Merge pull request #211 from KoppulaRajender/5.3

5.3 | adding security context for kubeenforcer
aquasecurity · Mar 4, 2021 · e1da7fc · e1da7fc
2 parents 6e4087b + 256e6bb
commit e1da7fc
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 1 deletion.
diff --git a/kube-enforcer/templates/kube-enforcer-deployment.yaml b/kube-enforcer/templates/kube-enforcer-deployment.yaml
@@ -13,9 +13,17 @@ spec:
       labels:
         app: {{ include "kube-enforcer.fullname" . }}
     spec:
+      {{- with .Values.securityContext }}
+      securityContext:
+{{ toYaml . | indent 8 }}
+      {{- end }}
       serviceAccountName: {{ .Values.serviceAccount.name }}
       containers:
         - name: kube-enforcer
+          {{- with .Values.container_securityContext }}
+          securityContext:
+{{ toYaml . | indent 12 }}
+          {{- end }}
           image: "{{ .Values.imageCredentials.repositoryUriPrefix }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: Always
           ports:

diff --git a/kube-enforcer/values.yaml b/kube-enforcer/values.yaml
@@ -30,7 +30,7 @@ logLevel:
 #enable to true if you want to use existing secret for the cluster
 existing_secret:
   enable: false
-  secretName:
+  secretName: ""
 
 certsSecret:
   name: aqua-kube-enforcer-certs
@@ -69,6 +69,12 @@ webhooks:
   mutatingWebhook:
     name: kube-enforcer-me-injection-hook-config
 
+securityContext:
+  runAsUser: 11431
+  runAsGroup: 11433
+  fsGroup: 11433
+container_securityContext: {}
+
 livenessProbe:
   tcpSocket:
     port: 8080