Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(helm): setting container securityContext, automountServiceAccountToken, serviceAccountName #4216

Merged
merged 3 commits into from
Jan 7, 2025
Merged

feat(helm): setting container securityContext, automountServiceAccountToken, serviceAccountName #4216

merged 3 commits into from
Jan 7, 2025

Conversation

lukashankeln
Copy link
Contributor

We are applying some strict rules to the pods that we deploy in our cluster.
For example we enforce setting pod.spec.containers.securityContext.capabilities.drop[0].all

Currently we are only able to set pod.spec.securityContext via the helm chart.

Furthermore we are restricting automountServiceAccountToken and do not allow the default serviceAccount to be used.

Adding:

  • pod.spec.initContainers.securityContext
    • check-db-migrator-run
    • checkDbIsReady
  • pod.spec.containers.securityContext
    • db-migrator-install/upgrade
    • hub
    • tracker
  • serviceAccountName
    • db-migrator-install/upgrade
    • tracker
  • automountServiceAccountToken
    • db-migrator-install/upgrade

automountServiceAccountToken & serviceAccountName are beeing set to their respective defaults to not introduce a breaking change

@lukashankeln lukashankeln marked this pull request as ready for review January 7, 2025 06:37
tegioz
tegioz requested changes Jan 7, 2025
View reviewed changes
Copy link
Collaborator

@tegioz tegioz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your PR @lukashankeln 🙂

charts/artifact-hub/templates/tracker_cronjob.yaml Show resolved Hide resolved
charts/artifact-hub/templates/tracker_cronjob.yaml Show resolved Hide resolved
charts/artifact-hub/values.yaml Show resolved Hide resolved
@tegioz
Copy link
Collaborator

tegioz commented Jan 7, 2025

@lukashankeln could you also rebase from master and bump the chart version to 1.21.0-2? (otherwise the chart linter will complain) Thanks!

@lukashankeln lukashankeln force-pushed the feat/helm-security-options branch from 5a45772 to fa18206 Compare January 7, 2025 16:14
@lukashankeln
Copy link
Contributor Author

Good catch thank you.

  • Added the missing default values
  • while at it adapted the scanner template to also be able to set these values
  • rebased to current master

@lukashankeln lukashankeln requested a review from tegioz January 7, 2025 16:15
tegioz
tegioz approved these changes Jan 7, 2025
View reviewed changes
Copy link
Collaborator

@tegioz tegioz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @lukashankeln 👍

@tegioz tegioz merged commit c034fa4 into artifacthub:master Jan 7, 2025
14 checks passed
@tegioz
Copy link
Collaborator

tegioz commented Jan 7, 2025

Can you take a look at this warning @lukashankeln? I missed it during the review 😅 Thanks!

@lukashankeln lukashankeln deleted the feat/helm-security-options branch January 7, 2025 17:35
@lukashankeln
Copy link
Contributor Author

Confused the two different spec sections....

#4221

Thank you @tegioz

@tegioz
Copy link
Collaborator

tegioz commented Jan 7, 2025

No problem, thanks for the quick fix!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tegioz tegioz tegioz approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@lukashankeln @tegioz