Helm chart: container securityContext

Make the kubernetes securityContext configurable on the container level (in addition to the already configurable securityContext on the pod level). Fixes: vernemq#375
hsudbrock · Feb 21, 2024 · fb27023 · fb27023
1 parent e7db710
commit fb27023
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 1 deletion.
diff --git a/helm/vernemq/templates/statefulset.yaml b/helm/vernemq/templates/statefulset.yaml
@@ -31,7 +31,7 @@ spec:
         app.kubernetes.io/instance: {{ .Release.Name }}
       {{- if .Values.statefulset.podLabels }}
         {{ toYaml .Values.statefulset.podLabels | nindent 8 }}
-      {{- end }}        
+      {{- end }}
       {{- with .Values.statefulset.podAnnotations }}
       annotations:
         {{ toYaml . | nindent 8 }}
@@ -147,6 +147,10 @@ spec:
           lifecycle:
             {{- toYaml . | nindent 12 }}
           {{- end }}
+          {{- with .Values.containerSecurityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
     {{- with .Values.nodeSelector }}
       nodeSelector:
         {{ toYaml . | nindent 8 }}

diff --git a/helm/vernemq/values.yaml b/helm/vernemq/values.yaml
@@ -120,11 +120,17 @@ tolerations: []
 ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
 podAntiAffinity: soft
 
+# Security context (for the pods)
 securityContext:
   runAsUser: 10000
   runAsGroup: 10000
   fsGroup: 10000
 
+# Security context (for the containers, uncomment if needed; default is no specific container-level security context)
+# containerSecurityContext:
+  # privileged: ...
+  # ...
+
 ## If RBAC is enabled on the cluster,VerneMQ needs a service account
 ## with permissisions sufficient to list pods
 rbac: