Make SecurityContext configurable for webhook jobs

[chrislusf]

Summary

Fixes #165

Add configurable podSecurityContext and securityContext for webhook certificate jobs to support clusters with restrictive PodSecurity policies.

Changes

• Add webhook.podSecurityContext and webhook.securityContext to values.yaml
• Update job template to use configurable security contexts for all three webhook jobs
• Update webhookWaitInitContainer helper to include security context for init containers

Default Values

Default values are compliant with PodSecurity restricted profile:

webhook:
  podSecurityContext:
    runAsNonRoot: true
    runAsUser: 65532
    fsGroup: 65532
    seccompProfile:
      type: RuntimeDefault
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
      - ALL
    readOnlyRootFilesystem: true
    runAsNonRoot: true

Testing

Verified templates render correctly with helm template command.

Summary by CodeRabbit

• New Features
  • Added optional security context configuration for webhook components in Helm deployments
  • Webhook init container now supports pod security context settings including user privileges, filesystem groups, and seccomp profiles
  • Container-level security settings now configurable with privilege escalation controls, capability restrictions, read-only filesystem options, and runtime user configuration

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Warning

Rate limit exceeded

@chrislusf has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 8 minutes and 36 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 8eee545 and 76fe3ce.

📒 Files selected for processing (4)

• .github/workflows/helm_chart_release.yml (2 hunks)
• deploy/helm/templates/_helpers.tpl (1 hunks)
• deploy/helm/templates/webhook/job-update-webhook-certificates.yaml (3 hunks)
• deploy/helm/values.yaml (1 hunks)

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

These changes add optional security context configuration to Helm templates for the webhook component. Security context blocks are conditionally rendered at pod and container levels in the webhook job template, with corresponding default values introduced in the Helm values file for init container and job container configurations.

Changes

Cohort / File(s)	Summary
Webhook job security context support deploy/helm/templates/webhook/job-update-webhook-certificates.yaml	Added conditional rendering blocks to apply podSecurityContext at the job level and securityContext for the certgen container, driven by .Values.webhook.podSecurityContext and .Values.webhook.securityContext
Init container security context support deploy/helm/templates/_helpers.tpl	Added optional securityContext rendering for the webhook init container, conditionally applying values from webhook.securityContext when provided
Security context configuration values deploy/helm/values.yaml	Introduced webhook.initContainer.podSecurityContext (with runAsNonRoot, runAsUser, fsGroup, seccompProfile.type) and webhook.initContainer.securityContext (with allowPrivilegeEscalation, capabilities.drop, readOnlyRootFilesystem, runAsNonRoot)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Verify YAML indentation and syntax consistency across template files
• Confirm security context values comply with Kubernetes restricted pod security policy requirements (as noted in the linked issue)
• Ensure the conditional rendering logic (toYaml and if statements) properly handles cases when values are absent

Possibly related PRs

• Replaced the webhook readiness init container logic to use curl #160: Modifies the Helm webhook init-container template and values configuration for webhook runtime behavior
• Conditionally create webhook-related resources #158: Updates the webhook job template with conditional resource wrapping based on .Values.webhook.enabled

Poem

🐰 A rabbit hops through YAML fields so bright,
Adding security contexts left and right,
With podSecurityContext in place,
The webhooks run at a safer pace! 🔒

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Make SecurityContext configurable for webhook jobs' clearly and specifically describes the main change: adding configurable security context settings to webhook jobs.
Linked Issues check	✅ Passed	The PR fully implements the requirements from issue #165: adds configurable webhook.podSecurityContext and webhook.securityContext fields to values.yaml, updates webhook job templates to apply these contexts, and includes PodSecurity restricted-compliant defaults.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to making webhook job security contexts configurable; no unrelated modifications are present.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @chrislusf, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the Helm chart for the webhook component by making its podSecurityContext and securityContext configurable. This addresses the need for the operator to function correctly in Kubernetes environments that enforce strict PodSecurity policies, ensuring that the webhook certificate jobs adhere to security best practices and cluster requirements.

Highlights

• Configurable Security Contexts: Introduced configurable podSecurityContext and securityContext for webhook certificate jobs.
• PodSecurity Policy Compliance: The changes enable support for Kubernetes clusters with restrictive PodSecurity policies by allowing customization of security settings.
• Default Security Settings: Added default podSecurityContext and securityContext values to values.yaml that are compliant with the restricted PodSecurity profile.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[chrislusf]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces configurable security contexts for the webhook jobs, which is an excellent enhancement for clusters with restrictive Pod Security Policies. The implementation is clean, using Helm helpers to avoid code duplication in the job templates. The default values provided are sensible and align with the restricted Pod Security Standard, improving the security posture of the chart out of the box. The changes are applied consistently to all three webhook jobs, including the init containers. Overall, this is a well-executed and valuable contribution.