diff --git a/CHANGELOG.md b/CHANGELOG.md index 7e14e2f57..5bb89bf48 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,7 @@ * add new helper method `add_fields_to` to directly add multiple fields to one event * refactored some processors to make use of the new helper methods * add `pre-commit` hooks to the repository, install new dev dependency and run `pre-commit install` in the root dir +* the default `securityContext`for the pod is now configurable ### Bugfix diff --git a/charts/logprep/Chart.yaml b/charts/logprep/Chart.yaml index 1fcd593ea..4a82df2fe 100644 --- a/charts/logprep/Chart.yaml +++ b/charts/logprep/Chart.yaml @@ -6,7 +6,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: "14.0.0" +version: "14.0.1" # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/charts/logprep/templates/deployment.yaml b/charts/logprep/templates/deployment.yaml index 486fb0b1a..f5be0bf5d 100644 --- a/charts/logprep/templates/deployment.yaml +++ b/charts/logprep/templates/deployment.yaml @@ -20,17 +20,18 @@ spec: annotations: {{ toYaml .Values.podAnnotations| nindent 8 }} spec: - securityContext: - fsGroup: {{ .Values.securityContext.runAsUser }} - runAsUser: {{ .Values.securityContext.runAsUser }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} imagePullSecrets: {{- if .Values.secrets.imagePullSecret }} - name: {{ .Values.secrets.imagePullSecret.name }} {{- end }} containers: - name: logprep - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} resources: {{- toYaml .Values.resources | nindent 12 }} image: {{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }} diff --git a/charts/logprep/values.yaml b/charts/logprep/values.yaml index 11a658444..8f7bd3b0c 100644 --- a/charts/logprep/values.yaml +++ b/charts/logprep/values.yaml @@ -18,14 +18,20 @@ resources: memory: "2Gi" cpu: "250m" -# The default security context for the pod -securityContext: - capabilities: - drop: - - ALL - runAsNonRoot: true +# if enabled: the default security context for the pod +podSecurityContext: + enabled: true + fsGroup: 1000 runAsUser: 1000 + +# if enabled: the default security context for the container +containerSecurityContext: + enabled: true + runAsNonRoot: true readOnlyRootFilesystem: true + capabilities: + drop: + - ALL # the image pull secret to use for the deployment # to mount extra secrets into the pod, use the extraVolumes and extraMounts fields diff --git a/tests/unit/charts/test_deployment.py b/tests/unit/charts/test_deployment.py index e004fff25..f9a4a9810 100644 --- a/tests/unit/charts/test_deployment.py +++ b/tests/unit/charts/test_deployment.py @@ -80,11 +80,24 @@ def test_security_context(self): assert security_context["runAsUser"] == 1000 assert security_context["fsGroup"] == 1000 security_context = self.deployment["spec.template.spec.containers.0.securityContext"] - assert security_context["runAsUser"] == 1000 assert security_context["capabilities"]["drop"] == ["ALL"] assert security_context["readOnlyRootFilesystem"] is True assert security_context["runAsNonRoot"] is True + def test_add_security_context(self): + self.manifests = self.render_chart( + "logprep", + { + "containerSecurityContext": {"allowPriviledgeEscalation": "false"}, + "podSecurityContext": {"supplementalGroups": [4000]}, + }, + ) + assert self.deployment["spec.template.spec.securityContext"] + security_context = self.deployment["spec.template.spec.securityContext"] + assert security_context["supplementalGroups"] == [4000] + security_context = self.deployment["spec.template.spec.containers.0.securityContext"] + assert security_context["allowPriviledgeEscalation"] == "false" + def test_resources(self): assert self.deployment["spec.template.spec.containers.0.resources"] resources = self.deployment["spec.template.spec.containers.0.resources"]