object",
             "additionalProperties": { "type": "string" }
+          },
+          "securityContext": {
+            "type": "object",
+            "additionalProperties": false,
+            "properties": {
+              "allowPrivilegeEscalation": { "type": "boolean" },
+              "readOnlyRootFilesystem": { "type": "boolean" },
+              "runAsNonRoot": { "type": "boolean" },
+              "runAsUser": { "type": "integer" },
+              "runAsGroup": { "type": "integer" },
+              "fsGroup": { "type": "integer" },
+              "privileged": { "type": "boolean" },
+              "procMount": { "type": "string" },
+              "capabilities": {
+                "type": "object",
+                "additionalProperties": false,
+                "properties": {
+                  "add": {
+                    "type": "array",
+                    "items": { "type": "string" }
+                  },
+                  "drop": {
+                    "type": "array",
+                    "items": { "type": "string" }
+                  }
+                }
+              },
+              "seccompProfile": {
+                "type": "object",
+                "additionalProperties": false,
+                "properties": {
+                  "type": { "type": "string" },
+                  "localhostProfile": { "type": "string" }
+                }
+              },
+              "seLinuxOptions": {
+                "type": "object",
+                "additionalProperties": false,
+                "properties": {
+                  "level": { "type": "string" },
+                  "role": { "type": "string" },
+                  "type": { "type": "string" },
+                  "user": { "type": "string" }
+                }
+              },
+              "sysctls": {
+                "type": "array",
+                "items": {
+                  "type": "object",
+                  "additionalProperties": false,
+                  "properties": {
+                    "name": { "type": "string" },
+                    "value": { "type": "string" }
+                  },
+                  "required": ["name", "value"]
+                }
+              }
+            }
           }
         }
       }

frontend/values.yaml

@@ -23,7 +23,7 @@ environmentName: ""
 # See https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
 imagePullSecrets: []
 
-# Custom imagePullSecret for the containers. Base64 encoded. This will create a secret and append it to the imagePullSecrets. 
+# Custom imagePullSecret for the containers. Base64 encoded. This will create a secret and append it to the imagePullSecrets.
 imagePullSecret: ""
 
 serviceAccount:
@@ -227,6 +227,9 @@ services: {}
   #   # Use storage mountpoints (defined in the mounts section) for this service.
   #   mounts:
   #     - files
+  #
+  #   # Security context settings for this service
+  #   securityContext: { }
 
   #   # Enable autoscaling using HorizontalPodAutoscaler
   #   # see: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/