operator: added default security context

charts/victoria-metrics-common/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 type: library
 description: Victoria Metrics Common - contains shared templates for all Victoria Metrics helm charts
 name: victoria-metrics-common
-version: 0.0.37
+version: 0.0.38
 sources:
   - https://github.com/VictoriaMetrics/helm-charts
 kubeVersion: ">=1.23.0-0"

charts/victoria-metrics-common/templates/_pod.tpl

@@ -24,16 +24,13 @@ Usage:
 {{- include "vm.securityContext" (dict "securityContext" .Values.containerSecurityContext "helm" .) -}}
 */ -}}
 {{- define "vm.securityContext" -}}
-  {{- $securityContext := .securityContext -}}
+  {{- $securityContext := omit .securityContext "enabled" -}}
   {{- $Values := (.helm).Values | default .Values -}}
   {{- $adaptMode := (((($Values).global).compatibility).openshift).adaptSecurityContext | default "" -}}
   {{- if or (eq $adaptMode "force") (and (eq $adaptMode "auto") (include "vm.isOpenshift" .)) -}}
-    {{- $securityContext = omit $securityContext "fsGroup" "runAsUser" "runAsGroup" -}}
-    {{- if not $securityContext.seLinuxOptions -}}
-      {{- $securityContext = omit $securityContext "seLinuxOptions" -}}
-    {{- end -}}
+    {{- $securityContext = omit $securityContext "fsGroup" "runAsUser" "runAsGroup" "seLinuxOptions" -}}
   {{- end -}}
-  {{- omit $securityContext "enabled" | toYaml -}}
+  {{- toYaml $securityContext -}}
 {{- end -}}
 
 {{- /*

charts/victoria-metrics-operator/values.yaml

@@ -92,10 +92,18 @@ annotations: {}
 # -- Pod's security context. Details are [here](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
 podSecurityContext:
   enabled: true
+  fsGroup: 2000
+  runAsNonRoot: true
+  runAsUser: 1000
 
 # -- Security context to be added to server pods
 securityContext:
   enabled: true
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - ALL
+  readOnlyRootFilesystem: true
 
 operator:
   # -- By default, operator converts prometheus-operator objects.