From d02c2f6f7dca5457206e00a5a265b64187fa5819 Mon Sep 17 00:00:00 2001 From: Noah Stride Date: Thu, 9 Oct 2025 11:29:55 +0100 Subject: [PATCH 1/3] Add support for configuring podSecurityPolicy to tbot helm chart --- examples/chart/tbot/.lint/full.yaml | 4 ++++ examples/chart/tbot/templates/deployment.yaml | 3 +++ .../tbot/tests/__snapshot__/deployment_test.yaml.snap | 3 +++ examples/chart/tbot/values.yaml | 7 +++++++ 4 files changed, 17 insertions(+) diff --git a/examples/chart/tbot/.lint/full.yaml b/examples/chart/tbot/.lint/full.yaml index 6e555c8a9a726..5723d7221e0f5 100644 --- a/examples/chart/tbot/.lint/full.yaml +++ b/examples/chart/tbot/.lint/full.yaml @@ -109,3 +109,7 @@ securityContext: runAsUser: 9807 seccompProfile: type: RuntimeDefault + +podSecurityContext: + runAsUser: 1000 + runAsGroup: 3000 \ No newline at end of file diff --git a/examples/chart/tbot/templates/deployment.yaml b/examples/chart/tbot/templates/deployment.yaml index 64270a303e113..e98cf3bd2da26 100644 --- a/examples/chart/tbot/templates/deployment.yaml +++ b/examples/chart/tbot/templates/deployment.yaml @@ -46,6 +46,9 @@ spec: {{- end }} {{- if .Values.tolerations }} tolerations: {{- toYaml .Values.tolerations | nindent 8 }} + {{- end }} + {{- if .Values.podSecurityContext }} + securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} {{- end }} containers: - name: tbot diff --git a/examples/chart/tbot/tests/__snapshot__/deployment_test.yaml.snap b/examples/chart/tbot/tests/__snapshot__/deployment_test.yaml.snap index 24ea5ada9c436..35468d774217c 100644 --- a/examples/chart/tbot/tests/__snapshot__/deployment_test.yaml.snap +++ b/examples/chart/tbot/tests/__snapshot__/deployment_test.yaml.snap @@ -119,6 +119,9 @@ should match the snapshot (full): - name: test-pull-secret nodeSelector: test-key: test-node-selector + securityContext: + runAsGroup: 3000 + runAsUser: 1000 serviceAccountName: modified-sa-name tolerations: - effect: NoSchedule 
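Review bot: The `runAsUser: 1000` added under `podSecurityContext` in `.lint/full.yaml` is probably shadowed by the `runAsUser: 9807` that the `securityContext` block just above it already sets, so the fixture does not show the pod-level value having any effect. If that existing value is rendered on the tbot container (its template lines are outside this patch), Kubernetes gives the container-level field precedence and the snapshot only proves that the block is emitted. Using a field that exists only at pod level, for example `fsGroup: 3000` in place of `runAsUser: 1000`, would exercise something the container-level value cannot express; the snapshot in this patch would then need regenerating. The subject line also says podSecurityPolicy, which is a different and removed Kubernetes API from the `podSecurityContext` value this patch adds.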
diff --git a/examples/chart/tbot/values.yaml b/examples/chart/tbot/values.yaml index a17df319cad6c..10894417f0f0c 100644 --- a/examples/chart/tbot/values.yaml +++ b/examples/chart/tbot/values.yaml @@ -283,3 +283,10 @@ extraEnv: [] # # By default, this is unset. securityContext: null + +# podSecurityContext(object) -- sets the pod security context for any pods created by the chart. +# See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) +# for more details. +# +# By default, this is unset. +podSecurityContext: null From cf054bd34dfcc036e90204df16a7082ca952f5e1 Mon Sep 17 00:00:00 2001 From: Noah Stride Date: Thu, 9 Oct 2025 13:18:00 +0100 Subject: [PATCH 2/3] whitespace --- examples/chart/tbot/.lint/full.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/chart/tbot/.lint/full.yaml b/examples/chart/tbot/.lint/full.yaml index 5723d7221e0f5..6e7a0a1711588 100644 --- a/examples/chart/tbot/.lint/full.yaml +++ b/examples/chart/tbot/.lint/full.yaml @@ -112,4 +112,4 @@ securityContext: podSecurityContext: runAsUser: 1000 - runAsGroup: 3000 \ No newline at end of file + runAsGroup: 3000 From 5387e88129d9aa011dc93b1d706f6008b074644c Mon Sep 17 00:00:00 2001 From: Noah Stride Date: Thu, 9 Oct 2025 13:25:30 +0100 Subject: [PATCH 3/3] Update documentation with now field --- .../includes/helm-reference/zz_generated.tbot.mdx | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/docs/pages/includes/helm-reference/zz_generated.tbot.mdx b/docs/pages/includes/helm-reference/zz_generated.tbot.mdx index b9f5e385d11c2..18415c842586f 100644 --- a/docs/pages/includes/helm-reference/zz_generated.tbot.mdx +++ b/docs/pages/includes/helm-reference/zz_generated.tbot.mdx 
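Review bot: The comment on `podSecurityContext` in `values.yaml` does not say how it interacts with the `securityContext` value documented directly above it, which an operator hardening the chart needs in order to know which key to set. Assuming `securityContext` is applied to the tbot container, I would add `# Fields set here apply to every container in the pod; the same field set in securityContext takes precedence for that container.` and mention that pod-only settings such as `fsGroup` belong here. Both keys default to `null`, so the chart renders no non-root or seccomp constraint unless the operator supplies one; a short example in the comment (`runAsNonRoot: true`, `seccompProfile.type: RuntimeDefault`) would make the hardened setting easy to find. The generated reference in PATCH 3/3 appears to be built from this comment and would need regenerating.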
@@ -557,3 +557,15 @@ See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-po for more details. By default, this is unset. + +## `podSecurityContext` + +| Type | Default | +|------|---------| +| `object` | `null` | + +`podSecurityContext` sets the pod security context for any pods created by the chart. +See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) +for more details. + +By default, this is unset.