diff --git a/frontend/Chart.yaml b/frontend/Chart.yaml
index e43e5b82..8cf71f15 100644
--- a/frontend/Chart.yaml
+++ b/frontend/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: frontend
-version: 1.15.0
+version: 1.16.0
 dependencies:
 - name: mariadb
 version: 7.10.x
diff --git a/frontend/templates/services-deployment.yaml b/frontend/templates/services-deployment.yaml
index 78d09165..66e66c8a 100644
--- a/frontend/templates/services-deployment.yaml
+++ b/frontend/templates/services-deployment.yaml
@@ -29,13 +29,17 @@ spec:
 # We use a checksum to redeploy the pods when the configMap changes.
 configMap-checksum: {{ include (print $.Template.BasePath "/configmap.yaml") $ | sha256sum }}
 spec:
+ {{- if $service.podSecurityContext }}
+ securityContext:
+ {{- toYaml $service.podSecurityContext | nindent 8 }}
+ {{- end }}
 enableServiceLinks: false
 containers:
 - name: {{ $index }}
 image: {{ $service.image | quote }}
- {{- if $service.securityContext }}
+ {{- if $service.containerSecurityContext }}
 securityContext:
- {{- toYaml $service.securityContext | nindent 10 }}
+ {{- toYaml $service.containerSecurityContext | nindent 10 }}
 {{- end }}
 ports:
 - containerPort: {{ default $.Values.serviceDefaults.port $service.port }}
diff --git a/frontend/values.schema.json b/frontend/values.schema.json
index dbd7dc36..d9e2ffe4 100644
--- a/frontend/values.schema.json
+++ b/frontend/values.schema.json
@@ -321,7 +321,7 @@
 "type": "object",
 "additionalProperties": { "type": "string" }
 },
- "securityContext": {
+ "containerSecurityContext": {
 "type": "object",
 "additionalProperties": false,
 "properties": {
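Review bot: Renaming the values key from `securityContext` to `containerSecurityContext` in the services-deployment.yaml hunk means a values file that still sets `services.<name>.securityContext` now renders a container with no securityContext at all, and nothing in the template signals that the hardening was dropped; whether `helm install` rejects the old key depends on the parent object's `additionalProperties` setting in values.schema.json, which is outside this hunk. I would make the rename fail loudly next to the new `containerSecurityContext` block, e.g. `{{- if $service.securityContext }}{{- fail (printf "services.%s.securityContext was renamed to containerSecurityContext" $index) }}{{- end }}`, using `$index` as the service name the way the container name line already does. A breaking values rename would also usually warrant a major rather than minor bump of Chart.yaml's version. The enclosing range over services starts and ends outside the hunk.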
@@ -378,6 +378,64 @@
 }
 }
 }
+ },
+ "podSecurityContext": {
+ "type": "object",
+ "additionalProperties": true,
+ "properties": {
+ "allowPrivilegeEscalation": { "type": "boolean" },
+ "readOnlyRootFilesystem": { "type": "boolean" },
+ "runAsNonRoot": { "type": "boolean" },
+ "runAsUser": { "type": "integer" },
+ "runAsGroup": { "type": "integer" },
+ "fsGroup": { "type": "integer" },
+ "privileged": { "type": "boolean" },
+ "procMount": { "type": "string" },
+ "capabilities": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "add": {
+ "type": "array",
+ "items": { "type": "string" }
+ },
+ "drop": {
+ "type": "array",
+ "items": { "type": "string" }
+ }
+ }
+ },
+ "seccompProfile": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "type": { "type": "string" },
+ "localhostProfile": { "type": "string" }
+ }
+ },
+ "seLinuxOptions": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "level": { "type": "string" },
+ "role": { "type": "string" },
+ "type": { "type": "string" },
+ "user": { "type": "string" }
+ }
+ },
+ "sysctls": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "name": { "type": "string" },
+ "value": { "type": "string" }
+ },
+ "required": ["name", "value"]
+ }
+ }
+ }
 }
 }
 }
diff --git a/frontend/values.yaml b/frontend/values.yaml
index 270c510f..d8fabf76 100644
--- a/frontend/values.yaml
+++ b/frontend/values.yaml
@@ -228,8 +228,10 @@ services: {}
 # mounts:
 # - files
 #
- # # Security context settings for this service
- # securityContext: {}
+ # # Pod level security context settings for this service
+ # podSecurityContext: {}
+ # # Container level security context settings
+ # containerSecurityContext: {}
 # # Enable autoscaling using HorizontalPodAutoscaler
 # # see: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/
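Review bot: The new `podSecurityContext` schema is a copy of the container-level one and accepts fields that do not exist on a Kubernetes PodSecurityContext (`allowPrivilegeEscalation`, `readOnlyRootFilesystem`, `privileged`, `procMount`, `capabilities`); a value such as `podSecurityContext.allowPrivilegeEscalation: false` passes validation and is rendered into the pod spec by the template, where the API server either rejects the manifest or, depending on its field-validation mode, drops the field with at most a warning, so the operator believes a control is applied that is not. It also sets `"additionalProperties": true` where the `containerSecurityContext` schema in the earlier hunk uses `false`, so misspelled keys are not caught either. I would remove those five container-only properties, change the line to `"additionalProperties": false,`, and add the pod-level fields that are missing, e.g. `"supplementalGroups": { "type": "array", "items": { "type": "integer" } }` and `"fsGroupChangePolicy": { "type": "string" }`. The runAs*, fsGroup, seccompProfile, seLinuxOptions and sysctls entries are valid at pod level and can stay as written.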