feat(chart): expose podSecurityContext and securityContext values#1258
Open
vishwakt wants to merge 1 commit into
Add `podSecurityContext` (pod-level) and `securityContext` (container-level) values and wire them into both the Deployment and DaemonSet templates. Secure defaults are provided so the controller no longer runs as root with a writable root filesystem out of the box, satisfying the Pod Security "restricted" profile and lint gates such as kube-linter's `run-as-non-root` and `no-read-only-root-fs`:

- podSecurityContext: runAsNonRoot, runAsUser 65532, RuntimeDefault seccomp
- securityContext: readOnlyRootFilesystem, no privilege escalation, drop ALL

The runtime does not write to its root filesystem, so readOnlyRootFilesystem is safe. Both blocks are `with`-guarded so operators can relax them by overriding the values.

Closes hetznercloud#1253

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
What

Closes #1253.

Adds `podSecurityContext` (pod-level) and `securityContext` (container-level) values to the Helm chart and wires them into both the Deployment and DaemonSet templates (`chart/templates/deployment.yaml`, `chart/templates/daemonset.yaml`). Secure defaults are shipped, as proposed in the issue, so the controller no longer runs as root with a writable root filesystem out of the box:

Why

This satisfies the Pod Security `restricted` profile and common lint gates (kube-linter `run-as-non-root` / `no-read-only-root-fs`), removing the need for repo-wide lint waivers or post-render kustomize patches on hardened clusters.

Notes

- `readOnlyRootFilesystem: true` is safe: the runtime controller does not write to its root filesystem (the only filesystem writes in the repo are in `tools/` and `internal/testsupport/`, neither of which is in the runtime path). No writable `emptyDir` is needed.
- `USER` in the Dockerfile), so `runAsNonRoot` is correctly paired with an explicit `runAsUser: 65532`.
- `{{- with }}`-guarded, so operators can relax or disable them by overriding the values (e.g. set to `{}`).
- `chart/.snapshots/*.yaml`) and deploy manifests (`deploy/ccm.yaml`, `deploy/ccm-networks.yaml`); `helm lint` passes.

🤖 Generated with Claude Code
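As an added example (not code from the PR or the project), a lint-style pass over a rendered Deployment or DaemonSet for the settings the commit message and description list; the manifests and the `ccm` container name are constructed stand-ins for `helm template` output, and the check goes slightly beyond the PR's default by also accepting a `Localhost` seccomp profile, which the restricted profile allows.

```python
# Added example, not code from the PR: lint a rendered Deployment/DaemonSet for the
# securityContext settings the chart change wires in. Sample manifests are constructed.
from typing import Dict, List

# The defaults the PR describes (podSecurityContext / securityContext values).
POD_SECURITY_CONTEXT = {
    "runAsNonRoot": True,
    "runAsUser": 65532,
    "seccompProfile": {"type": "RuntimeDefault"},
}
CONTAINER_SECURITY_CONTEXT = {
    "readOnlyRootFilesystem": True,
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
}

def render_deployment(pod_sc: Dict, container_sc: Dict) -> Dict:
    """Constructed stand-in for a rendered chart/templates/deployment.yaml."""
    spec = {"containers": [{"name": "ccm", "image": "placeholder:tag",
                            "securityContext": container_sc}]}
    if pod_sc:  # mirrors the `with`-guard: an empty value emits no block
        spec["securityContext"] = pod_sc
    return {"kind": "Deployment", "spec": {"template": {"spec": spec}}}

def check_restricted(manifest: Dict) -> List[str]:
    """Return one finding per failed check; an empty list means all pass."""
    spec = manifest["spec"]["template"]["spec"]
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for c in spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        # Container-level fields override pod-level ones for the shared keys.
        eff = {**pod_sc, **(c.get("securityContext") or {})}
        if eff.get("runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot must be true")
        # The kubelet cannot verify runAsNonRoot for an image with a non-numeric
        # USER, so the PR pairs it with an explicit runAsUser.
        if not isinstance(eff.get("runAsUser"), int) or eff["runAsUser"] == 0:
            findings.append(f"{name}: runAsUser must be an explicit non-zero UID")
        seccomp = (eff.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: seccompProfile.type must be RuntimeDefault/Localhost")
        if eff.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem must be true")
        if eff.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation must be false")
        if "ALL" not in (eff.get("capabilities") or {}).get("drop", []):
            findings.append(f"{name}: capabilities.drop must include ALL")
    return findings
```

Rendering with both values set to `{}` (the relaxation path the PR describes) reproduces the six findings the pre-PR chart would trigger.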