feat: make privilege levels selectable in values file

chart/templates/_helpers.tpl

@@ -57,3 +57,21 @@ Image Name
 {{- define "canary-checker.imageString" -}}
 {{ .Values.image.repository }}{{- if eq (lower .Values.image.type) "full" }}-full{{- end }}:{{ .Values.image.tag }} 
 {{- end }}
+
+{{/*
+Container Security Context
+*/}}
+{{- define "canary-checker.containerSecurityContext" -}}
+allowPrivilegeEscalation: {{- if eq ( lower .Values.privilegeMode ) "privileged" }}true{{- else }}false{{- end }}
+{{- if has ( lower .Values.privilegeMode) ( list "privileged" "root" ) }}
+runAsUser: 0
+runAsGroup: 0
+fsGroup: 0
+{{- if eq ( lower .Values.privilegeMode ) "privileged" }}
+capabilities:
+  add:
+    - CAP_NET_RAW
+{{- end }}
+{{- end }}
+{{- end }}
+

chart/templates/deployment.yaml

@@ -6,21 +6,18 @@ kind: Deployment
 {{- end }}
 metadata:
   name: {{ include "canary-checker.name" . }}
-  labels:
-    {{- include "canary-checker.labels" . | nindent 4 }}
+  labels: {{- include "canary-checker.labels" . | nindent 4 }}
 spec:
   replicas: {{ .Values.replicas }}
   selector:
-    matchLabels:
-      {{- include "canary-checker.selectorLabels" . | nindent 6 }}
+    matchLabels: {{- include "canary-checker.selectorLabels" . | nindent 6 }}
   {{- if eq .Values.db.external.enabled false }}
   {{- if eq .Values.db.embedded.persist true }}
   serviceName: {{ include "canary-checker.fullname" . }}
   volumeClaimTemplates:
     - metadata:
         name: canarychecker-database
-        labels:
-          {{- include "canary-checker.labels" . | nindent 10 }}
+        labels: {{- include "canary-checker.labels" . | nindent 10 }}
       spec:
         storageClassName: {{ .Values.db.embedded.storageClass }}
         accessModes: ["ReadWriteOnce"]
@@ -31,8 +28,7 @@ spec:
   {{- end }}
   template:
     metadata:
-      labels:
-        {{- include "canary-checker.selectorLabels" . | nindent 8 }}
+      labels: {{- include "canary-checker.selectorLabels" . | nindent 8 }}
     spec:
       serviceAccountName: {{ include "canary-checker.fullname" . }}-sa
       volumes:
@@ -58,15 +54,9 @@ spec:
               - path: "labels"
                 fieldRef:
                   fieldPath: metadata.labels
-      securityContext:
-        fsGroup: 1000
       containers:
         - name: {{ include "canary-checker.name" . }}
-          securityContext:
-            allowPrivilegeEscalation: {{.Values.allowPrivilegeEscalation}}
-            capabilities:
-              add:
-                - CAP_NET_RAW
+          securityContext: {{- include "canary-checker.containerSecurityContext" . | nindent 12 }}
           image: {{ include "canary-checker.imageString" . }}
           imagePullPolicy: "{{ .Values.image.pullPolicy }}"
           env:
@@ -109,8 +99,7 @@ spec:
             - "8080"
             - --disable-postgrest={{ .Values.disablePostgrest }}
             - --db-migrations={{ .Values.db.runMigrations }}
-          resources:
-            {{- toYaml .Values.resources | nindent 12 }}
+          resources: {{- toYaml .Values.resources | nindent 12 }}
           livenessProbe:
             httpGet:
               path: /health
@@ -120,5 +109,5 @@ spec:
               path: /health
               port: 8080
       {{- with .Values.extra }}
-      {{- toYaml . | nindent 6 }}
+      {{- toYaml . | indent 6 }}
       {{- end }}

chart/values.yaml

@@ -23,6 +23,12 @@ disablePostgrest: false
 debug: false
 logLevel: "-v"
 
+## Options: unprivileged | root | privileged
+## unprivileged: runs as noot root user, cannot escalate permissions
+## root: runs as root user, cannot escalate permissions.  Required to run ping checks
+## privileged: runs as root user, may escalate CAP_NET_RAW.  Required to run docker and container checks
+privilegeMode: unprivileged
+
 db:
   runMigrations: false
   embedded: