Add additional security options to daemonset chart (closes #62)

snowplow-devops · Sep 29, 2022 · be85ffe · be85ffe
1 parent 67744d9
commit be85ffe
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 0 deletions.
diff --git a/charts/daemonset/README.md b/charts/daemonset/README.md
@@ -60,6 +60,10 @@ helm delete daemonset
 | config.args | list | `[]` |  |
 | config.env | string | `nil` | Map of environment variables to use within the job |
 | config.secrets | object | `{}` | Map of secrets that will be exposed as environment variables within the job |
+| config.securityContext | object | `{}` | Map of securityContext object applied to pods |
+| config.hostPIDAccess | bool | `false` | Allow pods access to host process information |
+| config.hostNetworkAccess | bool | `false` | Allow pods access to host network |
+| config.dnsPolicy | object | `"Default"` | DNS Policy for pods |
 | configMaps | list | `[]` | List of config maps to mount to the deployment |
 | daemonsetAnnotations | object | `{}` | Annotations to be applied to the daemonset |
 | hostPaths | list | `[]` | List of host paths to mount to the deployment |

diff --git a/charts/daemonset/templates/daemonset.yaml b/charts/daemonset/templates/daemonset.yaml
@@ -27,6 +27,9 @@ spec:
         {{- end }}
     spec:
       enableServiceLinks: false
+      hostPID: {{ .Values.config.hostPIDAccess | default "false" }}
+      hostNetwork: {{ .Values.config.hostNetworkAccess | default "false" }}
+      dnsPolicy: {{ .Values.config.dnsPolicy | default "Default" }}
 
       {{- if .Values.cloudserviceaccount.deploy }}
       serviceAccountName: {{ .Values.cloudserviceaccount.name }}
@@ -95,6 +98,11 @@ spec:
             name: {{ include "app.secret.fullname" . }}
         {{- end }}
 
+        {{- if .Values.config.securityContext  }}
+        securityContext:
+          {{- toYaml $.Values.config.securityContext | nindent 10 }}
+        {{- end  }}
+
         resources:
           {{- toYaml .Values.resources | nindent 10 }}
 

diff --git a/charts/daemonset/values.yaml b/charts/daemonset/values.yaml
@@ -28,6 +28,23 @@ config:
   secrets: {}
   #  username: "password"
 
+  # -- Map of securityContext object applied to pods (https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
+  securityContext: {}
+  #  readOnlyRootFilesystem: true
+  #  privileged: false
+  #  capabilities:
+  #    add:
+  #    - NET_ADMIN
+
+  # -- Allow pods access to host proccess information
+  hostPIDAccess: false
+
+  # -- Allow pods access to host network ()
+  hostNetworkAccess: false
+
+  # -- DNS Policy for pods (https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/)
+  dnsPolicy: Default
+
 # -- List of config maps to mount to the deployment
 configMaps: []
 #  - name: "volume-1"