feat: Provide parameters per container for resources & security context

keda/README.md

@@ -84,7 +84,7 @@ their default values.
 | `logging.operator.format`                                  | Logging format for KEDA Operator. Allowed values are 'console' & 'json'. | `console`                                        |
 | `logging.operator.timeFormat`                              | Logging time format for KEDA Operator. Allowed values are 'epoch', 'millis', 'nano', or 'iso8601'. | `epoch` |
 | `logging.metricServer.level`                               | Logging level for Metrics Server.Policy to use to pull Docker images. Allowed values are '0' for info, '4' for debug, or an integer value greater than 0, specified as string | `0` |
-| `securityContext`                                          | Security context of the pod ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)) | `{}` |
+| `securityContext`                                          | Security context of the containers within pod. ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)) | `{}` |
 | `podSecurityContext`                                       | Pod security context of the pod ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)) | `{}` |
 | `resources`                                                | Manage resource request & limits of KEDA workload ([docs](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)) | `{}` |
 | `nodeSelector`                                             | Node selector for pod scheduling ([docs](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/)) | `{}` |

keda/templates/12-keda-deployment.yaml

@@ -40,11 +40,19 @@ spec:
       {{- end }}
       serviceAccountName: {{ .Values.serviceAccount.name }}
       securityContext:
+        {{- if .Values.podSecurityContext.operator }}
+        {{- toYaml .Values.podSecurityContext.operator | nindent 8 }}
+        {{- else }}
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
+        {{- end }}
       containers:
         - name: {{ .Values.operator.name }}
           securityContext:
+            {{- if .Values.securityContext.operator }}
+            {{- toYaml .Values.securityContext.operator | nindent 12 }}
+            {{- else }}
             {{- toYaml .Values.securityContext | nindent 12 }}
+            {{- end }}
           image: "{{ .Values.image.keda.repository }}:{{ .Values.image.keda.tag | default .Chart.AppVersion }}"
           command:
           - "/keda"
@@ -96,7 +104,11 @@ spec:
           {{- toYaml .Values.volumes.keda.extraVolumeMounts | nindent 12 }}
           {{- end }}
           resources:
+            {{- if .Values.resources.operator }}
+            {{- toYaml .Values.resources.operator | nindent 12 }}
+            {{- else }}
             {{- toYaml .Values.resources | nindent 12 }}
+            {{- end }}
       volumes:
       {{- if .Values.grpcTLSCertsSecret }}
       - name: grpc-certs

keda/templates/22-metrics-deployment.yaml

@@ -43,11 +43,19 @@ spec:
       {{- end }}
       serviceAccountName: {{ .Values.serviceAccount.name }}
       securityContext:
+        {{- if .Values.podSecurityContext.metricServer }}
+        {{- toYaml .Values.podSecurityContext.metricServer | nindent 8 }}
+        {{- else }}
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
+        {{- end }}
       containers:
         - name: {{ .Values.operator.name }}-metrics-apiserver
           securityContext:
+            {{- if .Values.securityContext.metricServer }}
+            {{- toYaml .Values.securityContext.metricServer | nindent 12 }}
+            {{- else }}
             {{- toYaml .Values.securityContext | nindent 12 }}
+            {{- end }}
           image: "{{ .Values.image.metricsApiServer.repository }}:{{ .Values.image.metricsApiServer.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           livenessProbe:
@@ -106,7 +114,11 @@ spec:
           {{- toYaml .Values.volumes.metricsApiServer.extraVolumeMounts | nindent 12 }}
           {{- end }}
           resources:
+            {{- if .Values.resources.metricServer }}
+            {{- toYaml .Values.resources.metricServer | nindent 12 }}
+            {{- else }}
             {{- toYaml .Values.resources | nindent 12 }}
+            {{- end }}
       volumes:
       {{- if .Values.grpcTLSCertsSecret }}
       - name: grpc-certs

keda/values.yaml

@@ -89,15 +89,21 @@ logging:
     level: 0
 
 podSecurityContext: {}
-  # fsGroup: 2000
+  # operator:
+  #   fsGroup: 2000
+  # metricServer:
+  #   fsGroup: 2000
 
 securityContext: {}
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
+  # operator:
+  #   allowPrivilegeEscalation: false
+  #   readOnlyRootFilesystem: true
+  #   runAsNonRoot: true
+  #   runAsUser: 1000
+  # metricServer:
+  #   allowPrivilegeEscalation: false
+  #   runAsNonRoot: true
+  #   runAsUser: 1000
 
 service:
   type: ClusterIP
@@ -113,13 +119,21 @@ service:
 # If you want to specify the resources (or totally remove the defaults), change or comment the following
 # lines, adjust them as necessary, or simply add the curly braces after 'operator' and/or 'metricServer'
 # and remove/comment the default values
-resources: 
-  limits:
-    cpu: 1
-    memory: 1000Mi
-  requests:
-    cpu: 100m
-    memory: 100Mi
+resources:
+  operator:
+    limits:
+      cpu: 1
+      memory: 1000Mi
+    requests:
+      cpu: 100m
+      memory: 100Mi
+  metricServer:
+    limits:
+      cpu: 1
+      memory: 1000Mi
+    requests:
+      cpu: 100m
+      memory: 100Mi
 
 nodeSelector: {}