fixed based on cr

Author: yairsappir

wiz-outpost-lite/templates/_helpers.tpl

@@ -66,11 +66,23 @@ wiz.io/runner: {{ .runner | quote }}
 {{- $runner = $runner | kebabcase }}
 {{- $runnerID := get $values "runnerID" | default $runner }}
 
+{{/* Get module type based on runner name - using a variable since we can't define a template inside another template */}}
+{{- $moduleType := "" }}
+{{- if hasPrefix "remediation-" $runner -}}
+  {{- $moduleType = "remediation" }}
+{{- else if eq $runner "container-registry" -}}
+  {{- $moduleType = "container-registry" }}
+{{- else if hasPrefix "vcs-" $runner -}}
+  {{- $moduleType = "vcs" }}
+{{- else -}}
+  {{- fail (printf "Invalid runner name: %s. Runner name must start with 'remediation-', 'vcs-', or be 'container-registry'" $runner) -}}
+{{- end }}
+
 {{/* e.g. remediation-aws-rds-003 -> outpost-lite-runner-remediation
 container-registry -> outpost-lite-runner-container-registry
 */}}
 {{- $imageName := "" }}
-{{- if hasPrefix "remediation" $runner }}
+{{- if eq $moduleType "remediation" }}
   {{- $imageName = "outpost-lite-runner-remediation" }}
 {{- else }}
   {{- $imageName = dig "image" "name" (printf "outpost-lite-runner-%s" $runner) $values }}
@@ -79,6 +91,9 @@ container-registry -> outpost-lite-runner-container-registry
 {{- $values = deepCopy $values }}
 {{- $values = merge $values (dict "image" (dict "name" $imageName)) }}
 
+{{/* Unify with module specific values */}}
+{{- $values = merge $values (index $.Values.modules $moduleType) }}
+
 {{/* Unify with global .Values to be used inside a "with" statement */}}
 {{- $values = dict "runner" $runner "runnerID" $runnerID "Values" (merge $values (omit $.Values "runners")) -}}
 {{- $runnerValues = set $runnerValues $runner $values }}

wiz-outpost-lite/templates/deployment.yaml

@@ -28,6 +28,14 @@ spec:
       {{- if .Values.serviceAccount.create }}
       serviceAccountName: sa-{{ .runner }}
       {{- end }}
+      {{- if or (hasKey .Values "podSecurityContext") (hasKey .Values "podSecurityContextOverride") }}
+      securityContext:
+        {{- if hasKey .Values "podSecurityContextOverride"}}
+        {{- toYaml .Values.podSecurityContextOverride | nindent 8 }}
+        {{- else }}
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+        {{- end }}
+      {{- end }}
       restartPolicy: Always
       {{- if .Values.affinity }}
       affinity:
@@ -142,12 +150,14 @@ spec:
           {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+          {{- if or (hasKey .Values "containerSecurityContext") (hasKey .Values "containerSecurityContextOverride") }}
           securityContext:
-            capabilities:
-              add:
-              - SYS_ADMIN
-            seLinuxOptions:
-              type: spc_t
+            {{- if hasKey .Values "containerSecurityContextOverride"}}
+            {{- toYaml .Values.containerSecurityContextOverride | nindent 12 }}
+            {{- else }}
+            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+            {{- end }}
+          {{- end}}
           volumeMounts:
             - mountPath: /var/wiz
               name: working-dir

wiz-outpost-lite/values.yaml

@@ -72,7 +72,41 @@ httpProxyConfiguration:
 terminationGracePeriodSeconds: 30
 
 serviceAccount:
-    create: false
+  create: false
+
+modules:
+  vcs:
+    containerSecurityContext:
+      capabilities:
+        add:
+        - SYS_ADMIN
+      seLinuxOptions:
+        type: spc_t
+  container-registry:
+    containerSecurityContext:
+      capabilities:
+        add:
+        - SYS_ADMIN
+      seLinuxOptions:
+        type: spc_t
+  remediation:
+    podSecurityContext:
+      runAsNonRoot: true
+      runAsUser: 1000
+      runAsGroup: 1000
+      fsGroup: 1000
+    containerSecurityContext:
+      capabilities:
+        drop:
+        - ALL
+      runAsNonRoot: true
+      runAsUser: 1000
+      runAsGroup: 1000
+      allowPrivilegeEscalation: false
+      privileged: false
+      readOnlyRootFilesystem: true
+      seLinuxOptions:
+        type: container_t
 
 runners:
   container-registry: