Merge #176
176: feat: Add support of securityContext r=alallema a=legal90

# Pull Request

## Related issue
_None_

## What does this PR do?
This PR implements support for `securityContext` on both the container and pod level: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

That allows enforcing security settings such as `allowPrivilegeEscalation`, `readOnlyRootFilesystem` and others.
Default settings are verified as working "out of the box".
`readOnlyRootFilesystem: true` could be enabled on installations where `persistence.enabled` is set to true and `/tmp` is mounted as a read-write volume (for example, as `emptyDir: {}`)

## PR checklist
Please check if your PR fulfills the following requirements:
- [x] Does this PR fix an existing issue, or have you listed the changes applied in the PR description (and why they are needed)?
- [x] Have you read the contributing guidelines?
- [x] Have you made sure that the title is accurate and descriptive of the changes?


Co-authored-by: Mikhail Zholobov <legal90@gmail.com>
Co-authored-by: Amélie <alallema@users.noreply.github.com>
3 people authored Jun 8, 2023
2 parents 14772a7 + b64fdb7 commit b9862ea
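The PR description says `readOnlyRootFilesystem: true` needs persistence enabled plus a writable `/tmp`. As an added example (not part of this PR or of the chart's own files), here is a values override that does exactly that. It assumes the chart's top-level `volumes` and `volumeMounts` values are rendered into the pod spec, as the `{{- if or .Values.persistence.enabled .Values.volumes }}` / `.Values.volumeMounts` references in `templates/statefulset.yaml` indicate; the volume name `tmp` is an arbitrary choice.

```yaml
# hardened-values.yaml (added example; file name and volume name are assumptions)
persistence:
  enabled: true          # data directory comes from the PVC, so the image rootfs can be read-only

securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true   # the chart leaves this commented out by default

# Give Meilisearch a writable /tmp, as the PR description recommends
volumes:
  - name: tmp
    emptyDir: {}

volumeMounts:
  - name: tmp
    mountPath: /tmp
```

Render with `helm template meilisearch charts/meilisearch -f hardened-values.yaml` and confirm the container's `securityContext` carries `readOnlyRootFilesystem: true` and that `/tmp` appears under `volumeMounts` before installing.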
Showing 5 changed files with 26 additions and 3 deletions.
2 changes: 1 addition & 1 deletion charts/meilisearch/Chart.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: v1
appVersion: "v1.2.0"
description: A Helm chart for the Meilisearch search engine
name: meilisearch
version: 0.1.56
version: 0.1.57
icon: https://res.cloudinary.com/meilisearch/image/upload/v1597822872/Logo/logo_img.svg
home: https://github.com/meilisearch/meilisearch-kubernetes/tree/main/charts/meilisearch
maintainers:
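Review bot: the bump from 0.1.56 to 0.1.57 is patch-level, but this release changes the default rendered pod: every deployment now drops all capabilities and sets `allowPrivilegeEscalation: false` unless the user overrides `securityContext`. That is a behaviour change for existing users, so it deserves a mention in the chart's changelog or README upgrade notes rather than only a version bump.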
5 changes: 4 additions & 1 deletion charts/meilisearch/README.md
Expand Up @@ -2,7 +2,7 @@

A Helm chart for the Meilisearch search engine

![Version: 0.1.56](https://img.shields.io/badge/Version-0.1.56-informational?style=flat-square) ![AppVersion: v1.2.0](https://img.shields.io/badge/AppVersion-v1.2.0-informational?style=flat-square)
![Version: 0.1.57](https://img.shields.io/badge/Version-0.1.57-informational?style=flat-square) ![AppVersion: v1.2.0](https://img.shields.io/badge/AppVersion-v1.2.0-informational?style=flat-square)

Helm works as a package manager to run pre-configured Kubernetes resources.

Expand Down Expand Up @@ -87,10 +87,13 @@ You can also use `auth.existingMasterKeySecret` to use an existing secret that h
| persistence.volume.mountPath | string | `"/meili_data"` | |
| persistence.volume.name | string | `"data"` | |
| podAnnotations | object | `{}` | |
| podSecurityContext | object | `{}` | |
| readinessProbe.InitialDelaySeconds | int | `0` | |
| readinessProbe.periodSeconds | int | `10` | |
| replicaCount | int | `1` | Number of Meilisearch pods to run |
| resources | object | `{}` | Resources allocation (Requests and Limits) |
| securityContext.allowPrivilegeEscalation | bool | `false` | |
| securityContext.capabilities.drop[0] | string | `"ALL"` | |
| service | object | `{"annotations":{},"port":7700,"type":"ClusterIP"}` | Service HTTP port |
| service.annotations | object | `{}` | Additional annotations for service |
| service.type | string | `"ClusterIP"` | Kubernetes Service type |
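Review bot: the new rows `podSecurityContext`, `securityContext.allowPrivilegeEscalation` and `securityContext.capabilities.drop[0]` all have an empty description column, unlike neighbouring rows such as `replicaCount` and `resources`. This table is generated from `# --` comments in values.yaml, so add those comments there (for example `# -- Pod-level securityContext, applied to all containers in the pod`) and regenerate the README instead of editing the table by hand.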
6 changes: 6 additions & 0 deletions charts/meilisearch/templates/statefulset.yaml
Expand Up @@ -25,6 +25,10 @@ spec:
imagePullSecrets:
- name: {{ .Values.image.pullSecret }}
{{- end }}
{{- if .Values.podSecurityContext }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
{{- end }}
{{- if or .Values.persistence.enabled .Values.volumes }}
volumes:
{{- if .Values.persistence.enabled }}
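Review bot: with `podSecurityContext` defaulting to `{}`, this guard means no pod-level settings (such as `runAsNonRoot` or `fsGroup`) are rendered at all, so the pod inherits whatever the cluster or admission policy applies. That is a reasonable default, but it should be stated in the values.yaml comment so users do not assume the chart sets a non-root user at the pod level.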
Expand All @@ -40,6 +44,8 @@ spec:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
{{ toYaml .Values.securityContext | indent 12 }}
{{- if or .Values.persistence.enabled .Values.volumeMounts }}
volumeMounts:
{{- if .Values.persistence.enabled }}
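Review bot: `{{ toYaml .Values.securityContext | indent 12 }}` is written differently from the pod-level block above, which uses `{{- toYaml .Values.podSecurityContext | nindent 8 }}`. With `indent` and an untrimmed `{{`, whatever whitespace precedes the action on the template line is emitted ahead of the first rendered line, so the line only renders correctly if it sits at column 0. Use `{{- toYaml .Values.securityContext | nindent 12 }}` for consistency with the pod-level block and to make the indentation independent of the template's own layout. Note also that this block is unconditional while the pod-level one is guarded; a user who sets `securityContext: {}` gets `securityContext: {}` in the manifest, which is valid, so the asymmetry is harmless but worth a comment.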
9 changes: 9 additions & 0 deletions charts/meilisearch/values.yaml
Expand Up @@ -78,6 +78,15 @@ service:
container:
containerPort: 7700

podSecurityContext: {}

securityContext:
capabilities:
drop:
- ALL
allowPrivilegeEscalation: false
# readOnlyRootFilesystem: true

ingress:
# -- Enable ingress controller resource
enabled: false
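Review bot: the commented-out `# readOnlyRootFilesystem: true` carries none of the precondition spelled out in the PR description (it only works with `persistence.enabled: true` and a writable `/tmp`, e.g. an `emptyDir`). Put that in a comment next to the line, and add `# --` descriptions for `podSecurityContext` and `securityContext` in the style used by `# -- Enable ingress controller resource` just below, so the generated README table is not left with blank description cells.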
7 changes: 6 additions & 1 deletion manifests/meilisearch.yaml
Expand Up @@ -75,13 +75,18 @@ spec:
app.kubernetes.io/component: search-engine
app.kubernetes.io/part-of: meilisearch
annotations:
checksum/config: 6f8c0a50a22feeb157b65cae3b297c42440124f48c9ce7f61af14696f4ec4d3a
checksum/config: 8893d8dad5cbf7ebfb0b70bb8b3214939bb540fb6fb780f39b2f3fb0d4b52d6f
spec:
serviceAccountName: meilisearch
containers:
- name: meilisearch
image: "getmeili/meilisearch:v1.2.0"
imagePullPolicy: IfNotPresent
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
envFrom:
- configMapRef:
name: meilisearch-environment
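Review bot: the `checksum/config` annotation changes here, yet none of the five files in this diff is a ConfigMap or Secret template, so it is worth confirming the manifest was regenerated from the same values as before and that the checksum shift is not picking up unrelated local changes. Separately, this static manifest only carries the container-level `securityContext`; anyone using the raw manifest and wanting `readOnlyRootFilesystem: true` must add the `/tmp` volume themselves, which the manifest's header comment should say.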