diff --git a/helm/kanister-operator/templates/deployment.yaml b/helm/kanister-operator/templates/deployment.yaml
index a560e5d0a6..e447296777 100644
--- a/helm/kanister-operator/templates/deployment.yaml
+++ b/helm/kanister-operator/templates/deployment.yaml
@@ -14,6 +14,10 @@ spec:
 labels:
 {{ include "kanister-operator.helmLabels" . | indent 8}}
 spec:
+{{- if .Values.controller.podSecurityContext }}
+ securityContext:
+{{ toYaml .Values.controller.podSecurityContext | indent 8 }}
+{{- end }}
 serviceAccountName: {{ template "kanister-operator.serviceAccountName" . }}
 {{- if or .Values.bpValidatingWebhook.enabled .Values.validatingWebhook.repositoryserver.enabled }}
 volumes:
@@ -29,6 +33,8 @@ spec:
 - name: {{ template "kanister-operator.fullname" . }}
 image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
 imagePullPolicy: {{ .Values.image.pullPolicy }}
+ securityContext:
+{{ include "controller.containerSecurityContext" . }}
 {{- if .Values.bpValidatingWebhook.enabled }}
 volumeMounts:
 - name: webhook-certs
@@ -53,6 +59,8 @@ spec:
 - name: {{ template "repository-server-controller.name" . }}
 image: {{ .Values.repositoryServerControllerImage.registry }}/{{ .Values.repositoryServerControllerImage.name }}:{{ .Values.repositoryServerControllerImage.tag }}
 imagePullPolicy: {{ .Values.repositoryServerControllerImage.pullPolicy }}
+ securityContext:
+{{ include "controller.containerSecurityContext" . }}
 {{- if .Values.validatingWebhook.repositoryserver.enabled }}
 volumeMounts:
 - name: webhook-certs
diff --git a/helm/kanister-operator/values.yaml b/helm/kanister-operator/values.yaml
index e6967d08b2..9c94cfd6aa 100644
--- a/helm/kanister-operator/values.yaml
+++ b/helm/kanister-operator/values.yaml
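Review bot: The pod-level block is wrapped in `{{- if .Values.controller.podSecurityContext }}`, so a user who overrides `podSecurityContext` with `{}` or null silently drops `runAsUser` and `fsGroup`, while the container-level context added in the two later hunks is rendered unconditionally; the two halves of the hardening profile can therefore diverge without any rendering error. A short template comment above the `if` would make the asymmetry explicit, e.g. `{{- /* Pod-level context is optional; the container-level securityContext below is always rendered */ -}}`. The enclosing pod spec continues outside the hunk.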
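Review bot: `{{ include "controller.containerSecurityContext" . }}` is emitted at column 0 with no `indent`, so whether its output nests under the `securityContext:` key on the line above depends entirely on the helper hard-coding the right number of spaces; the helper's definition is not part of this diff, so that cannot be verified here. The sibling pod-level block in the first hunk does the indentation in the template (`toYaml ... | indent 8`), and the same shape here, `{{ include "controller.containerSecurityContext" . | indent 10 }}` with the helper emitting plain `toYaml` output, would keep the indentation visible where it matters and make the two patterns consistent. The same applies to the third hunk for the repository-server-controller container.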
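Review bot: The repository-server-controller container receives the same `controller.containerSecurityContext` helper as the operator container, so with the chart defaults it also runs with `readOnlyRootFilesystem: true`, yet it is a different image and this diff adds no writable emptyDir for it. If that process writes anywhere under its root filesystem (temp files, caches), the failure shows up at runtime rather than at render time; worth confirming against the image, or mounting an emptyDir at the paths it writes. The container definition continues outside the hunk.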
@@ -36,6 +36,20 @@ controller:
 # false : kanister-prometheus framework has been disabled
 # true: kanister-prometheus framework has been enabled
 enabled: false
+ # Pod-level security context settings
+ podSecurityContext:
+ runAsUser: 1000
+ fsGroup: 2000
+ runAsNonRoot: true
+
+ # Container-level security context settings
+ containerSecurityContext:
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
 dataStore:
 parallelism:
 upload: 8
@@ -88,4 +102,4 @@ tolerations: []
 # value: "true"
 #
 # node labels for pod assignment. Evaluated as template
-nodeSelector: {}
+nodeSelector: {}
\ No newline at end of file
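Review bot: `runAsNonRoot: true` is set under `containerSecurityContext`, where the kubelet enforces it against the image's user whenever no numeric `runAsUser` is in effect; the only `runAsUser: 1000` lives in `podSecurityContext`, which the template renders conditionally, so a user who overrides that map without a UID can end up with a pod rejected at start if the images do not declare a numeric USER. A comment above `podSecurityContext` such as `# runAsUser is required unless the controller images declare a numeric USER; container-level runAsNonRoot is always enforced` would prevent that. Separately, the defaults stop one field short of the Pod Security Standards restricted profile: adding `seccompProfile:` / `  type: RuntimeDefault` under `podSecurityContext` would complete it.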