diff --git a/charts/capsule/Chart.yaml b/charts/capsule/Chart.yaml
index a73dea5f..f3adde84 100644
--- a/charts/capsule/Chart.yaml
+++ b/charts/capsule/Chart.yaml
@@ -21,7 +21,7 @@ sources:
 
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 0.3.2
+version: 0.3.3
 
 # This is the version number of the application being deployed.
 # This version number should be incremented each time you make changes to the application.
diff --git a/charts/capsule/README.md b/charts/capsule/README.md
index a84dfaff..43b7f5e6 100644
--- a/charts/capsule/README.md
+++ b/charts/capsule/README.md
@@ -72,9 +72,11 @@ Here the values you can override:
 | mutatingWebhooksTimeoutSeconds | int | `30` | Timeout in seconds for mutating webhooks |
 | nodeSelector | object | `{}` | Set the node selector for the Capsule pod |
 | podAnnotations | object | `{}` | Annotations to add to the capsule pod. |
+| podSecurityContext | object | `{"runAsGroup":1002,"runAsNonRoot":true,"runAsUser":1002,"seccompProfile":{"type":"RuntimeDefault"}}` | Set the securityContext for the Capsule pod |
 | podSecurityPolicy.enabled | bool | `false` | Specify if a Pod Security Policy must be created |
 | priorityClassName | string | `""` | Set the priority class name of the Capsule pod |
 | replicaCount | int | `1` | Set the replica count for capsule pod |
+| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true}` | Set the securityContext for the Capsule container |
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
 | serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
 | serviceAccount.name | string | `"capsule"` | The name of the service account to use. If not set and `serviceAccount.create=true`, a name is generated using the fullname template |
diff --git a/charts/capsule/templates/daemonset.yaml b/charts/capsule/templates/daemonset.yaml
index 293442b8..194381b7 100644
--- a/charts/capsule/templates/daemonset.yaml
+++ b/charts/capsule/templates/daemonset.yaml
@@ -29,6 +29,10 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 serviceAccountName: {{ include "capsule.serviceAccountName" . }}
+ {{- with .Values.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 {{- if .Values.manager.hostNetwork }}
 hostNetwork: true
 dnsPolicy: ClusterFirstWithHostNet
@@ -84,5 +88,5 @@ spec:
 resources:
 {{- toYaml .Values.manager.resources | nindent 12 }}
 securityContext:
- allowPrivilegeEscalation: false
+ {{- toYaml .Values.securityContext | nindent 12 }}
 {{- end }}
diff --git a/charts/capsule/templates/deployment.yaml b/charts/capsule/templates/deployment.yaml
index c0a6ebfb..fa70d591 100644
--- a/charts/capsule/templates/deployment.yaml
+++ b/charts/capsule/templates/deployment.yaml
@@ -28,6 +28,10 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 serviceAccountName: {{ include "capsule.serviceAccountName" . }}
+ {{- with .Values.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 {{- if .Values.manager.hostNetwork }}
 hostNetwork: true
 dnsPolicy: ClusterFirstWithHostNet
@@ -83,5 +87,5 @@ spec:
 resources:
 {{- toYaml .Values.manager.resources | nindent 12 }}
 securityContext:
- allowPrivilegeEscalation: false
+ {{- toYaml .Values.securityContext | nindent 12 }}
 {{- end }}
diff --git a/charts/capsule/values.yaml b/charts/capsule/values.yaml
index 0023f1f9..a8425cbb 100644
--- a/charts/capsule/values.yaml
+++ b/charts/capsule/values.yaml
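Review bot: In the second daemonset.yaml hunk the container-level `securityContext:` key is now emitted unconditionally while its body comes from `{{- toYaml .Values.securityContext | nindent 12 }}`, so an operator who clears the value (Helm drops a key set to `null` in user values) renders `securityContext: null` and silently loses the `allowPrivilegeEscalation: false` that the template previously hard-coded. The pod-level block added in the first hunk is wrapped in `{{- with .Values.podSecurityContext }}` and is only rendered when set; the container block should use the same guard, `{{- with .Values.securityContext }}` … `{{- toYaml . | nindent 12 }}` … `{{- end }}`, or keep the old fixed line as a floor outside the values-driven block if the hardening is not meant to be removable. The two deployment.yaml hunks have the identical pattern and need the same treatment. In both files the container block ends at a `{{- end }}` whose opening conditional lies outside the hunk.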
@@ -77,6 +77,23 @@ podAnnotations: {} # -- Set the priority class name of the Capsule pod priorityClassName: '' # system-cluster-critical +# -- Set the securityContext for the Capsule pod +podSecurityContext: + seccompProfile: + type: "RuntimeDefault" + runAsGroup: 1002 + runAsNonRoot: true + runAsUser: 1002 + + +# -- Set the securityContext for the Capsule container +securityContext: + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + # -- Set the node selector for the Capsule pod nodeSelector: {} # node-role.kubernetes.io/master: ""
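Review bot: The new `podSecurityContext` and `securityContext` defaults tighten the runtime (non-root UID/GID 1002, all capabilities dropped, read-only root filesystem, RuntimeDefault seccomp) but the `# --` comments in this hunk do not say what those defaults presume of the image, which is what an operator needs when the pod fails to start after an upgrade. I would extend them to `# -- Set the securityContext for the Capsule pod. Defaults run the manager as non-root UID/GID 1002; the image must be runnable under that (or an overridden) non-root UID.` and `# -- Set the securityContext for the Capsule container. With readOnlyRootFilesystem, any path the manager writes at runtime must be backed by a volume; seccompProfile requires an API server that supports the field.` — I cannot see from the chart whether the manager writes to disk, so confirm before wording that as a guarantee. Helm coalesces user values with these defaults per map key but replaces lists wholesale, so `capabilities.drop` can only be overridden as a complete list; that is worth one more line in the comment. Style-wise, the two blank lines after `runAsUser: 1002` should be one, and `"RuntimeDefault"` is the only quoted scalar in the block.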