Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Support configuring pod and container security context #32

Merged
merged 1 commit into from
Jun 26, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion charts/bindplane/Chart.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ name: bindplane
description: BindPlane OP is an open source observability pipeline.
type: application
# The chart's version
version: 0.0.32
version: 0.0.33
# The BindPlane OP tagged release. If the user does not
# set the `image.tag` values option, this version is used.
appVersion: 1.17.1
Expand Down
14 changes: 6 additions & 8 deletions charts/bindplane/templates/bindplane.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -29,8 +29,10 @@ spec:
app.kubernetes.io/instance: {{ .Release.Name }}
spec:
serviceAccountName: {{ include "bindplane.fullname" . }}
{{- with .Values.podSecurityContext }}
securityContext:
fsGroup: 65534
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: server
image: {{ include "bindplane.image" . }}:{{ include "bindplane.tag" . }}
Expand Down Expand Up @@ -350,14 +352,10 @@ spec:
httpGet:
path: /health
port: http
{{- with .Values.containerSecurityContext }}
securityContext:
runAsNonRoot: true
runAsUser: 65534
# Persistent data is written to a volume, the bindplane process should
# never need to write to the container filesystem.
readOnlyRootFilesystem: true
capabilities:
drop: ["ALL"]
{{- toYaml . | nindent 12 }}
{{- end }}
volumeMounts:
{{- if eq .Values.backend.type "bbolt" }}
- mountPath: /data
Expand Down
18 changes: 18 additions & 0 deletions charts/bindplane/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -211,3 +211,21 @@ email:
sendgrid:
# -- The sendgrid API token to use when authenticating to Sendgrid.
token: ""

# -- The Pod spec's securityContext: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod.
podSecurityContext:
# This field supports all pod securityContext options.
# BindPlane uses the following container securityContext by default:
fsGroup: 65534

# -- The Container's securityContext: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container.
containerSecurityContext:
# This field supports all container securityContext options.
# BindPlane uses the following container securityContext by default:
runAsNonRoot: true
runAsUser: 65534
# Persistent data is written to a volume, the bindplane process should
# never need to write to the container filesystem.
readOnlyRootFilesystem: true
capabilities:
drop: ["ALL"]