chore: add service account creation as optional and allow podSecurity (#4390)

Co-authored-by: Yue Yang <g1enyy0ung@gmail.com>
Co-authored-by: Abby Watterson <Abby.Watterson@fmr.com>
3 people committed Jun 17, 2024
1 parent 700db92 commit aef9e82
Showing 8 changed files with 23 additions and 6 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
@@ -10,6 +10,7 @@ For more information and how-to, see [RFC: Keep A Changelog](https://github.com/

### Added

- Allow if condition for creating chaos-controller-manager ServiceAccount and allow setting securityContext for chaos-daemon pods [#4390](https://github.com/chaos-mesh/chaos-mesh/pull/4390)
- Allow annotations on chaos-controller-manager and chaos-daemon ServiceAccount [#4106](https://github.com/chaos-mesh/chaos-mesh/pull/4106)
- Support for deploying chaos-dashboard under the subpath [#4093](https://github.com/chaos-mesh/chaos-mesh/pull/4093)
- Support more rate units for networkchaos [#4129](https://github.com/chaos-mesh/chaos-mesh/pull/4129)
6 changes: 4 additions & 2 deletions helm/chaos-mesh/README.md
@@ -29,9 +29,10 @@ The following tables list the configurable parameters of the Chaos Mesh chart an
| `imagePullSecrets` | Global Docker registry secret names as an array | [] (does not add image pull secrets to deployed pods) |
| `controllerManager.securityContext` | Pod securityContext if needed | `{}` |
| `controllerManager.hostNetwork` | Running chaos-controller-manager on host network | `false` |
| `controllerManager.allowHostNetworkTesting` | Allow testing on `hostNetwork` pods | `false` |
| `controllerManager.allowHostNetworkTesting` | Allow testing on `hostNetwork` pods | `false` |
| `controllerManager.serviceAccount` | The serviceAccount for chaos-controller-manager | `chaos-controller-manager` |
| `controllerManager.serviceAccountAnnotations` | ServiceAccount annotations for chaos-controller-manager | `{}` |
| `controllerManager.serviceAccountCreate` | Create the serviceAccount for chaos-controller-manager | `true` |
| `controllerManager.priorityClassName` | Custom priorityClassName for using pod priorities | `` |
| `controllerManager.replicaCount` | Replicas for chaos-controller-manager | `3` |
| `controllerManager.image.registry` | Override global registry, empty value means using the global images.registry | `` |
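Review bot: The new `controllerManager.serviceAccountCreate` row should state the contract for `false`: the ServiceAccount named by `controllerManager.serviceAccount` must already exist in the release namespace before install, and the `controllerManager.serviceAccount` row should say the name is used both for the account the chart creates and for a pre-existing one. Separately, the pair of identical `controllerManager.allowHostNetworkTesting` rows appears to be a whitespace-only change that is unrelated to this commit's purpose and could be dropped.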
@@ -60,14 +61,15 @@ The following tables list the configurable parameters of the Chaos Mesh chart an
| `chaosDaemon.grpcPort` | The port which grpc server listens on | `31767` |
| `chaosDaemon.httpPort` | The port which http server listens on | `31766` |
| `chaosDaemon.env` | Extra chaosDaemon envs | `{}` |
| `chaosDaemon.securityContext` | Pod securityContext if needed | `{}`|
| `chaosDaemon.hostNetwork` | Running chaosDaemon on host network | `false` |
| `chaosDaemon.mtls.enabled` | Enable mtls on the grpc connection between chaos-controller-manager and chaos-daemon | `true` |
| `chaosDaemon.privileged` | Run chaos-daemon container in privileged mode. If it is set to false, chaos-daemon will be run in some specified capabilities. capabilities: SYS_PTRACE, NET_ADMIN, MKNOD, SYS_CHROOT, SYS_ADMIN, KILL, IPC_LOCK | `true` |
| `chaosDaemon.priorityClassName` | Custom priorityClassName for using pod priorities | `` |
| `chaosDaemon.podAnnotations` | Pod annotations of chaos-daemon | `{}` |
| `chaosDaemon.serviceAccount` | ServiceAccount name for chaos-daemon | `chaos-daemon` |
| `chaosDaemon.serviceAccountAnnotations` | ServiceAccount annotations for chaos-daemon | `{}` |
| `chaosDaemon.podSecurityPolicy` | Specify PodSecurityPolicy(psp) on chaos-daemon pods | `false` |
| `chaosDaemon.podSecurityPolicy` | Specify PodSecurityPolicy(psp) on chaos-daemon pods | `false`|
| `chaosDaemon.runtime` | Runtime specifies which container runtime to use. Currently we only supports docker, containerd and CRI-O. | `docker` |
| `chaosDaemon.socketPath` | Specifiesthe path of container runtime socket on the host. | `/var/run/docker.sock` |
| `chaosDaemon.resources` | CPU/Memory resource requests/limits for chaosDaemon container | `{}` |
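Review bot: `chaosDaemon.securityContext` is rendered at the pod level in `chaos-daemon-daemonset.yaml`, so the description "Pod securityContext if needed" should make clear that it does not change the container-level settings governed by `chaosDaemon.privileged` (documented in this same table as defaulting to `true`). A user who sets `runAsNonRoot` or `seccompProfile` here still gets a privileged chaos-daemon container unless they also change `chaosDaemon.privileged`, and container-level securityContext fields override pod-level ones where both apply. Suggested wording: `Pod-level securityContext for chaos-daemon pods; container privileges are controlled by chaosDaemon.privileged`.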
5 changes: 4 additions & 1 deletion helm/chaos-mesh/templates/chaos-daemon-daemonset.yaml
@@ -57,6 +57,9 @@ spec:
{{- if .Values.imagePullSecrets }}
imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
{{- end }}
{{- if .Values.chaosDaemon.securityContext }}
securityContext: {{ toYaml .Values.chaosDaemon.securityContext | nindent 8 }}
{{- end }}
containers:
- name: chaos-daemon
image: {{template "chaos-daemon.image" . }}
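Review bot: The `{{- if .Values.chaosDaemon.securityContext }}` guard handles the `{}` default correctly (an empty map is falsy, so no `securityContext:` key is emitted) and `nindent 8` matches the `imagePullSecrets` block directly above. Worth adding as a template comment: this block is `spec.template.spec.securityContext`, which applies to the pod (and to volume ownership via `fsGroup`) and sets nothing on the `chaos-daemon` container itself, whose privileged/capabilities posture is still controlled by `chaosDaemon.privileged` per the README.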
@@ -176,7 +179,7 @@ spec:
{{- end }}
volumes:
- name: socket-path
hostPath:
hostPath:
path: {{template "chaos-daemon.socket-path" . }}
- name: sys-path
hostPath:
@@ -48,7 +48,7 @@ spec:
{{- if .Values.controllerManager.hostNetwork }}
hostNetwork: true
{{- end }}
{{- if .Values.controllerManager.serviceAccount }}
{{- if .Values.controllerManager.serviceAccountCreate }}
serviceAccountName: {{ .Values.controllerManager.serviceAccount }}
{{- end }}
{{- if .Values.controllerManager.priorityClassName }}
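Review bot: Changing the condition from `.Values.controllerManager.serviceAccount` to `.Values.controllerManager.serviceAccountCreate` looks wrong. When a user sets `serviceAccountCreate: false` because they manage the ServiceAccount themselves, `serviceAccountName` is no longer rendered at all and the controller-manager pod falls back to the namespace's `default` ServiceAccount, which does not carry the roles `controller-manager-rbac.yaml` grants to the chart-named account. The pod should reference the configured name regardless of who creates it: keep the previous guard (`{{- if .Values.controllerManager.serviceAccount }}`) here and let `serviceAccountCreate` gate only the `kind: ServiceAccount` object in the RBAC template.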
3 changes: 2 additions & 1 deletion helm/chaos-mesh/templates/controller-manager-rbac.yaml
@@ -13,6 +13,7 @@
# limitations under the License.
#
{{- if .Values.rbac.create }}
{{- if .Values.controllerManager.serviceAccountCreate }}
kind: ServiceAccount
apiVersion: v1
metadata:
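Review bot: The new `serviceAccountCreate` guard is nested inside `{{- if .Values.rbac.create }}`, so the ServiceAccount is also skipped whenever `rbac.create` is false, even with `serviceAccountCreate: true`. Either document that dependency in the README row and the values.yaml comment, or move the ServiceAccount guard outside the `rbac.create` block if creating the account without the roles is meant to be supported.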
@@ -25,7 +26,7 @@ metadata:
labels:
{{- include "chaos-mesh.labels" . | nindent 4 }}
app.kubernetes.io/component: controller-manager

{{- end }}
---
# roles
kind: ClusterRole
6 changes: 6 additions & 0 deletions helm/chaos-mesh/values.schema.json
@@ -56,6 +56,9 @@
"grpcPort": {
"type": "integer"
},
"securityContext": {
"type": "object"
},
"hostNetwork": {
"type": "boolean"
},
@@ -314,6 +317,9 @@
"serviceAccountAnnotations": {
"type": "object"
},
"serviceAccountCreate": {
"type": "boolean"
},
"targetNamespace": {
"type": "string"
},
4 changes: 4 additions & 0 deletions helm/chaos-mesh/values.yaml
@@ -66,6 +66,8 @@ controllerManager:
serviceAccount: chaos-controller-manager
# ServiceAccount annotations for chaos-controller-manager
serviceAccountAnnotations: {}
# Create the serviceAccount for chaos-controller-manager
serviceAccountCreate: true
# Custom priorityClassName for using pod priorities
priorityClassName: ""
# Replicas for chaos-controller-manager
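Review bot: The comment on `serviceAccountCreate` should spell out what `false` requires, since a missing account makes the controller-manager pods fail to schedule: e.g. `# Create the ServiceAccount for chaos-controller-manager; set to false to use a pre-existing account with the name given in serviceAccount above`.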
@@ -166,6 +168,8 @@ chaosDaemon:
httpPort: 31766
# extra chaosDaemon envs
env: {}
# securityContext if needed
securityContext: {}
# running chaosDaemon on host network
hostNetwork: false
# configurations about mtls.
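Review bot: `# securityContext if needed` is too terse for a field that changes the daemon's runtime posture; say that it is the pod-level securityContext (`spec.template.spec.securityContext`) and that container privileges are still controlled by the `privileged` value, e.g. `# pod-level securityContext for chaos-daemon pods; container privileges are set via privileged`.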
2 changes: 1 addition & 1 deletion install.sh
@@ -1650,7 +1650,7 @@ spec:
containerPort: 31766
volumes:
- name: socket-path
hostPath:
hostPath:
path: ${socketDir}
- name: sys-path
hostPath: