diff --git a/helm/flowforge/README.md b/helm/flowforge/README.md
index 95340be9..701b619b 100644
--- a/helm/flowforge/README.md
+++ b/helm/flowforge/README.md
@@ -43,6 +43,7 @@ If using an external PostgreSQL Database you will need to create the database an
 - `forge.branding` Object holding branding inserts (default not set)
 - `forge.projectDeploymentTolerations` tolerations settings for Project instances. Default is `[]`.
 - `forge.clusterRole.name` custom name for the ClusterRole (default `create-pod`)
+ - `forge.podSecurityContext` allows to configure [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for the core application pod
 
 note: `forge.projectSelector` and `forge.managementSelector` defaults mean that you must have at least 2 nodes in your cluster and they need to be labeled before installing.
 
@@ -75,6 +76,7 @@ To use STMP to send email
 - `forge.broker.url` URL to access the broker from inside the cluster (default `mqtt://flowforge-broker.[namespace]:1883`)
 - `forge.broker.public_url` URL to access the broker from outside the cluster (default `ws://mqtt.[forge.domain]`, uses `wss://` if `forge.https` is `true`)
 - `forge.broker.affinity` allows to configure [affinity or anti-affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) for the broker pod
+ - `forge.broker.podSecurityContext` allows to configure [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for the broker pod
 
 ### Telemetry
 
@@ -122,6 +124,7 @@ Enables FlowForge Telemetry
 - `forge.fileStore.context.type` Choice of backends for Persistent Context `sequelize`
 - `forge.fileStore.context.options` Options to pass to Persistent Context Driver (See [file-server](https://github.com/flowforge/flowforge-file-server) for details)
 - `forge.fileStore.context.quota` Sets the maximum number of bytes that a project can store in Persistent Context (default `1048576`)
+- `forge.fileStore.podSecurityContext` allows to configure [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for the flowforge-file pod
 
 ### Private Certificate Authority
 
diff --git a/helm/flowforge/templates/broker.yaml b/helm/flowforge/templates/broker.yaml
index 349889aa..998c1835 100644
--- a/helm/flowforge/templates/broker.yaml
+++ b/helm/flowforge/templates/broker.yaml
@@ -60,9 +60,7 @@ spec:
         app: flowforge-broker
     spec:
       securityContext:
-        runAsUser: 1000
-        runAsGroup: 1000
-        fsGroup: 1000
+        {{- toYaml .Values.forge.broker.podSecurityContext | nindent 8 }}
       containers:
         - name: broker
           image: iegomez/mosquitto-go-auth
diff --git a/helm/flowforge/templates/deployment.yaml b/helm/flowforge/templates/deployment.yaml
index 6da28bd3..59b55f86 100644
--- a/helm/flowforge/templates/deployment.yaml
+++ b/helm/flowforge/templates/deployment.yaml
@@ -22,9 +22,7 @@ spec:
     spec:
       serviceAccountName: flowforge
       securityContext:
-        runAsUser: 1000
-        runAsGroup: 1000
-        fsGroup: 1000
+        {{- toYaml .Values.forge.podSecurityContext | nindent 8 }}
       containers:
         - name: forge
           {{- if .Values.forge.image }}
diff --git a/helm/flowforge/templates/file-storage.yml b/helm/flowforge/templates/file-storage.yml
index da233a7a..760e3535 100644
--- a/helm/flowforge/templates/file-storage.yml
+++ b/helm/flowforge/templates/file-storage.yml
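Review bot: With the three literal `runAsUser`/`runAsGroup`/`fsGroup: 1000` lines dropped, the pod `securityContext` in broker.yaml is whatever `.Values.forge.broker.podSecurityContext` happens to contain, so an operator override of `podSecurityContext: {}` (or `null`, which `toYaml` presumably renders as the literal `null`) removes every pod-level constraint and the container runs as the image's default user; deployment.yaml and file-storage.yml in this commit have the same shape and the same observation applies. If the previous non-root defaults were meant as a floor rather than a starting point, one fixed line above the templated block keeps that intent independent of values overrides: `securityContext:` / `  runAsNonRoot: true` / `  {{- toYaml .Values.forge.broker.podSecurityContext | nindent 8 }}` (and `runAsNonRoot` is then left out of the schema to avoid a duplicate key). Either way a template comment such as `# pod-level securityContext is fully operator-controlled via forge.broker.podSecurityContext` would make the new behaviour explicit to the next maintainer.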
@@ -61,9 +61,7 @@ spec:
         app: flowforge-file
     spec:
      securityContext:
-        runAsUser: 1000
-        runAsGroup: 1000
-        fsGroup: 1000
+        {{- toYaml .Values.forge.fileStore.podSecurityContext | nindent 8 }}
      containers:
        - name: file-storage
          image: {{ .Values.forge.registry }}{{- if .Values.forge.registry -}}/{{- end -}}flowforge/file-server:{{ .Chart.AppVersion }}
diff --git a/helm/flowforge/values.schema.json b/helm/flowforge/values.schema.json
index acf57f19..0c361930 100644
--- a/helm/flowforge/values.schema.json
+++ b/helm/flowforge/values.schema.json
@@ -218,6 +218,31 @@
             },
             "affinity": {
               "type": "object"
+            },
+            "podSecurityContext": {
+              "type": "object",
+              "properties": {
+                "runAsUser": {
+                  "type": "integer"
+                },
+                "runAsGroup": {
+                  "type": "integer"
+                },
+                "fsGroup": {
+                  "type": "integer"
+                },
+                "seccompProfile": {
+                  "type": "object",
+                  "properties": {
+                    "type": {
+                      "type": "string"
+                    },
+                    "localhostProfile": {
+                      "type": "string"
+                    }
+                  }
+                }
+              }
             }
           },
           "required": [
@@ -293,6 +318,31 @@
             },
             "options": {
               "type": "object"
+            },
+            "podSecurityContext": {
+              "type": "object",
+              "properties": {
+                "runAsUser": {
+                  "type": "integer"
+                },
+                "runAsGroup": {
+                  "type": "integer"
+                },
+                "fsGroup": {
+                  "type": "integer"
+                },
+                "seccompProfile": {
+                  "type": "object",
+                  "properties": {
+                    "type": {
+                      "type": "string"
+                    },
+                    "localhostProfile": {
+                      "type": "string"
+                    }
+                  }
+                }
+              }
             }
           },
           "required": [
@@ -383,6 +433,31 @@
               "description": "Name of cluster role"
             }
           }
+        },
+        "podSecurityContext": {
+          "type": "object",
+          "properties": {
+            "runAsUser": {
+              "type": "integer"
+            },
+            "runAsGroup": {
+              "type": "integer"
+            },
+            "fsGroup": {
+              "type": "integer"
+            },
+            "seccompProfile": {
+              "type": "object",
+              "properties": {
+                "type": {
+                  "type": "string"
+                },
+                "localhostProfile": {
+                  "type": "string"
+                }
+              }
+            }
+          }
         }
       },
       "required": [
diff --git a/helm/flowforge/values.yaml b/helm/flowforge/values.yaml
index 757d30f7..92551380 100644
--- a/helm/flowforge/values.yaml
+++ b/helm/flowforge/values.yaml
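Review bot: The `podSecurityContext` schema added here, and the identical copies at `@@ -293` and `@@ -383`, list only `runAsUser`, `runAsGroup`, `fsGroup` and `seccompProfile`, so whether other valid `PodSecurityContext` fields (`runAsNonRoot`, `supplementalGroups`, `fsGroupChangePolicy`) still pass the chart's values validation depends on whether the enclosing objects set `additionalProperties: false`, which this hunk does not show; if they do, the chart now rejects fields the templates would pass straight through. `seccompProfile.type` is an unconstrained string although Kubernetes accepts exactly three values, so `"type": { "type": "string", "enum": ["RuntimeDefault", "Localhost", "Unconfined"] }` would turn a typo into a validation error instead of a pod rejected at admission. In the second copy the new key is a sibling of `options`; if that `options` is `fileStore.context.options` (the key the README hunk documents) rather than a direct child of `fileStore`, the schema validates `forge.fileStore.context.podSecurityContext` while `templates/file-storage.yml` reads `.Values.forge.fileStore.podSecurityContext`, which is worth confirming before merge. The block is pasted three times; a single `$defs` entry referenced with `$ref` would keep the copies from drifting.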
@@ -21,6 +21,12 @@ forge:
     enabled: false
   broker:
     enabled: false
+    podSecurityContext:
+      runAsUser: 1000
+      runAsGroup: 1000
+      fsGroup: 1000
+      seccompProfile:
+        type: RuntimeDefault
   fileStore:
     enabled: false
     type: localfs
@@ -36,6 +42,12 @@ forge:
         username: forge
         password: Zai1Wied
         database: ff-context
+    podSecurityContext:
+      runAsUser: 1000
+      runAsGroup: 1000
+      fsGroup: 1000
+      seccompProfile:
+        type: RuntimeDefault
   support:
     enabled: false
 
@@ -55,6 +67,13 @@ forge:
     enabled: false
     reportOnly: false
 
+  podSecurityContext:
+    runAsUser: 1000
+    runAsGroup: 1000
+    fsGroup: 1000
+    seccompProfile:
+      type: RuntimeDefault
+
 postgresql:
   auth:
     postgresPassword: Moomiet0
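Review bot: None of the three new `podSecurityContext` defaults sets `runAsNonRoot: true`, so the uid-1000 intent is carried only by `runAsUser`, and an override that removes or changes that single key is not rejected at admission; adding `runAsNonRoot: true` next to `runAsUser: 1000` in each block (with a matching boolean property in values.schema.json) makes the constraint explicit. The third block (`@@ -55`) governs the core application pod but nothing in values.yaml says so; a one-line `# pod-level securityContext for the core flowforge Deployment (templates/deployment.yaml)` above it, and the equivalent above the broker and fileStore blocks, would save operators a trip to the templates.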