apache · potiuk · Sep 13, 2023 · Sep 13, 2023
@@ -26,6 +26,7 @@
 {{- $tolerations := or .Values.cleanup.tolerations .Values.tolerations }}
 {{- $topologySpreadConstraints := or .Values.cleanup.topologySpreadConstraints .Values.topologySpreadConstraints }}
 {{- $securityContext := include "airflowPodSecurityContext" (list . .Values.cleanup) }}
+{{- $containerSecurityContext := include "containerSecurityContext" (list . .Values.cleanup) }}
 apiVersion: batch/v1
 kind: CronJob
 metadata:
@@ -91,6 +92,7 @@ spec:
             - name: airflow-cleanup-pods
               image: {{ template "airflow_image" . }}
               imagePullPolicy: {{ .Values.images.airflow.pullPolicy }}
+              securityContext: {{ or $containerSecurityContext .Values.cleanup.securityContexts.container .Values.securityContexts.containers | nindent 16 }}
               {{- if .Values.cleanup.command }}
               command: {{ tpl (toYaml .Values.cleanup.command) . | nindent 16 }}
               {{- end }}

@@ -2223,6 +2223,7 @@ cleanup:
 
   # Detailed default security context for cleanup for container level
   securityContexts:
+    pod: {}
     container: {}
 
   # container level lifecycle hooks

diff --git a/helm_tests/security/test_security_context.py b/helm_tests/security/test_security_context.py
@@ -223,9 +223,12 @@ def test_global_security_context(self):
         docs = render_chart(
             values={
                 "securityContexts": {"containers": ctx_value_container, "pod": ctx_value_pod},
+                "cleanup": {"enabled": True},
+                "flower": {"enabled": True},
                 "pgbouncer": {"enabled": True},
             },
             show_only=[
+                "templates/cleanup/cleanup-cronjob.yaml",
                 "templates/flower/flower-deployment.yaml",
                 "templates/scheduler/scheduler-deployment.yaml",
                 "templates/webserver/webserver-deployment.yaml",
@@ -238,7 +241,15 @@ def test_global_security_context(self):
                 "templates/redis/redis-statefulset.yaml",
             ],
         )
-        for doc in docs[:-3]:
+
+        assert ctx_value_container == jmespath.search(
+            "spec.jobTemplate.spec.template.spec.containers[0].securityContext", docs[0]
+        )
+        assert ctx_value_pod == jmespath.search(
+            "spec.jobTemplate.spec.template.spec.securityContext", docs[0]
+        )
+
+        for doc in docs[1:-3]:
             assert ctx_value_container == jmespath.search(
                 "spec.template.spec.containers[0].securityContext", doc
             )
@@ -269,18 +280,20 @@ def test_main_container_setting(self):
         security_context = {"securityContexts": {"container": ctx_value}}
         docs = render_chart(
             values={
+                "cleanup": {"enabled": True, **security_context},
                 "scheduler": {**security_context},
                 "webserver": {**security_context},
                 "workers": {**security_context},
-                "flower": {**security_context},
+                "flower": {"enabled": True, **security_context},
                 "statsd": {**security_context},
                 "createUserJob": {**security_context},
                 "migrateDatabaseJob": {**security_context},
                 "triggerer": {**security_context},
-                "pgbouncer": {**security_context},
+                "pgbouncer": {"enabled": True, **security_context},
                 "redis": {**security_context},
             },
             show_only=[
+                "templates/cleanup/cleanup-cronjob.yaml",
                 "templates/flower/flower-deployment.yaml",
                 "templates/scheduler/scheduler-deployment.yaml",
                 "templates/webserver/webserver-deployment.yaml",
@@ -294,7 +307,11 @@ def test_main_container_setting(self):
             ],
         )
 
-        for doc in docs:
+        assert ctx_value == jmespath.search(
+            "spec.jobTemplate.spec.template.spec.containers[0].securityContext", docs[0]
+        )
+
+        for doc in docs[1:]:
             assert ctx_value == jmespath.search("spec.template.spec.containers[0].securityContext", doc)
 
     # Test securityContexts for log-groomer-sidecar main container
@@ -395,18 +412,20 @@ def test_main_pod_setting(self):
         security_context = {"securityContexts": {"pod": ctx_value}}
         docs = render_chart(
             values={
+                "cleanup": {"enabled": True, **security_context},
                 "scheduler": {**security_context},
                 "webserver": {**security_context},
                 "workers": {**security_context},
-                "flower": {**security_context},
+                "flower": {"enabled": True, **security_context},
                 "statsd": {**security_context},
                 "createUserJob": {**security_context},
                 "migrateDatabaseJob": {**security_context},
                 "triggerer": {**security_context},
-                "pgbouncer": {**security_context},
+                "pgbouncer": {"enabled": True, **security_context},
                 "redis": {**security_context},
             },
             show_only=[
+                "templates/cleanup/cleanup-cronjob.yaml",
                 "templates/flower/flower-deployment.yaml",
                 "templates/scheduler/scheduler-deployment.yaml",
                 "templates/webserver/webserver-deployment.yaml",
@@ -420,7 +439,9 @@ def test_main_pod_setting(self):
             ],
         )
 
-        for doc in docs:
+        assert ctx_value == jmespath.search("spec.jobTemplate.spec.template.spec.securityContext", docs[0])
+
+        for doc in docs[1:]:
             assert ctx_value == jmespath.search("spec.template.spec.securityContext", doc)
 
     # Test securityContexts for main pods
@@ -429,17 +450,19 @@ def test_main_pod_setting_legacy_security(self):
         security_context = {"securityContext": ctx_value}
         docs = render_chart(
             values={
+                "cleanup": {"enabled": True, **security_context},
                 "scheduler": {**security_context},
                 "webserver": {**security_context},
                 "workers": {**security_context},
-                "flower": {**security_context},
+                "flower": {"enabled": True, **security_context},
                 "statsd": {**security_context},
                 "createUserJob": {**security_context},
                 "migrateDatabaseJob": {**security_context},
                 "triggerer": {**security_context},
                 "redis": {**security_context},
             },
             show_only=[
+                "templates/cleanup/cleanup-cronjob.yaml",
                 "templates/flower/flower-deployment.yaml",
                 "templates/scheduler/scheduler-deployment.yaml",
                 "templates/webserver/webserver-deployment.yaml",
@@ -452,5 +475,7 @@ def test_main_pod_setting_legacy_security(self):
             ],
         )
 
-        for doc in docs:
+        assert ctx_value == jmespath.search("spec.jobTemplate.spec.template.spec.securityContext", docs[0])
+
+        for doc in docs[1:]:
             assert ctx_value == jmespath.search("spec.template.spec.securityContext", doc)