fix(app): allow to override securityContext

packages/kontinuous/tests/__snapshots__/app-simple-options.dev.yaml

@@ -700,6 +700,11 @@ spec:
       annotations:
         kontinuous/deployment: test-app-simple-options-feature-branch-1-ffac537e6cbb-ze31pkw6
     spec:
+      securityContext:
+        fsGroup: 26
+        runAsGroup: 26
+        runAsNonRoot: true
+        runAsUser: 26
       affinity:
         podAntiAffinity:
           preferredDuringSchedulingIgnoredDuringExecution:
@@ -722,6 +727,8 @@ spec:
             claimName: docs
       containers:
         - image: harbor.fabrique.social.gouv.fr/test-app-simple-options/app:sha-ffac537e6cbbf934b08745a378932722df287a53
+          securityContext:
+            allowPrivilegeEscalation: false
           name: app
           ports:
             - containerPort: 3000

packages/kontinuous/tests/__snapshots__/app-simple-options.prod.yaml

@@ -132,6 +132,11 @@ spec:
       annotations:
         kontinuous/deployment: test-app-simple-options-feature-branch-1-ffac537e6cbb-ze31pkw6
     spec:
+      securityContext:
+        fsGroup: 26
+        runAsGroup: 26
+        runAsNonRoot: true
+        runAsUser: 26
       affinity:
         podAntiAffinity:
           preferredDuringSchedulingIgnoredDuringExecution:
@@ -154,6 +159,8 @@ spec:
             claimName: docs
       containers:
         - image: harbor.fabrique.social.gouv.fr/test-app-simple-options/app:prod
+          securityContext:
+            allowPrivilegeEscalation: false
           name: app
           ports:
             - containerPort: 3000

packages/kontinuous/tests/samples/app-simple-options/values.yaml

@@ -13,3 +13,8 @@ app:
     requests:
       cpu: 1
       memory: 10Mi
+  securityContext:
+    fsGroup: 26
+    runAsGroup: 26
+    runAsNonRoot: true
+    runAsUser: 26

plugins/contrib/charts/app/kontinuous.values.schema.json

@@ -126,6 +126,10 @@
     "startupProbe": {
       "$ref": "https://raw.githubusercontent.com/ad-m/kubernetes-json-schema/master/master-standalone-strict/_definitions.json#/definitions/io.k8s.api.core.v1.Probe",
       "description": "StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes"
+    },
+    "securityContext": {
+      "$ref": "https://raw.githubusercontent.com/ad-m/kubernetes-json-schema/master/master-standalone-strict/_definitions.json#/definitions/io.k8s.api.core.v1.PodSecurityContext",
+      "description": "Setup your securityContext to reduce security risks, see https://kubernetes.io/docs/tasks/configure-pod-container/security-context/"
     }
   }
 }

plugins/contrib/charts/app/templates/deployment.yaml

@@ -21,6 +21,10 @@ spec:
         application: {{ .Values.global.repositoryName }}
         namespace: {{ or .Values.namespace .Values.global.namespace }}
     spec:
+      {{- if .Values.securityContext }}
+      securityContext:
+        {{- tpl (.Values.securityContext | toYaml) . | nindent 8 }}
+      {{- end }}
       affinity:
         {{- include "contrib-helpers.anti-affinity" . | nindent 8}}
       initContainers:
@@ -42,6 +46,10 @@ spec:
           {{- else }}
           image: "{{ or .Values.registry .Values.global.registry }}{{ if (or .Values.imageProject .Values.global.imageProject) }}{{ (print "/" (or .Values.imageProject .Values.global.imageProject)) }}{{ end }}{{ if (or .Values.imageRepository .Values.global.imageRepository) }}{{ (print "/" (or .Values.imageRepository .Values.global.imageRepository)) }}{{ end }}{{ if .Values.imagePackage }}{{ (print "/" .Values.imagePackage) }}{{ end }}:{{ or .Values.imageTag .Values.global.imageTag }}"
           {{- end }}
+          {{- if .Values.securityContext }}
+          securityContext:
+            allowPrivilegeEscalation: false
+          {{- end }}
           {{- if .Values.entrypoint }}
           command:
             {{- tpl (.Values.entrypoint | toYaml) $ | nindent 12 }}

plugins/contrib/charts/app/values.yaml

@@ -12,7 +12,7 @@ ttl:
 rancherProjectId:
 isProd: false
 isPreProd: false
-replicas: 
+replicas:
 containerPort: 3000
 servicePort: 80
 env: []
@@ -22,14 +22,14 @@ probesPath: /index.html
 livenessProbe:
 readinessProbe:
 startupProbe:
-lifecycle: 
+lifecycle:
 resources:
   limits:
-    cpu: 
+    cpu:
     memory:
   requests:
-    cpu: 
-    memory: 
+    cpu:
+    memory:
 autoscale:
   enabled: false
   minReplicas: 2
@@ -52,8 +52,14 @@ ingress:
 entrypoint:
 args: []
 antiAffinity:
-  enabled: 
-onChangedPaths: 
-onChangedAnnotate: 
-onChangedNeeds: 
-strategyType: RollingUpdate
+  enabled:
+onChangedPaths:
+onChangedAnnotate:
+onChangedNeeds:
+strategyType: RollingUpdate
+# https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.17.2/_definitions.json#/definitions/io.k8s.api.core.v1.PodSecurityContext
+securityContext:
+#   fsGroup: 26
+#   runAsGroup: 26
+#   runAsNonRoot: true
+#   runAsUser: 26