diff --git a/docs/pages/includes/helm-reference/zz_generated.tbot.mdx b/docs/pages/includes/helm-reference/zz_generated.tbot.mdx
index 650fe1dec8259..dbd447246fc28 100644
--- a/docs/pages/includes/helm-reference/zz_generated.tbot.mdx
+++ b/docs/pages/includes/helm-reference/zz_generated.tbot.mdx
@@ -433,3 +433,15 @@ extraEnv:
 - name: HTTPS_PROXY
 value: "http://username:password@my.proxy.host:3128"
 ```
+
+## `securityContext`
+
+| Type | Default |
+|------|---------|
+| `object` | `null` |
+
+`securityContext` sets the container security context for any pods created by the chart.
+See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)
+for more details.
+
+By default, this is unset.
diff --git a/examples/chart/tbot/.lint/full.yaml b/examples/chart/tbot/.lint/full.yaml
index 9d076782b506e..6e555c8a9a726 100644
--- a/examples/chart/tbot/.lint/full.yaml
+++ b/examples/chart/tbot/.lint/full.yaml
@@ -98,3 +98,14 @@ extraArgs:
 extraEnv:
 - name: "TEST_ENV"
 value: "test-value"
+
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 9807
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/examples/chart/tbot/templates/deployment.yaml b/examples/chart/tbot/templates/deployment.yaml
index 8246f62deb566..64270a303e113 100644
--- a/examples/chart/tbot/templates/deployment.yaml
+++ b/examples/chart/tbot/templates/deployment.yaml
@@ -101,6 +101,9 @@ spec:
 {{- end }}
 {{- if .Values.resources }}
 resources: {{- toYaml .Values.resources | nindent 12 }}
+ {{- end }}
+ {{- if .Values.securityContext }}
+ securityContext: {{- toYaml .Values.securityContext | nindent 12 }}
 {{- end }}
 ports:
 - containerPort: 3001
diff --git a/examples/chart/tbot/tests/__snapshot__/deployment_test.yaml.snap b/examples/chart/tbot/tests/__snapshot__/deployment_test.yaml.snap
index d3ec33b9f928b..d4c02f90e64a4 100644
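Review bot: The `securityContext` rendered in the deployment template hunk lands only in the container spec — it is emitted at the same `nindent 12` level as `resources` — so pod-level fields such as `fsGroup`, `supplementalGroups` or a pod-wide `runAsNonRoot` cannot be expressed through this value, yet the accompanying doc text describes it as the security context "for any pods created by the chart". Either make the scope explicit in the values.yaml doc comment, e.g. `# securityContext(object) -- sets the *container* security context (spec.containers[].securityContext) of the tbot container; pod-level settings are not covered.`, or add a sibling `podSecurityContext` value rendered under the pod template spec. Note also that `{{- if .Values.securityContext }}` is false for an explicitly empty `{}`, which is harmless while the default is `null` but would make it impossible to clear a future non-null default by overriding with an empty map. The enclosing container definition starts and ends outside the hunk.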
--- a/examples/chart/tbot/tests/__snapshot__/deployment_test.yaml.snap
+++ b/examples/chart/tbot/tests/__snapshot__/deployment_test.yaml.snap
@@ -98,6 +98,16 @@ should match the snapshot (full):
 requests:
 cpu: 250m
 memory: 64Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 9807
+ seccompProfile:
+ type: RuntimeDefault
 volumeMounts:
 - mountPath: /config
 name: config
diff --git a/examples/chart/tbot/values.yaml b/examples/chart/tbot/values.yaml
index 680fda9d1a7fb..ebc70b6a6dc4f 100644
--- a/examples/chart/tbot/values.yaml
+++ b/examples/chart/tbot/values.yaml
@@ -226,4 +226,11 @@ extraArgs: []
 # - name: HTTPS_PROXY
 # value: "http://username:password@my.proxy.host:3128"
 # ```
-extraEnv: []
\ No newline at end of file
+extraEnv: []
+
+# securityContext(object) -- sets the container security context for any pods created by the chart.
+# See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)
+# for more details.
+#
+# By default, this is unset.
+securityContext: null
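Review bot: `securityContext: null` in the values.yaml hunk means a release installed with default values runs the tbot container with no hardening at all — no `allowPrivilegeEscalation: false`, no dropped capabilities, no seccomp profile — and every operator has to rediscover the block that `.lint/full.yaml` already exercises. Since the chart's own lint fixture and snapshot pass with that profile, the settings that correspond to the Pod Security Standards "restricted" level could ship as the default, with only the more intrusive ones left opt-in; `readOnlyRootFilesystem` and a fixed `runAsUser` are the ones most likely to need per-deployment tuning, so I would confirm them against the container's volume mounts before defaulting them. If the default changes, the `# By default, this is unset.` line in the doc comment and the generated mdx table need updating too. A possible default:

```yaml
# … unchanged: securityContext doc comment …
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault
```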