add ability to configure SecurityContext for web container #176
Conversation
While this provides a escape hatch for configuring stuff that the Concourse team doesn't want to support (such as a separate option for securityContext), it does open up the possiblity to terribly misconfigure your cluster. Signed-off-by: Bohan Chen <bochen@pivotal.io>
templates/web-deployment.yaml
Outdated
| @@ -51,6 +51,9 @@ spec: | |||
| initContainers: | |||
| {{- toYaml .Values.web.extraInitContainers | nindent 8 }} | |||
| {{- end }} | |||
| {{- if .Values.web.dangerousAdditionalPodSpecFields }} | |||
| {{- toYaml .Values.web.dangerousAdditionalPodSpecFields | nindent 6 }} | |||
There was a problem hiding this comment.
nindent 6
Wouldn't this mean it's going to live at the same level as spec on line 34?
I tried using the example listed in this way:
dangerousAdditionalPodSpecFields:
securityContext:
capabilities:
add:
- SYS_PTRACE
On a dry-run I get:
unknown field "capabilities" in io.k8s.api.core.v1.PodSecurityContext
Seems capabilities are meant to be set at the individual container level for a pod.
So I tried putting it inside the first container:
containers:
{{- if .Values.web.sidecarContainers }}
{{- toYaml .Values.web.sidecarContainers | nindent 8 }}
{{- end }}
- name: {{ template "concourse.web.fullname" . }}
{ { - if .Values.web.dangerousAdditionalPodSpecFields } }
{ { - toYaml .Values.web.dangerousAdditionalPodSpecFields | nindent 10 } }
{ { - end } }
But I end up with a parsing error:
Error: YAML parse error on concourse/templates/web-deployment.yaml: error converting YAML to JSON: yaml: line 29: could not find expected ':'
I'm using Helm3. Have you been able to successfully run the example?
There was a problem hiding this comment.
Wouldn't this mean it's going to live at the same level as spec on line 34?
Good point, I blindly assumed the pod level securityContext is the same as the container level one.
Originally this was meant as an escape hatch for all of the fancy things you can configure at the pod level that we don't expose in our chart. If it's going to be exposed at the container level and since we explicitly exposed almost all of the fields at that level, I'm going to rework this PR so that it just exposes the web.securityContext field instead.
Since securityContext is only set at the container level, and we pretty much explicitly configure most of the container level fields Signed-off-by: Bohan Chen <bochen@pivotal.io>
chenbh
changed the title
Applies only to the
webcontainer on theweb-deploymentpod, useful for stuff like attaching a live debugger to the process.