Support pod.spec.containers.securityContext specification

This PR attempts to close trinodb#116 Following the valeriano-manassero's implementation, https://github.com/valeriano-manassero/helm-charts/blob/6382a14272927a908bc006d0f1370ba9dffc821f/valeriano-manassero/trino/values.yaml#L467-L471 let me Support `pod.spec.containers.securityContext` specification
LittleWat · Mar 12, 2024 · dd5e3ed · dd5e3ed
1 parent 6b68924
commit dd5e3ed
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 0 deletions.
diff --git a/charts/trino/README.md b/charts/trino/README.md
@@ -77,6 +77,7 @@ The following table lists the configurable parameters of the Trino chart and the
 | `coordinator.annotations` | | `{}` |
 | `coordinator.labels` | | `{}` |
 | `coordinator.secretMounts` | | `[]` |
+| `coordinator.containerSecurityContext` | | `{}` |
 | `worker.jvm.maxHeapSize` | | `"8G"` |
 | `worker.jvm.gcMethod.type` | | `"UseG1GC"` |
 | `worker.jvm.gcMethod.g1.heapRegionSize` | | `"32M"` |
@@ -96,6 +97,7 @@ The following table lists the configurable parameters of the Trino chart and the
 | `worker.annotations` | | `{}` |
 | `worker.labels` | | `{}` |
 | `worker.secretMounts` | | `[]` |
+| `worker.containerSecurityContext` | | `{}` |
 | `kafka.mountPath` | | `"/etc/trino/schemas"` |
 | `kafka.tableDescriptions` | | `{}` |
 | `commonLabels` | Labels that get applied to every resource's metadata | `{}` |

diff --git a/charts/trino/templates/deployment-coordinator.yaml b/charts/trino/templates/deployment-coordinator.yaml
@@ -102,6 +102,8 @@ spec:
  - name: {{ .Chart.Name }}-coordinator
  image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
  imagePullPolicy: {{ .Values.image.pullPolicy }}
+ securityContext:
+ {{- toYaml .Values.containerSecurityContext | nindent 12 }}
  env:
  {{- toYaml .Values.env | nindent 12 }}
  envFrom:

diff --git a/charts/trino/templates/deployment-worker.yaml b/charts/trino/templates/deployment-worker.yaml
@@ -80,6 +80,8 @@ spec:
  - name: {{ .Chart.Name }}-worker
  image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
  imagePullPolicy: {{ .Values.image.pullPolicy }}
+ securityContext:
+ {{- toYaml .Values.containerSecurityContext | nindent 12 }}
  env:
  {{- toYaml .Values.env | nindent 12 }}
  envFrom:

diff --git a/charts/trino/values.yaml b/charts/trino/values.yaml
@@ -218,6 +218,13 @@ securityContext:
  runAsUser: 1000
  runAsGroup: 1000
 
+# -- SecurityContext configuration for containers
+containerSecurityContext:
+ allowPrivilegeEscalation: false # Controls whether a process can gain more privileges than its parent process. 
+ capabilities: 
+ drop: # Kernel capabilities that will be dropped from a pod
+ - ALL 
+
 shareProcessNamespace:
  coordinator: false
  worker: false