feat(capacitor): add default securityContext (#108)

Signed-off-by: Sebastian Gaiser <sebastiangaiser@users.noreply.github.com>
sebastiangaiser · Jan 18, 2025 · b13ea26 · b13ea26
1 parent 4341e33
commit b13ea26
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 4 deletions.
diff --git a/charts/capacitor/Chart.yaml b/charts/capacitor/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: capacitor
 description: A Helm chart for deploying capacitor, a general purpose UI for FluxCD
 type: application
-version: 0.1.5
+version: 0.2.0
 # renovate: image=ghcr.io/gimlet-io/capacitor
 appVersion: v0.4.8
 maintainers:

diff --git a/charts/capacitor/README.md b/charts/capacitor/README.md
@@ -1,6 +1,6 @@
 # capacitor
 
-![Version: 0.1.5](https://img.shields.io/badge/Version-0.1.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.4.8](https://img.shields.io/badge/AppVersion-v0.4.8-informational?style=flat-square)
+![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.4.8](https://img.shields.io/badge/AppVersion-v0.4.8-informational?style=flat-square)
 
 A Helm chart for deploying capacitor, a general purpose UI for FluxCD
 
@@ -29,6 +29,7 @@ Check the values how to configure the flavor.
 | networkPolicy.flavor | string | `"kubernetes"` | kubernetes |
 | nodeSelector | object | `{}` | Node selectors |
 | podAnnotations | object | `{}` |  |
+| podSecurityContext | object | `{}` | Pod security context |
 | readinessProbe | object | `{"failureThreshold":3,"httpGet":{"path":"/","port":9000,"scheme":"HTTP"},"initialDelaySeconds":0,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":3}` | Readiness probe |
 | replicaCount | int | `1` |  |
 | resources | object | `{"requests":{"cpu":"200m","memory":"200Mi"}}` | Resources |

diff --git a/charts/capacitor/templates/deployment.yaml b/charts/capacitor/templates/deployment.yaml
@@ -27,6 +27,8 @@ spec:
       serviceAccountName: {{ include "capacitor.serviceAccountName" . }}
       securityContext:
         fsGroup: 999
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
         - name: capacitor
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
@@ -45,9 +47,20 @@ spec:
           {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
-          {{- with .Values.securityContext }}
+          {{- if .Values.securityContext }}
           securityContext:
-            {{- toYaml . | nindent 12 }}
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          {{- else }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 65534
+            seccompProfile:
+              type: RuntimeDefault
           {{- end }}
           {{- with .Values.nodeSelector }}
       nodeSelector:

diff --git a/charts/capacitor/values.yaml b/charts/capacitor/values.yaml
@@ -22,6 +22,9 @@ image:
 # -- Security context
 securityContext: {}
 
+# -- Pod security context
+podSecurityContext: {}
+
 # -- Liveness probe
 livenessProbe: {}