Pod security standards restricted defaults (#9490)

* first round helm changes * gateway test secure helm * updates * Adding changelog file to new location * Deleting changelog file from old location * Update helm.yaml * update names * Update helm.yaml * Update helm.yaml * Update helm_test.go * refactor GetStructuredDeployment * Revert "refactor GetStructuredDeployment" This reverts commit c7325a8. * All the containers * generated * generate and k8s-utils * Update pod-security-standards.yaml * Update 7-gateway-proxy-deployment.yaml * Start of pod security defaults * Update pod-security-standards.yaml * updates * More container updates * steps - can;t apply defaults * Helm fixes and add to kube2e helm * whitespace cleanup * Update helm-override.yaml * tests * add seccompTypeValue * Update helm_test.go * Update pod-security-standards.yaml * Update pod-security-standards.yaml * Update pod-security-standards.yaml * Update _helpers.tpl * Update values.go * Adding changelog file to new location * Deleting changelog file from old location * Update _helpers.tpl * update template to take ".indent" argument * Update _helpers.tpl * generate * Update _helpers.tpl * Update _helpers.tpl * Update changelog/v1.17.0-beta29/pod-security-standards.yaml Co-authored-by: Bernie Birnbaum <bewebi@earthlink.net> * indenting includes * PR feedback * Update install/test/helm_test.go Co-authored-by: Bernie Birnbaum <bewebi@earthlink.net> --------- Co-authored-by: soloio-bulldozer[bot] <48420018+soloio-bulldozer[bot]@users.noreply.github.com> Co-authored-by: changelog-bot <changelog-bot> Co-authored-by: Bernie Birnbaum <bewebi@earthlink.net>
solo-io · May 20, 2024 · d976f62 · d976f62
1 parent d4724c0
commit d976f62
Show file tree

Hide file tree

Showing 32 changed files with 627 additions and 200 deletions.
diff --git a/changelog/v1.17.0-beta29/pod-security-standards.yaml b/changelog/v1.17.0-beta29/pod-security-standards.yaml
@@ -0,0 +1,20 @@
+changelog:
+  - type: NEW_FEATURE
+    issueLink: https://github.com/solo-io/gloo/issues/8864
+    resolvesIssue: false
+    description: >-
+      Add helm values for all containers to allow for conforming to [Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/)
+  - type: HELM
+    description: >-
+      * Add helm values for all containers to allow defining containers' securityContexts
+      * Add global.podSecurityStandards.enableRestrictedContainerDefaults to default to using a restricted set of container defaults
+      * Add new helper template to render the container securityContexts and apply the defaults if neccessary
+    issueLink: https://github.com/solo-io/gloo/issues/8864
+    resolvesIssue: false
+  - type: DEPENDENCY_BUMP
+    resolvesIssue: false
+    dependencyOwner: solo-io
+    dependencyRepo: k8s-utils
+    dependencyTag: v0.6.3
+    description: >-
+      Pull in support for converting unstructured k8s CronJobs into k8s resources.
diff --git a/docs/content/reference/values.txt b/docs/content/reference/values.txt
diff --git a/go.mod b/go.mod
@@ -50,7 +50,7 @@ require (
 	github.com/sergi/go-diff v1.1.0
 	github.com/solo-io/go-list-licenses v0.1.4
 	github.com/solo-io/go-utils v0.24.8
-	github.com/solo-io/k8s-utils v0.6.0
+	github.com/solo-io/k8s-utils v0.6.3
 	github.com/solo-io/protoc-gen-ext v0.0.18
 	github.com/solo-io/protoc-gen-openapi v0.1.1
 	github.com/solo-io/skv2 v0.36.0

diff --git a/go.sum b/go.sum
@@ -1809,8 +1809,8 @@ github.com/solo-io/go-list-licenses v0.1.4/go.mod h1:x6LSp/NrYgVXwNum7ZOiaAYTpg6
 github.com/solo-io/go-utils v0.20.2/go.mod h1:6e8K1spnMWwlnJRSNp/J84GEyJbrcK4Gm7i+ehzCi8c=
 github.com/solo-io/go-utils v0.24.8 h1:gukFEvQ0SSRzIwysulI6w0c/dG08TCohO9QxwCqW6Lg=
 github.com/solo-io/go-utils v0.24.8/go.mod h1:bFFKO4Ih+sPViwNdVxv3z5dRrzMcJjNMHlx4zA8vxSg=
-github.com/solo-io/k8s-utils v0.6.0 h1:VF/EiQ0I2/EEqxitNvnQY9BWktYQf0oD0F4GQhGA1Gc=
-github.com/solo-io/k8s-utils v0.6.0/go.mod h1:cHiBkBOueJfqBRTxN7FA1xsX8s8XpIkVMXBsTXXZcVA=
+github.com/solo-io/k8s-utils v0.6.3 h1:6o5+QdkyW5WNHIl0pNjV+ZdXzW3VmcqtFimWXbOZkvY=
+github.com/solo-io/k8s-utils v0.6.3/go.mod h1:cHiBkBOueJfqBRTxN7FA1xsX8s8XpIkVMXBsTXXZcVA=
 github.com/solo-io/protoc-gen-ext v0.0.18 h1:zSAL8NzWpJUGYoA5IyjHiKASNyHjR0uxBQ7eQS94i3A=
 github.com/solo-io/protoc-gen-ext v0.0.18/go.mod h1:iGyCvmKmhJNXs5MgBcYFBF0om7LDnCVD2WwhOZGnqeA=
 github.com/solo-io/protoc-gen-openapi v0.1.1 h1:40gsfvDvz+Sd6HFXBzdkeE5QEuAdZnoy55J5QFzMzl4=

diff --git a/install/helm/gloo/generate/values.go b/install/helm/gloo/generate/values.go
diff --git a/install/helm/gloo/templates/1-gloo-deployment.yaml b/install/helm/gloo/templates/1-gloo-deployment.yaml
@@ -84,7 +84,7 @@ spec:
         {{- if not .Values.gloo.deployment.floatingUserId }}
           {{- $_ := set $securityDefaults "runAsUser" .Values.gloo.deployment.runAsUser }}
         {{- end }}
-{{ include "gloo.securityContext" (dict "values" .Values.global.glooMtls.envoy.securityContext "defaults" $securityDefaults) | indent 8 }}
+        {{- include "gloo.containerSecurityContext" (dict "values" .Values.global.glooMtls.envoy.securityContext "defaults" $securityDefaults "podSecurityStandards" .Values.global.podSecurityStandards "indent" 8) }}
         ports:
         - containerPort: {{ .Values.gloo.deployment.xdsPort }}
           name: grpc-xds
@@ -127,7 +127,7 @@ spec:
         {{- if not .Values.gloo.deployment.floatingUserId -}}
           {{- $_ := set $securityDefaults "runAsUser" .Values.gloo.deployment.runAsUser}}
         {{- end -}}
-{{ include "gloo.securityContext" (dict "values" .Values.global.glooMtls.sds.securityContext "defaults" $securityDefaults) | nindent 8 }}
+        {{- include "gloo.containerSecurityContext" (dict "values" .Values.global.glooMtls.sds.securityContext "defaults" $securityDefaults "podSecurityStandards" .Values.global.podSecurityStandards "indent" 8) }}
         ports:
         - containerPort: {{ .Values.gloo.deployment.validationPort }}
           name: validation
@@ -158,17 +158,17 @@ spec:
           requests:
             cpu: 500m
             memory: 256Mi
-{{- end}}
+{{- end -}}
         {{- $capabilities := dict "drop" (list "ALL") -}}
-        {{- $securityDefaults := dict "runAsNonRoot" true "capabilities" $capabilities "readOnlyRootFilesystem" true "allowPrivilegeEscalation" false }}
+        {{- $securityDefaults := dict "runAsNonRoot" true "capabilities" $capabilities "readOnlyRootFilesystem" true "allowPrivilegeEscalation" false -}}
         {{- /* set floatingUserId to true in the helm install to let the pod be assigned a dynamic user ID */ -}}
         {{- /* see https://github.com/helm/helm/issues/1707#issuecomment-520357573 */ -}}
-        {{- /* the user id may be set quite high -- openshift wants userids that may get printed as scientific notation */}}
-        {{- /* If you specify your own securityContext, floatingUserId will have no effect  */}}
+        {{- /* the user id may be set quite high -- openshift wants userids that may get printed as scientific notation */ -}}
+        {{- /* If you specify your own securityContext, floatingUserId will have no effect  */ -}}
         {{- if not .Values.gloo.deployment.floatingUserId -}}
           {{- $_ := set $securityDefaults "runAsUser" .Values.gloo.deployment.runAsUser }}
         {{- end -}}
-        {{- include "gloo.securityContext" (dict "values" .Values.gloo.deployment.glooContainerSecurityContext "defaults" $securityDefaults) | nindent 8 }}
+        {{- include "gloo.containerSecurityContext" (dict "values" .Values.gloo.deployment.glooContainerSecurityContext "defaults" $securityDefaults "podSecurityStandards" .Values.global.podSecurityStandards "indent" 8) }}
         ports:
 {{- if not .Values.global.glooMtls.enabled }}
         - containerPort: {{ .Values.gloo.deployment.xdsPort }}

diff --git a/install/helm/gloo/templates/10-ingress-deployment.yaml b/install/helm/gloo/templates/10-ingress-deployment.yaml
@@ -47,6 +47,7 @@ spec:
       - image: {{template "gloo.image" $image}}
         imagePullPolicy: {{ $image.pullPolicy }}
         name: ingress
+        {{- include "gloo.containerSecurityContext" (dict "values" .Values.ingress.deployment.ingressContainerSecurityContext "defaults" (dict) "podSecurityStandards" .Values.global.podSecurityStandards "indent" 8) }}
 {{- if .Values.ingress.deployment.resources }}
         resources:
 {{ toYaml .Values.ingress.deployment.resources | indent 10}}

diff --git a/install/helm/gloo/templates/11-ingress-proxy-deployment.yaml b/install/helm/gloo/templates/11-ingress-proxy-deployment.yaml
@@ -61,14 +61,16 @@ spec:
         resources:
 {{ toYaml .Values.ingressProxy.deployment.resources | indent 10}}
 {{- end}}
-        securityContext:
-          readOnlyRootFilesystem: true
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-            add:
-            - NET_BIND_SERVICE
+        {{- $capabilities := dict "drop" (list "ALL") "add" (list "NET_BIND_SERVICE") -}}
+        {{- $securityDefaults := dict
+            "readOnlyRootFilesystem" true
+            "allowPrivilegeEscalation" false
+            "capabilities" $capabilities
+        }}
+        {{- if .Values.ingressProxy.deployment.runAsUser  -}}
+          {{- $_ := set $securityDefaults "runAsUser" .Values.ingressProxy.deployment.runAsUser }}
+        {{- end -}}
+        {{- include "gloo.containerSecurityContext" (dict "values" .Values.ingressProxy.deployment.ingressProxyContainerSecurityContext "defaults" $securityDefaults "podSecurityStandards" .Values.global.podSecurityStandards "indent" 8) }}
         ports:
         - containerPort: {{ .Values.ingressProxy.deployment.httpPort }}
           name: http

diff --git a/install/helm/gloo/templates/14-clusteringress-proxy-deployment.yaml b/install/helm/gloo/templates/14-clusteringress-proxy-deployment.yaml
@@ -58,14 +58,13 @@ spec:
         resources:
 {{ toYaml .Values.settings.integrations.knative.proxy.resources | indent 10}}
 {{- end}}
-        securityContext:
-          readOnlyRootFilesystem: true
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-            add:
-            - NET_BIND_SERVICE
+        {{- $capabilities := dict "drop" (list "ALL") "add" (list "NET_BIND_SERVICE") -}}
+        {{- $securityDefaults := dict
+            "readOnlyRootFilesystem" true
+            "allowPrivilegeEscalation" false
+            "capabilities" $capabilities
+        }}
+        {{- include "gloo.containerSecurityContext" (dict "values" .Values.settings.integrations.knative.proxy.containerSecurityContext "defaults" $securityDefaults "podSecurityStandards" .Values.global.podSecurityStandards "indent" 8) }}
         ports:
         - containerPort: {{ .Values.settings.integrations.knative.proxy.httpPort }}
           name: http

diff --git a/install/helm/gloo/templates/19-gloo-mtls-certgen-cronjob.yaml b/install/helm/gloo/templates/19-gloo-mtls-certgen-cronjob.yaml
@@ -44,11 +44,11 @@ spec:
             - image: {{template "gloo.image" $image}}
               imagePullPolicy: {{ $image.pullPolicy }}
               name: certgen
-              securityContext:
-                runAsNonRoot: true
-                {{- if not .Values.gateway.certGenJob.floatingUserId }}
-                runAsUser: {{ printf "%.0f" (float64 .Values.gateway.certGenJob.runAsUser) -}}
-                {{- end }}
+              {{- $securityDefaults := dict "runAsNonRoot" true }}
+              {{- if not .Values.gateway.certGenJob.floatingUserId }}
+                {{- $_ := set $securityDefaults "runAsUser" .Values.gateway.certGenJob.runAsUser }}
+              {{- end }}
+              {{- include "gloo.containerSecurityContext" (dict "values" .Values.gateway.certGenJob.containerSecurityContext "defaults" $securityDefaults "podSecurityStandards" .Values.global.podSecurityStandards "indent" 14) }}
               {{- with .Values.gateway.certGenJob.resources }}
               resources: {{ toYaml . | nindent 16 }}
               {{- end }}

diff --git a/install/helm/gloo/templates/19-gloo-mtls-certgen-job.yaml b/install/helm/gloo/templates/19-gloo-mtls-certgen-job.yaml
@@ -52,11 +52,11 @@ spec:
         - image: {{template "gloo.image" $image}}
           imagePullPolicy: {{ $image.pullPolicy }}
           name: certgen
-          securityContext:
-            runAsNonRoot: true
-            {{- if not .Values.gateway.certGenJob.floatingUserId }}
-            runAsUser: {{ printf "%.0f" (float64 .Values.gateway.certGenJob.runAsUser) -}}
-            {{- end }}
+          {{- $securityDefaults := dict "runAsNonRoot" true }}
+          {{- if not .Values.gateway.certGenJob.floatingUserId }}
+            {{- $_ := set $securityDefaults "runAsUser" .Values.gateway.certGenJob.runAsUser }}
+          {{- end }}
+          {{- include "gloo.containerSecurityContext" (dict "values" .Values.gateway.certGenJob.containerSecurityContext "defaults" $securityDefaults "podSecurityStandards" .Values.global.podSecurityStandards "indent" 10) }}
           {{- with .Values.gateway.certGenJob.resources }}
           resources: {{ toYaml . | nindent 12}}
           {{- end }}

diff --git a/install/helm/gloo/templates/26-knative-external-proxy-deployment.yaml b/install/helm/gloo/templates/26-knative-external-proxy-deployment.yaml
@@ -58,14 +58,16 @@ spec:
         resources:
 {{ toYaml .Values.settings.integrations.knative.proxy.resources | indent 10}}
 {{- end}}
-        securityContext:
-          readOnlyRootFilesystem: true
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-            add:
-            - NET_BIND_SERVICE
+        {{- $capabilities := dict "drop" (list "ALL") "add" (list "NET_BIND_SERVICE") -}}
+        {{- $securityDefaults := dict 
+            "readOnlyRootFilesystem" true
+            "allowPrivilegeEscalation" false
+            "capabilities" $capabilities
+        }}
+       {{- if .Values.settings.integrations.knative.proxy.runAsUser -}}
+          {{- $_ := set $securityDefaults "runAsUser" .Values.settings.integrations.knative.proxy.runAsUser }}
+        {{- end -}}
+        {{- include "gloo.containerSecurityContext" (dict "values" .Values.settings.integrations.knative.proxy.containerSecurityContext "defaults" $securityDefaults "podSecurityStandards" .Values.global.podSecurityStandards "indent" 8) }}
         ports:
         - containerPort: {{ .Values.settings.integrations.knative.proxy.httpPort }}
           name: http

diff --git a/install/helm/gloo/templates/29-knative-internal-proxy-deployment.yaml b/install/helm/gloo/templates/29-knative-internal-proxy-deployment.yaml
@@ -58,14 +58,16 @@ spec:
         resources:
 {{ toYaml .Values.settings.integrations.knative.proxy.resources | indent 10}}
 {{- end}}
-        securityContext:
-          readOnlyRootFilesystem: true
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-            add:
-            - NET_BIND_SERVICE
+        {{- $capabilities := dict "drop" (list "ALL") "add" (list "NET_BIND_SERVICE") -}}
+        {{- $securityDefaults := dict
+            "readOnlyRootFilesystem" true
+            "allowPrivilegeEscalation" false
+            "capabilities" $capabilities
+        }}
+       {{- if .Values.settings.integrations.knative.proxy.runAsUser -}}
+          {{- $_ := set $securityDefaults "runAsUser" .Values.settings.integrations.knative.proxy.runAsUser }}
+        {{- end -}}
+        {{- include "gloo.containerSecurityContext" (dict "values" .Values.settings.integrations.knative.proxy.containerSecurityContext "defaults" $securityDefaults "podSecurityStandards" .Values.global.podSecurityStandards "indent" 8) }}
         ports:
         - containerPort: {{ .Values.settings.integrations.knative.proxy.httpPort }}
           name: http

diff --git a/install/helm/gloo/templates/3-discovery-deployment.yaml b/install/helm/gloo/templates/3-discovery-deployment.yaml
@@ -58,16 +58,16 @@ spec:
 {{ toYaml .Values.discovery.deployment.resources | indent 10}}
 {{- end}}
         # container security context
-        securityContext:
-          readOnlyRootFilesystem: true
-          allowPrivilegeEscalation: false
-          runAsNonRoot: true
-          {{- if not .Values.discovery.deployment.floatingUserId }}
-          runAsUser: {{ printf "%.0f" (float64 .Values.discovery.deployment.runAsUser) -}}
-          {{- end }}
-          capabilities:
-            drop:
-            - ALL
+        {{- $capabilities := dict "drop" (list "ALL") -}}
+        {{- $securityDefaults := dict
+            "readOnlyRootFilesystem" true
+            "allowPrivilegeEscalation" false
+            "runAsNonRoot" true
+            "capabilities" $capabilities -}}
+        {{- if not .Values.discovery.deployment.floatingUserId -}}
+          {{- $_ := set $securityDefaults "runAsUser" .Values.discovery.deployment.runAsUser }}
+        {{- end -}}
+        {{- include "gloo.containerSecurityContext" (dict "values" .Values.discovery.deployment.discoveryContainerSecurityContext "defaults" $securityDefaults "podSecurityStandards" .Values.global.podSecurityStandards "indent" 8) }}
         env:
 {{- if .Values.license_secret_name }}
           - name: GLOO_LICENSE_KEY

diff --git a/install/helm/gloo/templates/5-resource-cleanup-job.yaml b/install/helm/gloo/templates/5-resource-cleanup-job.yaml
@@ -44,11 +44,11 @@ spec:
         - name: kubectl
           image: {{template "gloo.image" $image}}
           imagePullPolicy: {{ $image.pullPolicy }}
-          securityContext:
-            runAsNonRoot: true
-            {{- if not .Values.gateway.cleanupJob.floatingUserId }}
-            runAsUser: {{ printf "%.0f" (float64 .Values.gateway.cleanupJob.runAsUser) -}}
-            {{- end }}
+          {{- $securityDefaults := dict "runAsNonRoot" true }}
+          {{- if not .Values.gateway.rolloutJob.floatingUserId -}}
+            {{- $_ := set $securityDefaults "runAsUser" .Values.gateway.rolloutJob.runAsUser }}
+          {{- end -}}
+          {{- include "gloo.containerSecurityContext" (dict "values" .Values.gateway.rolloutJob.containerSecurityContext "defaults" $securityDefaults "podSecurityStandards" .Values.global.podSecurityStandards "indent" 10) }}
           {{- with .Values.gateway.cleanupJob.resources }}
           resources: {{ toYaml . | nindent 12}}
           {{- end }}

diff --git a/install/helm/gloo/templates/5-resource-migration-job.yaml b/install/helm/gloo/templates/5-resource-migration-job.yaml
@@ -44,11 +44,11 @@ spec:
         - name: kubectl
           image: {{template "gloo.image" $image}}
           imagePullPolicy: {{ $image.pullPolicy }}
-          securityContext:
-            runAsNonRoot: true
-            {{- if not .Values.gateway.rolloutJob.floatingUserId }}
-            runAsUser: {{ printf "%.0f" (float64 .Values.gateway.rolloutJob.runAsUser) -}}
-            {{- end }}
+          {{- $securityDefaults := dict "runAsNonRoot" true }}
+          {{- if not .Values.gateway.rolloutJob.floatingUserId -}}
+            {{- $_ := set $securityDefaults "runAsUser" .Values.gateway.rolloutJob.runAsUser }}
+          {{- end -}}
+          {{- include "gloo.containerSecurityContext" (dict "values" .Values.gateway.rolloutJob.containerSecurityContext "defaults" $securityDefaults "podSecurityStandards" .Values.global.podSecurityStandards "indent" 10) }}
           {{- with .Values.gateway.rolloutJob.resources }}
           resources: {{ toYaml . | nindent 12}}
           {{- end }}

diff --git a/install/helm/gloo/templates/5-resource-rollout-check-job.yaml b/install/helm/gloo/templates/5-resource-rollout-check-job.yaml
@@ -71,11 +71,11 @@ spec:
           volumeMounts:
             - name: custom-resource-config-volume
               mountPath: /etc/gloo-custom-resources
-          securityContext:
-            runAsNonRoot: true
-            {{- if not .Values.gateway.rolloutJob.floatingUserId }}
-            runAsUser: {{ printf "%.0f" (float64 .Values.gateway.rolloutJob.runAsUser) -}}
-            {{- end }}
+          {{- $securityDefaults := dict "runAsNonRoot" true }}
+          {{- if not .Values.gateway.rolloutJob.floatingUserId -}}
+            {{- $_ := set $securityDefaults "runAsUser" .Values.gateway.rolloutJob.runAsUser }}
+          {{- end -}}
+          {{- include "gloo.containerSecurityContext" (dict "values" .Values.gateway.rolloutJob.containerSecurityContext "defaults" $securityDefaults "podSecurityStandards" .Values.global.podSecurityStandards "indent" 10) }}
           {{- with .Values.gateway.rolloutJob.resources }}
           resources: {{ toYaml . | nindent 12}}
           {{- end }}

diff --git a/install/helm/gloo/templates/5-resource-rollout-cleanup-job.yaml b/install/helm/gloo/templates/5-resource-rollout-cleanup-job.yaml
@@ -44,11 +44,11 @@ spec:
         - name: kubectl
           image: {{template "gloo.image" $image}}
           imagePullPolicy: {{ $image.pullPolicy }}
-          securityContext:
-            runAsNonRoot: true
-            {{- if not .Values.gateway.rolloutJob.floatingUserId }}
-            runAsUser: {{ printf "%.0f" (float64 .Values.gateway.rolloutJob.runAsUser) -}}
-            {{- end }}
+          {{- $securityDefaults := dict "runAsNonRoot" true }}
+          {{- if not .Values.gateway.rolloutJob.floatingUserId -}}
+            {{- $_ := set $securityDefaults "runAsUser" .Values.gateway.rolloutJob.runAsUser }}
+          {{- end -}}
+          {{- include "gloo.containerSecurityContext" (dict "values" .Values.gateway.rolloutJob.containerSecurityContext "defaults" $securityDefaults "podSecurityStandards" .Values.global.podSecurityStandards "indent" 10) }}
           {{- with .Values.gateway.rolloutJob.resources }}
           resources: {{ toYaml . | nindent 12}}
           {{- end }}

diff --git a/install/helm/gloo/templates/5-resource-rollout-job.yaml b/install/helm/gloo/templates/5-resource-rollout-job.yaml
@@ -74,11 +74,11 @@ spec:
           volumeMounts:
             - name: custom-resource-config-volume
               mountPath: /etc/gloo-custom-resources
-          securityContext:
-            runAsNonRoot: true
-            {{- if not .Values.gateway.rolloutJob.floatingUserId }}
-            runAsUser: {{ printf "%.0f" (float64 .Values.gateway.rolloutJob.runAsUser) -}}
-            {{- end }}
+          {{- $securityDefaults := dict "runAsNonRoot" true }}
+          {{- if not .Values.gateway.rolloutJob.floatingUserId -}}
+            {{- $_ := set $securityDefaults "runAsUser" .Values.gateway.rolloutJob.runAsUser }}
+          {{- end -}}
+          {{- include "gloo.containerSecurityContext" (dict "values" .Values.gateway.rolloutJob.containerSecurityContext "defaults" $securityDefaults "podSecurityStandards" .Values.global.podSecurityStandards "indent" 10) }}
           {{- with .Values.gateway.rolloutJob.resources }}
           resources: {{ toYaml . | nindent 12}}
           {{- end }}

diff --git a/install/helm/gloo/templates/6-access-logger-deployment.yaml b/install/helm/gloo/templates/6-access-logger-deployment.yaml
@@ -57,6 +57,7 @@ spec:
         - image: {{ template "gloo.image" $image }}
           imagePullPolicy: {{ $image.pullPolicy }}
           name: access-logger
+          {{- include "gloo.containerSecurityContext" (dict "values" .Values.accessLogger.accessLoggerContainerSecurityContext "defaults" (dict) "podSecurityStandards" .Values.global.podSecurityStandards "indent" 10) }}
 {{- if .Values.accessLogger.resources }}
           resources:
 {{ toYaml .Values.accessLogger.resources | indent 12}}