From f32ff40dabe6f837c3512a6e8f0cd38a6568d014 Mon Sep 17 00:00:00 2001
From: David Young
Date: Wed, 21 Sep 2022 09:25:52 +1200
Subject: [PATCH] Add option to customize pod/containerSecurityContext

Signed-off-by: David Young
---
 charts/k-rail/Chart.yaml | 2 +-
 charts/k-rail/templates/deployment.yaml | 8 +++++++-
 charts/k-rail/values.yaml | 7 +++++++
 3 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/charts/k-rail/Chart.yaml b/charts/k-rail/Chart.yaml
index 61692f5..5900aaf 100644
--- a/charts/k-rail/Chart.yaml
+++ b/charts/k-rail/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 name: k-rail
 description: Kubernetes security tool for policy enforcement
 home: https://github.com/cruise-automation/k-rail
-version: v3.6.1
+version: v3.6.2
 maintainers:
 - name: cruise-automation
 url: https://cruise-automation.github.io/k-rail/
diff --git a/charts/k-rail/templates/deployment.yaml b/charts/k-rail/templates/deployment.yaml
index 55c2b57..912f7d2 100644
--- a/charts/k-rail/templates/deployment.yaml
+++ b/charts/k-rail/templates/deployment.yaml
@@ -83,6 +83,10 @@ spec:
 checksum/tls: {{ print $ca.Cert | sha256sum }}
 spec:
 serviceAccountName: k-rail
+ {{- with .Values.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 containers:
 - name: k-rail
 command: ["/k-rail", "-config=/config/config.yml", "-exemptions-path-glob=/exemptions/*.yml"]
@@ -100,8 +104,10 @@ spec:
 - name: exemptions
 mountPath: /exemptions
 readOnly: true
+ {{- with .Values.containerSecurityContext }}
 securityContext:
- readOnlyRootFilesystem: true
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 ports:
 - containerPort: 10250
 - containerPort: 8000
diff --git a/charts/k-rail/values.yaml b/charts/k-rail/values.yaml
index 30f6968..2fbaf6d 100644
--- a/charts/k-rail/values.yaml
+++ b/charts/k-rail/values.yaml
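Review bot: Wrapping the container `securityContext` in `{{- with .Values.containerSecurityContext }}` in the second deployment.yaml hunk makes the hardening removable by omission: Helm deletes a default key whose override is `null`, so a values file containing `containerSecurityContext: null` renders the k-rail container with no securityContext at all, and the `readOnlyRootFilesystem: true` this hunk removes from the template is silently lost rather than defaulted. For an admission webhook that is itself the cluster's policy enforcer, I would render the block unconditionally and merge operator values over a chart-owned baseline, e.g. `securityContext:` followed by `{{- toYaml (mergeOverwrite (dict "readOnlyRootFilesystem" true) (.Values.containerSecurityContext | default dict)) | nindent 12 }}`, so that relaxing the setting requires an explicit `readOnlyRootFilesystem: false`. The pod-level block in the preceding hunk has the same shape but introduces no regression, since the pod previously rendered no securityContext. The container spec this hunk edits begins and continues outside the hunk.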
@@ -23,6 +23,13 @@ tolerations: []
 affinity: {}
+## securityContext to apply to the pod
+podSecurityContext: {}
+
+## securityContext to apply to the container
+containerSecurityContext:
+ readOnlyRootFilesystem: true
+
 # Set to the value (in seconds) which the mutatingwebhook should use for a timeout
 # for slower clusters (or larger workloads) this may need to be increased
 webhookTimeout: 1
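Review bot: The new `containerSecurityContext` default is the chart's only container-level hardening, but the one-line comment above it does not say so, and nothing warns that overriding the key with `null` removes the securityContext entirely instead of falling back to the `readOnlyRootFilesystem: true` the template used to hard-code. Since k-rail runs as an admission webhook with cluster-wide policy authority, I would ship a small baseline rather than a single flag and state in the comment that the block is security-relevant; the two additions below are safe to apply as far as this patch shows, because the container only listens on 10250 and 8000, neither of which needs a capability. `runAsNonRoot: true` (and a pod-level `seccompProfile`) would be the next step, but whether the k-rail image runs as a non-root user is not visible here, so I have left them out.

```yaml
## securityContext to apply to the pod (e.g. seccompProfile, runAsNonRoot).
## Empty by default; the container baseline lives in containerSecurityContext.
podSecurityContext: {}

## securityContext to apply to the k-rail container. This is the chart's only
## container-level hardening: it replaces the readOnlyRootFilesystem setting
## that earlier chart versions hard-coded in the template. Overriding this key
## with null removes the securityContext entirely, so keep at least this baseline.
containerSecurityContext:
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL

# … unchanged: webhookTimeout comment and value …
```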