Support pod.spec.containers.securityContext specification

This PR attempts to close #116 Following the valeriano-manassero's implementation, https://github.com/valeriano-manassero/helm-charts/blob/6382a14272927a908bc006d0f1370ba9dffc821f/valeriano-manassero/trino/values.yaml#L467-L471 let me Support `pod.spec.containers.securityContext` specification
trinodb · Mar 14, 2024 · e4b9174 · e4b9174
1 parent 2117df8
commit e4b9174
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 0 deletions.
diff --git a/charts/trino/README.md b/charts/trino/README.md
@@ -49,6 +49,8 @@ The following table lists the configurable parameters of the Trino chart and the
 | `sidecarContainers` |  | `{}` |
 | `securityContext.runAsUser` |  | `1000` |
 | `securityContext.runAsGroup` |  | `1000` |
+| `containerSecurityContext.allowPrivilegeEscalation` | Control whether a process can gain more privileges than its parent process. | `false` |
+| `containerSecurityContext.capabilities.drop` | List of Linux kernel capabilities that are dropped from every container. You can confirm the options for "capabilities" here:　https://man7.org/linux/man-pages/man7/capabilities.7.html  Please make sure to remove "CAP_" prefix which the kernel attaches to the names of permissions. | `["ALL"]` |
 | `shareProcessNamespace.coordinator` |  | `false` |
 | `shareProcessNamespace.worker` |  | `false` |
 | `service.type` |  | `"ClusterIP"` |

diff --git a/charts/trino/templates/deployment-coordinator.yaml b/charts/trino/templates/deployment-coordinator.yaml
@@ -104,6 +104,8 @@ spec:
         - name: {{ .Chart.Name }}-coordinator
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          securityContext:
+            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
           env:
             {{- toYaml .Values.env | nindent 12 }}
           envFrom:

diff --git a/charts/trino/templates/deployment-worker.yaml b/charts/trino/templates/deployment-worker.yaml
@@ -80,6 +80,8 @@ spec:
         - name: {{ .Chart.Name }}-worker
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          securityContext:
+            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
           env:
             {{- toYaml .Values.env | nindent 12 }}
           envFrom:

diff --git a/charts/trino/values.yaml b/charts/trino/values.yaml
@@ -218,6 +218,13 @@ securityContext:
   runAsUser: 1000
   runAsGroup: 1000
 
+# -- SecurityContext configuration for containers
+containerSecurityContext:
+  allowPrivilegeEscalation: false  #  Control whether a process can gain more privileges than its parent process.
+  capabilities:
+    drop:  # List of Linux kernel capabilities that are dropped from every container. You can confirm the options for "capabilities" here:　https://man7.org/linux/man-pages/man7/capabilities.7.html  Please make sure to remove "CAP_" prefix which the kernel attaches to the names of permissions.
+      - ALL
+
 shareProcessNamespace:
   coordinator: false
   worker: false