be able to supply your own security context for operator and server c…

…ontainers (kiali#166) * be able to supply your own security context for operator and server pods fixes: kiali/kiali#5455 * be able to ignore a user's attempt to override portions of the securityContext
jmazzitelli · Sep 16, 2022 · ec0eb75 · ec0eb75
1 parent 955c7d2
commit ec0eb75
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 0 deletions.
diff --git a/kiali-operator/templates/deployment.yaml b/kiali-operator/templates/deployment.yaml
@@ -45,12 +45,16 @@ spec:
         - "--zap-log-level=info"
         - "--leader-election-id={{ include "kiali-operator.fullname" . }}"
         securityContext:
+        {{- if .Values.securityContext }}
+        {{- toYaml .Values.securityContext | nindent 10 }}
+        {{- else }}
           allowPrivilegeEscalation: false
           privileged: false
           runAsNonRoot: true
           capabilities:
             drop:
             - ALL
+        {{- end }}
         volumeMounts:
         - mountPath: /tmp/ansible-operator/runner
           name: runner
@@ -69,6 +73,8 @@ spec:
           value: {{ .Values.allowAdHocKialiNamespace | quote }}
         - name: ALLOW_AD_HOC_KIALI_IMAGE
           value: {{ .Values.allowAdHocKialiImage | quote }}
+        - name: ALLOW_SECURITY_CONTEXT_OVERRIDE
+          value: {{ .Values.allowSecurityContextOverride | quote }}
         - name: PROFILE_TASKS_TASK_OUTPUT_LIMIT
           value: "100"
         - name: ANSIBLE_DEBUG_LOGS

diff --git a/kiali-operator/values.yaml b/kiali-operator/values.yaml
@@ -20,6 +20,7 @@ resources:
 affinity: {}
 replicaCount: 1
 priorityClassName: ""
+securityContext: {}
 
 # metrics.enabled: set to true if you want Prometheus to collect metrics from the operator
 metrics:
@@ -67,6 +68,11 @@ allowAdHocKialiNamespace: true
 # You may want to disable this if you do not want users to install their own Kiali images.
 allowAdHocKialiImage: false
 
+# allowSecurityContextOverride tells the operator to allow a user to be able to fully override the Kiali
+# container securityContext. If this is false, certain securityContext settings must exist on the Kiali
+# container and any attempt to override them will be ignored.
+allowSecurityContextOverride: false
+
 # For what a Kiali CR spec can look like, see:
 # https://github.com/kiali/kiali-operator/blob/master/deploy/kiali/kiali_cr.yaml
 cr:

diff --git a/kiali-server/templates/deployment.yaml b/kiali-server/templates/deployment.yaml
@@ -61,13 +61,17 @@ spec:
         - "-config"
         - "/kiali-configuration/config.yaml"
         securityContext:
+        {{- if .Values.deployment.security_context}}
+        {{- toYaml .Values.deployment.security_context | nindent 10 }}
+        {{- else }}
           allowPrivilegeEscalation: false
           privileged: false
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           capabilities:
             drop:
             - ALL
+        {{- end }}
         ports:
         - name: api-port
           containerPort: {{ .Values.server.port | default 20001 }}

diff --git a/kiali-server/values.yaml b/kiali-server/values.yaml
@@ -70,6 +70,7 @@ deployment:
     limits:
       memory: "1Gi"
   secret_name: "kiali"
+  security_context: {}
   service_annotations: {}
   service_type: ""
   tolerations: []