From 4d80664334cc6395c6c617cb3cdd3c0af297ede7 Mon Sep 17 00:00:00 2001
From: djkhl <49399649+djkhl@users.noreply.github.com>
Date: Fri, 22 Nov 2024 16:05:13 +0100
Subject: [PATCH] make pod security contex configurable (#711)

* add podSecurityContext and containerSecurityContext
---
 CHANGELOG.md | 1 +
 charts/logprep/Chart.yaml | 2 +-
 charts/logprep/templates/deployment.yaml | 11 ++++++-----
 charts/logprep/values.yaml | 18 ++++++++++++------
 tests/unit/charts/test_deployment.py | 15 ++++++++++++++-
 5 files changed, 34 insertions(+), 13 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7e14e2f57..5bb89bf48 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,6 +17,7 @@
 * add new helper method `add_fields_to` to directly add multiple fields to one event
 * refactored some processors to make use of the new helper methods
 * add `pre-commit` hooks to the repository, install new dev dependency and run `pre-commit install` in the root dir
+* the default `securityContext`for the pod is now configurable
 
 ### Bugfix
 
diff --git a/charts/logprep/Chart.yaml b/charts/logprep/Chart.yaml
index 1fcd593ea..4a82df2fe 100644
--- a/charts/logprep/Chart.yaml
+++ b/charts/logprep/Chart.yaml
@@ -6,7 +6,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: "14.0.0"
+version: "14.0.1"
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/charts/logprep/templates/deployment.yaml b/charts/logprep/templates/deployment.yaml
index 486fb0b1a..f5be0bf5d 100644
--- a/charts/logprep/templates/deployment.yaml
+++ b/charts/logprep/templates/deployment.yaml
@@ -20,17 +20,18 @@ spec:
       annotations: {{ toYaml .Values.podAnnotations| nindent 8 }}
     spec:
-      securityContext:
-        fsGroup: {{ .Values.securityContext.runAsUser }}
-        runAsUser: {{ .Values.securityContext.runAsUser }}
+      {{- if .Values.podSecurityContext.enabled }}
+      securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
       imagePullSecrets:
       {{- if .Values.secrets.imagePullSecret }}
         - name: {{ .Values.secrets.imagePullSecret.name }}
       {{- end }}
       containers:
         - name: logprep
-          securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
+          {{- if .Values.containerSecurityContext.enabled }}
+          securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
           image: {{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}
diff --git a/charts/logprep/values.yaml b/charts/logprep/values.yaml
index 11a658444..8f7bd3b0c 100644
--- a/charts/logprep/values.yaml
+++ b/charts/logprep/values.yaml
@@ -18,14 +18,20 @@ resources:
     memory: "2Gi"
     cpu: "250m"
 
-# The default security context for the pod
-securityContext:
-  capabilities:
-    drop:
-      - ALL
-  runAsNonRoot: true
+# if enabled: the default security context for the pod
+podSecurityContext:
+  enabled: true
+  fsGroup: 1000
   runAsUser: 1000
+
+# if enabled: the default security context for the container
+containerSecurityContext:
+  enabled: true
+  runAsNonRoot: true
   readOnlyRootFilesystem: true
+  capabilities:
+    drop:
+      - ALL
 
 # the image pull secret to use for the deployment
 # to mount extra secrets into the pod, use the extraVolumes and extraMounts fields
diff --git a/tests/unit/charts/test_deployment.py b/tests/unit/charts/test_deployment.py
index e004fff25..f9a4a9810 100644
--- a/tests/unit/charts/test_deployment.py
+++ b/tests/unit/charts/test_deployment.py
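Review bot: The new `{{- if .Values.podSecurityContext.enabled }}` and `{{- if .Values.containerSecurityContext.enabled }}` guards fail to render when a consumer disables a context the usual Helm way, by overriding the whole map with `null` (e.g. `--set podSecurityContext=null`): `.enabled` is then evaluated on a nil value and `helm template` aborts with a nil-pointer error instead of omitting the block. Guarding on the map first, `{{- if and .Values.podSecurityContext .Values.podSecurityContext.enabled }}` (and likewise for the container context), tolerates that override, since `and` short-circuits on current Helm/Go releases. Note also that disabling only the pod context drops `runAsUser: 1000` from the manifest while the container keeps `runAsNonRoot: true`, so the pod then starts only if the image's USER resolves to a numeric non-root UID — worth a one-line comment next to the guard. The enclosing `spec.template.spec` block starts before and continues after this hunk.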
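Review bot: The new `containerSecurityContext` default drops all capabilities and runs non-root but sets neither `allowPrivilegeEscalation: false` nor a seccomp profile, both of which the Kubernetes `restricted` Pod Security Standard requires, so a namespace enforcing that level would reject the chart's default pod. Because the context is now an opaque pass-through map, these defaults are the only place the chart can establish a secure baseline — add `allowPrivilegeEscalation: false` and `seccompProfile: {type: RuntimeDefault}` under `containerSecurityContext` (seccomp may alternatively go under `podSecurityContext`). The two `# if enabled: ...` comments should also say that `enabled` itself is stripped before rendering and every other key is emitted verbatim, since that is the contract users of these maps now depend on.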
@@ -80,11 +80,24 @@ def test_security_context(self):
         assert security_context["runAsUser"] == 1000
         assert security_context["fsGroup"] == 1000
         security_context = self.deployment["spec.template.spec.containers.0.securityContext"]
-        assert security_context["runAsUser"] == 1000
         assert security_context["capabilities"]["drop"] == ["ALL"]
         assert security_context["readOnlyRootFilesystem"] is True
         assert security_context["runAsNonRoot"] is True
 
+    def test_add_security_context(self):
+        self.manifests = self.render_chart(
+            "logprep",
+            {
+                "containerSecurityContext": {"allowPriviledgeEscalation": "false"},
+                "podSecurityContext": {"supplementalGroups": [4000]},
+            },
+        )
+        assert self.deployment["spec.template.spec.securityContext"]
+        security_context = self.deployment["spec.template.spec.securityContext"]
+        assert security_context["supplementalGroups"] == [4000]
+        security_context = self.deployment["spec.template.spec.containers.0.securityContext"]
+        assert security_context["allowPriviledgeEscalation"] == "false"
+
     def test_resources(self):
         assert self.deployment["spec.template.spec.containers.0.resources"]
         resources = self.deployment["spec.template.spec.containers.0.resources"]
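Review bot: The override in `test_add_security_context` misspells the Kubernetes field (`allowPriviledgeEscalation`) and passes the string `"false"`, so the test only proves that arbitrary keys are copied into the rendered `securityContext`; anyone copying this example into their values would get an unknown field that strict apply or server-side validation rejects, not disabled privilege escalation. Use the real field and a boolean, `"containerSecurityContext": {"allowPrivilegeEscalation": False},` and `assert security_context["allowPrivilegeEscalation"] is False`. The genuinely new template logic — stripping `enabled` via `omit` — is not asserted anywhere; `assert "enabled" not in security_context` after each lookup would pin it. The override also silently relies on Helm's map merge keeping the default `enabled: true`; an explicit `"enabled": True` in the test values would make that intent visible.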