make pod security contex configurable (#711)

* add podSecurityContext and containerSecurityContext
fkie-cad · Nov 22, 2024 · 4d80664 · 4d80664
1 parent 56cf412
commit 4d80664
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 13 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -17,6 +17,7 @@
 * add new helper method `add_fields_to` to directly add multiple fields to one event
 * refactored some processors to make use of the new helper methods
 * add `pre-commit` hooks to the repository, install new dev dependency and run `pre-commit install` in the root dir
+* the default `securityContext`for the pod is now configurable
 
 ### Bugfix
 

diff --git a/charts/logprep/Chart.yaml b/charts/logprep/Chart.yaml
@@ -6,7 +6,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: "14.0.0"
+version: "14.0.1"
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/charts/logprep/templates/deployment.yaml b/charts/logprep/templates/deployment.yaml
@@ -20,17 +20,18 @@ spec:
       annotations:
         {{ toYaml .Values.podAnnotations| nindent 8 }}
     spec:
-      securityContext:
-        fsGroup: {{ .Values.securityContext.runAsUser }}
-        runAsUser: {{ .Values.securityContext.runAsUser }}
+      {{- if .Values.podSecurityContext.enabled }}
+      securityContext: {{- omit  .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
       imagePullSecrets:
         {{- if .Values.secrets.imagePullSecret }}
         - name: {{ .Values.secrets.imagePullSecret.name }}
         {{- end }}
       containers:
         - name: logprep
-          securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
+          {{- if .Values.containerSecurityContext.enabled }}
+          securityContext: {{- omit  .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
           image: {{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}

diff --git a/charts/logprep/values.yaml b/charts/logprep/values.yaml
@@ -18,14 +18,20 @@ resources:
     memory: "2Gi"
     cpu: "250m"
 
-# The default security context for the pod
-securityContext:
-  capabilities:
-    drop:
-      - ALL
-  runAsNonRoot: true
+# if enabled: the default security context for the pod
+podSecurityContext:
+  enabled: true
+  fsGroup: 1000
   runAsUser: 1000
+
+# if enabled: the default security context for the container 
+containerSecurityContext:
+  enabled: true
+  runAsNonRoot: true
   readOnlyRootFilesystem: true
+  capabilities:
+      drop:
+        - ALL
 
 # the image pull secret to use for the deployment
 # to mount extra secrets into the pod, use the extraVolumes and extraMounts fields

diff --git a/tests/unit/charts/test_deployment.py b/tests/unit/charts/test_deployment.py
@@ -80,11 +80,24 @@ def test_security_context(self):
         assert security_context["runAsUser"] == 1000
         assert security_context["fsGroup"] == 1000
         security_context = self.deployment["spec.template.spec.containers.0.securityContext"]
-        assert security_context["runAsUser"] == 1000
         assert security_context["capabilities"]["drop"] == ["ALL"]
         assert security_context["readOnlyRootFilesystem"] is True
         assert security_context["runAsNonRoot"] is True
 
+    def test_add_security_context(self):
+        self.manifests = self.render_chart(
+            "logprep",
+            {
+                "containerSecurityContext": {"allowPriviledgeEscalation": "false"},
+                "podSecurityContext": {"supplementalGroups": [4000]},
+            },
+        )
+        assert self.deployment["spec.template.spec.securityContext"]
+        security_context = self.deployment["spec.template.spec.securityContext"]
+        assert security_context["supplementalGroups"] == [4000]
+        security_context = self.deployment["spec.template.spec.containers.0.securityContext"]
+        assert security_context["allowPriviledgeEscalation"] == "false"
+
     def test_resources(self):
         assert self.deployment["spec.template.spec.containers.0.resources"]
         resources = self.deployment["spec.template.spec.containers.0.resources"]