Ability to add Pod securityContext for controller-manager and dashboard

CHANGELOG.md

@@ -10,6 +10,7 @@ For more information and how-to, see [RFC: Keep A Changelog](https://github.com/
 
 ### Added
 
+- Add `controller.securityContext` and `dashboard.securityContext` to Helm chart [#3603](https://github.com/chaos-mesh/chaos-mesh/pull/3603)
 - Add `RemoteCluster` resource type [#3342](https://github.com/chaos-mesh/chaos-mesh/pull/3342)
 - Add `clusterregistry` package to help developers to develop multi-cluster reconciler [#3342](https://github.com/chaos-mesh/chaos-mesh/pull/3342)
 

helm/chaos-mesh/README.md

@@ -27,6 +27,7 @@ The following tables list the configurable parameters of the Chaos Mesh chart an
 | `images.registry` | The global container registry for the images, you could replace it with your self-hosted container registry. | `ghcr.io` |
 | `images.tag` | The global image tag (for example, semiVer with prefix v, or latest). | `latest` |
 | `imagePullSecrets` | Global Docker registry secret names as an array  | [] (does not add image pull secrets to deployed pods) |
+| `controllerManager.securityContext` | Pod securityContext if needed | `{}` |
 | `controllerManager.hostNetwork` | Running chaos-controller-manager on host network | `false` |
 | `controllerManager.allowHostNetworkTesting`   | Allow testing on `hostNetwork` pods | `false` |
 | `controllerManager.serviceAccount` | The serviceAccount for chaos-controller-manager | `chaos-controller-manager` |
@@ -74,6 +75,7 @@ The following tables list the configurable parameters of the Chaos Mesh chart an
 | `chaosDaemon.updateStrategy` | Specify DaemonSetUpdateStrategy for chaos-daemon | `{}` |
 | `dashboard.create` | Enable chaos-dashboard | `false` |
 | `dashboard.rootUrl` | Specify the base url for openid/oauth2 (like GCP Auth Integration) callback URL. | `http://localhost:2333` |
+| `dashboard.securityContext` | Pod securityContext if needed | `{}` |
 | `dashboard.hostNetwork` | Running chaos-dashboard on host network | `false` |
 | `dashboard.replicaCount` | Replicas of chaos-dashboard | `1` |
 | `dashboard.priorityClassName` | Custom priorityClassName for using pod priorities | `` |

helm/chaos-mesh/templates/chaos-dashboard-deployment.yaml

@@ -38,6 +38,8 @@ spec:
 {{ toYaml . | indent 8 }}
     {{- end }}
     spec:
+      securityContext:
+{{ toYaml .Values.dashboard.securityContext | indent 12 }}
       {{- if .Values.dashboard.hostNetwork }}
       hostNetwork: true
       {{- end }}

helm/chaos-mesh/templates/controller-manager-deployment.yaml

@@ -39,6 +39,8 @@ spec:
 {{ toYaml . | indent 8 }}
     {{- end }}
     spec:
+      securityContext:
+{{ toYaml .Values.controllerManager.securityContext | indent 12 }}
       {{- if .Values.controllerManager.hostNetwork }}
       hostNetwork: true
       {{- end }}

helm/chaos-mesh/values.yaml

@@ -56,6 +56,8 @@ imagePullSecrets: []
 # - name: secretName
 
 controllerManager:
+  # securityContext if needed
+  securityContext: {}
   # running chaos-controller-manager on host network
   hostNetwork: false
   # Allow testing on `hostNetwork` pods. This is Dangerous. Please run only as temporary solution.
@@ -232,6 +234,8 @@ dashboard:
   create: true
   # rootUrl specify the base url for openid/oauth2 (like GCP Auth Integration) callback URL.
   rootUrl: http://localhost:2333
+  # securityContext if needed
+  securityContext: {}
   # running chaos-dashboard on host network
   hostNetwork: false
   # replicas of chaos-dashboard

install.sh

@@ -1449,6 +1449,8 @@ spec:
         app.kubernetes.io/component: chaos-dashboard
       annotations:
     spec:
+      securityContext:
+            {}
       serviceAccountName: chaos-dashboard
       containers:
         - name: chaos-dashboard
@@ -1564,6 +1566,8 @@ spec:
       annotations:
         rollme: "install.sh"
     spec:
+      securityContext:
+            {}
       hostNetwork: ${host_network}
       serviceAccountName: chaos-controller-manager
       containers: