add support for modifying securityContext for code executor (#152)

tryretool · Feb 22, 2024 · 7684ef7 · 7684ef7
1 parent 0d75b38
commit 7684ef7
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 1 deletion.
diff --git a/charts/retool/Chart.yaml b/charts/retool/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: retool
 description: A Helm chart for Kubernetes
 type: application
-version: 6.0.16
+version: 6.0.17
 maintainers:
   - name: Retool Engineering
     email: engineering+helm@retool.com

diff --git a/charts/retool/templates/deployment_code_executor.yaml b/charts/retool/templates/deployment_code_executor.yaml
@@ -53,7 +53,11 @@ spec:
         image: "{{ .Values.codeExecutor.image.repository }}:{{ include "retool.codeExecutor.image.tag" . }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         securityContext:
+          {{ if .Values.codeExecutor.securityContext }}
+{{ toYaml .Values.codeExecutor.securityContext | indent 10 }}
+          {{ else }}
           privileged: true
+          {{ end }}
         env:
           - name: DEPLOYMENT_TEMPLATE_TYPE
             value: {{ template "retool.deploymentTemplateType" . }}

diff --git a/charts/retool/values.yaml b/charts/retool/values.yaml
@@ -440,6 +440,12 @@ codeExecutor:
       cpu: 1000m
       memory: 1024Mi
 
+  # code executor uses nsjail to sandbox code execution. nsjail requires privileged container access.
+  # If your deployment does not support privileged access, you can set `privileged` to false to not
+  # use nsjail. Without nsjail, all code is run without sandboxing within your deployment.
+  securityContext:
+    privileged: true
+
   image:
     repository: tryretool/code-executor-service
     # defaults to image.tag if >= 3.20.15, otherwise defaults to 1.1.0; explicitly set to override.

diff --git a/values.yaml b/values.yaml
@@ -440,6 +440,12 @@ codeExecutor:
       cpu: 1000m
       memory: 1024Mi
 
+  # code executor uses nsjail to sandbox code execution. nsjail requires privileged container access.
+  # If your deployment does not support privileged access, you can set `privileged` to false to not
+  # use nsjail. Without nsjail, all code is run without sandboxing within your deployment.
+  securityContext:
+    privileged: true
+
   image:
     repository: tryretool/code-executor-service
     # defaults to image.tag if >= 3.20.15, otherwise defaults to 1.1.0; explicitly set to override.