Support pod.spec.containers.securityContext specification
This PR attempts to close #116

Following valeriano-manassero's implementation,
https://github.com/valeriano-manassero/helm-charts/blob/6382a14272927a908bc006d0f1370ba9dffc821f/valeriano-manassero/trino/values.yaml#L467-L471

let me support the `pod.spec.containers.securityContext` specification.
LittleWat committed Mar 14, 2024
1 parent 2117df8 commit e4b9174
Showing 4 changed files with 13 additions and 0 deletions.
2 changes: 2 additions & 0 deletions charts/trino/README.md
Expand Up @@ -49,6 +49,8 @@ The following table lists the configurable parameters of the Trino chart and the
| `sidecarContainers` | | `{}` |
| `securityContext.runAsUser` | | `1000` |
| `securityContext.runAsGroup` | | `1000` |
| `containerSecurityContext.allowPrivilegeEscalation` | Control whether a process can gain more privileges than its parent process. | `false` |
| `containerSecurityContext.capabilities.drop` | List of Linux kernel capabilities that are dropped from every container. You can confirm the options for "capabilities" here: https://man7.org/linux/man-pages/man7/capabilities.7.html Please make sure to remove "CAP_" prefix which the kernel attaches to the names of permissions. | `["ALL"]` |
| `shareProcessNamespace.coordinator` | | `false` |
| `shareProcessNamespace.worker` | | `false` |
| `service.type` | | `"ClusterIP"` |
2 changes: 2 additions & 0 deletions charts/trino/templates/deployment-coordinator.yaml
Expand Up @@ -104,6 +104,8 @@ spec:
- name: {{ .Chart.Name }}-coordinator
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
{{- toYaml .Values.containerSecurityContext | nindent 12 }}
env:
{{- toYaml .Values.env | nindent 12 }}
envFrom:
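Review bot: `securityContext:` is emitted unconditionally, so a user who sets `containerSecurityContext: {}` or `null` to opt out gets `securityContext: {}` or `securityContext: null` in the rendered manifest instead of no key at all. Wrapping the two lines in `{{- with .Values.containerSecurityContext }} ... {{- end }}` keeps the output clean. A template comment is also warranted: fields set in this container-level block override the pod-level `securityContext` (`runAsUser`/`runAsGroup`) the chart already sets, so a user adding `runAsUser: 0` here silently defeats the pod-level value.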
2 changes: 2 additions & 0 deletions charts/trino/templates/deployment-worker.yaml
Expand Up @@ -80,6 +80,8 @@ spec:
- name: {{ .Chart.Name }}-worker
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
{{- toYaml .Values.containerSecurityContext | nindent 12 }}
env:
{{- toYaml .Values.env | nindent 12 }}
envFrom:
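Review bot: this is the same two-line block as in deployment-coordinator.yaml, so the two templates now have to be kept in sync by hand; any later change, such as guarding against an empty value or adding a default, has to be made twice. A shared named template for the container security context, included from both deployments, would avoid the duplication.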
7 changes: 7 additions & 0 deletions charts/trino/values.yaml
Expand Up @@ -218,6 +218,13 @@ securityContext:
runAsUser: 1000
runAsGroup: 1000

# -- SecurityContext configuration for containers
containerSecurityContext:
allowPrivilegeEscalation: false # Control whether a process can gain more privileges than its parent process.
capabilities:
drop: # List of Linux kernel capabilities that are dropped from every container. You can confirm the options for "capabilities" here: https://man7.org/linux/man-pages/man7/capabilities.7.html Please make sure to remove "CAP_" prefix which the kernel attaches to the names of permissions.
- ALL

shareProcessNamespace:
coordinator: false
worker: false
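Review bot: the trailing comment on `drop:` is a single line of roughly 300 characters; move it (and the `allowPrivilegeEscalation` comment) into a short comment block above the keys so the file stays readable. If the README table is generated with helm-docs, which the `# --` prefix on the block comment suggests, note that helm-docs reads `# --` comments placed before a key, not trailing inline comments, so the descriptions should live there. The guidance itself is correct: Kubernetes expects capability names without the `CAP_` prefix used in capabilities(7), for example `NET_BIND_SERVICE` for `CAP_NET_BIND_SERVICE`.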