🔒 Add support for securityContext

Default to settings that satisfy the [restricted Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted)
cert-manager · Dec 7, 2023 · c7b12d1 · c7b12d1
1 parent 5dd5ef8
commit c7b12d1
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 0 deletions.
diff --git a/deploy/charts/google-cas-issuer/templates/deployment.yaml b/deploy/charts/google-cas-issuer/templates/deployment.yaml
@@ -50,6 +50,10 @@ spec:
         resources:
           {{- toYaml . | nindent 10 }}
         {{- end }}
+        {{- with .Values.containerSecurityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
 
       {{- with .Values.nodeSelector }}
       nodeSelector:
@@ -59,6 +63,10 @@ spec:
       affinity:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.securityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       {{- with .Values.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}

diff --git a/deploy/charts/google-cas-issuer/values.yaml b/deploy/charts/google-cas-issuer/values.yaml
@@ -83,6 +83,22 @@ affinity: {}
   #        values:
   #        - master
 
+# -- Pod Security Context
+# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+securityContext:
+  runAsNonRoot: true
+  seccompProfile:
+    type: RuntimeDefault
+
+# -- Container Security Context to be set on the controller component container
+# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+    - ALL
+  readOnlyRootFilesystem: true
+
 # -- Kubernetes pod tolerations for google-cas-issuer
 tolerations: []
   # -- Allow scheduling of DaemonSet on all nodes