From bffbb5ca340a8e933fda2098c3ca60df909250de Mon Sep 17 00:00:00 2001
From: Kohei Watanabe
Date: Wed, 20 Dec 2023 14:13:33 +0900
Subject: [PATCH] Support `pod.spec.containers.securityContext` specification

This PR attempts to close #116 Following the valeriano-manassero's implementation, https://github.com/valeriano-manassero/helm-charts/blob/6382a14272927a908bc006d0f1370ba9dffc821f/valeriano-manassero/trino/values.yaml#L467-L471 let me Support `pod.spec.containers.securityContext` specification
---
 charts/trino/README.md | 2 ++
 charts/trino/templates/deployment-coordinator.yaml | 2 ++
 charts/trino/templates/deployment-worker.yaml | 2 ++
 charts/trino/values.yaml | 7 +++++++
 4 files changed, 13 insertions(+)

diff --git a/charts/trino/README.md b/charts/trino/README.md
index 57019345..d5379aa2 100644
--- a/charts/trino/README.md
+++ b/charts/trino/README.md
@@ -49,6 +49,8 @@ The following table lists the configurable parameters of the Trino chart and the
 | `sidecarContainers` | | `{}` |
 | `securityContext.runAsUser` | | `1000` |
 | `securityContext.runAsGroup` | | `1000` |
+| `containerSecurityContext.allowPrivilegeEscalation` | Controls whether a process can gain more privileges than its parent process. | `false` |
+| `containerSecurityContext.capabilities.drop` | List of Linux kernel capabilities that are dropped from every container. You can confirm the options for "capabilities" here: https://man7.org/linux/man-pages/man7/capabilities.7.html Please make sure to remove "CAP_" prefix which the kernel attaches to the names of permissions. | `["ALL"]` |
 | `shareProcessNamespace.coordinator` | | `false` |
 | `shareProcessNamespace.worker` | | `false` |
 | `service.type` | | `"ClusterIP"` |
diff --git a/charts/trino/templates/deployment-coordinator.yaml b/charts/trino/templates/deployment-coordinator.yaml
index 0dec6dd9..331b87ff 100644
--- a/charts/trino/templates/deployment-coordinator.yaml
+++ b/charts/trino/templates/deployment-coordinator.yaml
@@ -102,6 +102,8 @@ spec:
 - name: {{ .Chart.Name }}-coordinator
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
+ securityContext:
+ {{- toYaml .Values.containerSecurityContext | nindent 12 }}
 env:
 {{- toYaml .Values.env | nindent 12 }}
 envFrom:
diff --git a/charts/trino/templates/deployment-worker.yaml b/charts/trino/templates/deployment-worker.yaml
index 246b64e1..fd61fe1a 100644
--- a/charts/trino/templates/deployment-worker.yaml
+++ b/charts/trino/templates/deployment-worker.yaml
@@ -80,6 +80,8 @@ spec:
 - name: {{ .Chart.Name }}-worker
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
+ securityContext:
+ {{- toYaml .Values.containerSecurityContext | nindent 12 }}
 env:
 {{- toYaml .Values.env | nindent 12 }}
 envFrom:
diff --git a/charts/trino/values.yaml b/charts/trino/values.yaml
index c422d495..dda14138 100644
--- a/charts/trino/values.yaml
+++ b/charts/trino/values.yaml
@@ -218,6 +218,13 @@ securityContext:
 runAsUser: 1000
 runAsGroup: 1000
 
+# -- SecurityContext configuration for containers
+containerSecurityContext:
+ allowPrivilegeEscalation: false # Controls whether a process can gain more privileges than its parent process.
+ capabilities:
+ drop: # List of Linux kernel capabilities that are dropped from every container. You can confirm the options for "capabilities" here: https://man7.org/linux/man-pages/man7/capabilities.7.html Please make sure to remove "CAP_" prefix which the kernel attaches to the names of permissions.
+ - ALL
+
 shareProcessNamespace:
 coordinator: false
 worker: false
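Review bot: The new `securityContext` is emitted unconditionally, so an operator who clears the value to opt out for one deployment (`containerSecurityContext: null`, e.g. for an image that still needs a capability) gets `securityContext: null` written into the container spec instead of the key being omitted; the API server tolerates that, but it is noisy and may be rejected by strict manifest validators, and wrapping the two lines as `{{- with .Values.containerSecurityContext }}` / `securityContext:` / `{{- toYaml . | nindent 12 }}` / `{{- end }}` keeps the hardened default while making opt-out clean. The identical insertion in the deployment-worker.yaml hunk should get the same treatment. Because the value is templated only into these two main containers, `sidecarContainers` (and any init containers the chart may add) presumably do not inherit the dropped capabilities or the privilege-escalation block, which is worth stating in the README row so operators do not assume pod-wide coverage. The enclosing container list starts and ends outside the hunk.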
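Review bot: The two new defaults meet only part of the Kubernetes restricted Pod Security Standard, which also requires `runAsNonRoot: true` and `seccompProfile: {type: RuntimeDefault}` on every container; since the pod-level `securityContext` on the preceding lines already sets `runAsUser: 1000`, adding `runAsNonRoot: true` to `containerSecurityContext` is a safe default, while `seccompProfile` and `readOnlyRootFilesystem` are better documented as opt-ins because the chart does not establish whether the image tolerates them. The trailing comment on `drop:` runs to several hundred characters and repeats the README text, while the heading line uses the helm-docs `# --` form; move the guidance into a one-line `# --` comment above `capabilities:` such as `# -- Linux capabilities to drop from every container (names without the CAP_ prefix, see capabilities(7))` so helm-docs renders it and the line stays within lint limits. The `securityContext:` key that owns `runAsUser`/`runAsGroup` is the line before the hunk, so the pod-level block is only partly visible here.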