Merge pull request #1524 from snyk/feat/helm-add-pod-security-context…

…-value

feat: helm add pod security context value

snyk-monitor/templates/deployment.yaml

@@ -33,10 +33,19 @@ spec:
  {{- toYaml . | nindent 8 }}
  {{- end }}
  spec:
- {{- with .Values.securityContext.fsGroup }}
- securityContext:
- fsGroup: {{ int . }}
- {{- end }}
+ {{- with .Values.podSecurityContext }}
+ securityContext:
+ {{- $fsGroupOverride := dict }}
+ {{- if hasKey $.Values.securityContext "fsGroup" }}
+ {{- $fsGroupOverride = dict "fsGroup" (int $.Values.securityContext.fsGroup) }}
+ {{- end }}
+ {{- merge $fsGroupOverride . | toYaml | nindent 8 }}
+ {{- else }}
+ {{- if .Values.securityContext.fsGroup }}
+ securityContext:
+ fsGroup: {{ int .Values.securityContext.fsGroup }}
+ {{- end }}
+ {{- end }}
  affinity:
  nodeAffinity:
  requiredDuringSchedulingIgnoredDuringExecution:
@@ -250,14 +259,10 @@ spec:
  exec:
  command:
  - "true"
+ {{- with .Values.snykMonitorSecurityContext }}
  securityContext:
- privileged: false
- runAsNonRoot: true
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- capabilities:
- drop:
- - ALL
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
  volumes:
  - name: docker-config
  secret:

snyk-monitor/values.yaml

@@ -135,8 +135,25 @@ excludedNamespaces:
 # spec:
 # securityContext:
 # fsGroup: <-- here
-securityContext:
- fsGroup:
+# ... <-- here
+securityContext: {}
+
+# Allow specifying the whole object in the PodSpec securityContext:
+# spec:
+# template:
+# spec:
+# securityContext:
+# ... <-- here
+podSecurityContext: {}
+
+snykMonitorSecurityContext:
+ privileged: false
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
 
 # Set node tolerations for snyk-monitor
 tolerations: []