
[trino] Supporting more variables for securityContext for pod and container level. #189

Closed · hafizmujadidKhalid opened this issue Sep 23, 2023 · 5 comments · Fixed by #190
Labels: enhancement (New feature or request)

Comments

hafizmujadidKhalid (Contributor) commented Sep 23, 2023

Is your feature request related to a problem?

Hey folks!

I am trying to deploy Trino using your provided Helm chart, but since our EKS cluster has some validations set, it fails to deploy. The failing validations are things like running as a non-root user and dropping all capabilities.

Describe the solution you'd like.

To fix it, I have to add the following securityContext for the container:

```yaml
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  runAsUser: 1000
```

and the following for the pod:

```yaml
securityContext:
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault
```

I want to support general securityContext settings inside the values.yaml file, and they should be reflected in the relevant deployments. I would have created a PR, but due to my limited knowledge of Helm templating I could not produce well-indented YAML.

Describe alternatives you've considered.

None. Our security team has these security and validation checks in place and is not willing to relax them. I have to deploy by rendering the template and modifying the actual YAML files.

Additional context.

No response

valeriano-manassero (Owner)

Can you please test the related chart in the PR?

I'd like to understand if these defaults are ok for your use case.

hafizmujadidKhalid (Contributor, Author) commented Sep 25, 2023

Hey @valeriano-manassero !

Thanks for the quick solution. I think the number of errors is reduced now, and the validations are failing only on init containers:

```yaml
disallow-capabilities-strict:
  autogen-require-drop-all: 'validation failure: Containers must drop `ALL` capabilities.'
disallow-privilege-escalation:
  autogen-privilege-escalation: 'validation error: Privilege escalation is disallowed.
    The fields spec.containers[*].securityContext.allowPrivilegeEscalation, spec.initContainers[*].securityContext.allowPrivilegeEscalation,
    and spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation must
    be set to `false`. rule autogen-privilege-escalation failed at path /spec/template/spec/containers/0/securityContext/'
validate-seccomp-location:
```
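The values.yaml keys and template wiring that the original request asks for, applied to init containers as well, since the policy output above checks `spec.initContainers[*]` alongside `spec.containers[*]`. This is an added example and is not the chart's own code or the change in PR #190; the key names `securityContext` / `containerSecurityContext`, the Deployment and container names, the init container and the images are all assumptions made for illustration.

```yaml
# Added example, not the chart's own files.
#
# values.yaml excerpt:
# pod-level context; rendered under spec.template.spec.securityContext
securityContext:
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault

# container-level context; rendered into every container AND every
# initContainer, because the admission policy checks spec.initContainers[*]
# and spec.ephemeralContainers[*], not only spec.containers[*]
containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  runAsUser: 1000

---
# templates/deployment-coordinator.yaml excerpt (Helm template, assumed layout).
# `toYaml | nindent N` emits the map on a fresh line indented by N spaces, so
# the rendered YAML is correctly indented no matter how the value is written.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: trino-coordinator          # assumed name
spec:
  template:
    spec:
      securityContext:
        {{- toYaml .Values.securityContext | nindent 8 }}
      initContainers:
        - name: init-config          # hypothetical init container
          image: busybox:1.36        # assumed image
          command: ["sh", "-c", "true"]
          securityContext:
            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
      containers:
        - name: trino-coordinator
          image: trinodb/trino       # assumed image
          securityContext:
            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
```

Render with `helm template <release> <chart-dir> -f values.yaml` and confirm that every entry under `containers` and `initContainers` in the output carries the block; a policy engine producing output like the one above flags each container that lacks it, so one missing `securityContext` on an init container is enough to fail the whole Deployment. Note that `runAsNonRoot: true` is enforced by the kubelet at container start: if the image declares a non-numeric `USER`, the kubelet cannot prove it is non-root and rejects the container unless `runAsUser` is set explicitly, which is why the container-level block keeps `runAsUser: 1000`.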

github-actions (bot)

This issue is stale because it has been open for 14 days with no activity.

github-actions bot added the stale label Oct 10, 2023
valeriano-manassero (Owner) commented Oct 10, 2023

@hafizmujadidKhalid securityContext should be set for all init containers afaik; can you please list the init containers with this problem and their generated YAML manifests?

hafizmujadidKhalid (Contributor, Author)

@valeriano-manassero!
I think containerSecurityContext is missing in the Coordinator container:
