From ea1fa9531e37e0d47dd2492756c8078fa475ef93 Mon Sep 17 00:00:00 2001 From: CatherineThompson Date: Thu, 20 Jun 2024 17:56:47 -0600 Subject: [PATCH] make pod security context fully configurable --- charts/trino/README.md | 10 ++++++++-- charts/trino/templates/deployment-coordinator.yaml | 7 +++++-- charts/trino/templates/deployment-worker.yaml | 3 +-- charts/trino/values.yaml | 7 +++++++ 4 files changed, 21 insertions(+), 6 deletions(-) diff --git a/charts/trino/README.md b/charts/trino/README.md index 53aba971..f261b0b0 100644 --- a/charts/trino/README.md +++ b/charts/trino/README.md @@ -312,8 +312,13 @@ Fast distributed SQL query engine for big data analytics that helps you explore imagePullPolicy: IfNotPresent command: ['sleep', '1'] ``` -* `securityContext.runAsUser` - int, default: `1000` -* `securityContext.runAsGroup` - int, default: `1000` +* `securityContext` - object, default: `{"runAsGroup":1000,"runAsUser":1000}` + + [Pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) configuration. + Remove the pod security context + ```yaml + securityContext: ~ + ``` * `containerSecurityContext` - object, default: `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}` [Container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) configuration. @@ -662,6 +667,7 @@ Fast distributed SQL query engine for big data analytics that helps you explore value: '$2' help: 'ThreadCount (java.lang<>ThreadCount)' type: UNTYPED +* `jmx.exporter.securityContext` - object, default: `{}` * `serviceMonitor.enabled` - bool, default: `false` Set to true to create resources for the [prometheus-operator](https://github.com/prometheus-operator/prometheus-operator). diff --git a/charts/trino/templates/deployment-coordinator.yaml b/charts/trino/templates/deployment-coordinator.yaml index 14bbeee6..9b068db4 100644 
--- a/charts/trino/templates/deployment-coordinator.yaml +++ b/charts/trino/templates/deployment-coordinator.yaml @@ -33,8 +33,7 @@ spec: serviceAccountName: {{ include "trino.serviceAccountName" . }} {{- with .Values.securityContext }} securityContext: - runAsUser: {{ .runAsUser }} - runAsGroup: {{ .runAsGroup }} + {{- toYaml . | nindent 8 }} {{- end }} {{- if .Values.shareProcessNamespace.coordinator }} shareProcessNamespace: {{ .Values.shareProcessNamespace.coordinator }} @@ -203,6 +202,10 @@ spec: - name: jmx-exporter image: {{ .Values.jmx.exporter.image }} imagePullPolicy: {{ .Values.jmx.exporter.pullPolicy }} + {{- with .Values.jmx.exporter.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} args: - "{{ .Values.jmx.exporter.port }}" - /etc/jmx-exporter/jmx-exporter-config.yaml diff --git a/charts/trino/templates/deployment-worker.yaml b/charts/trino/templates/deployment-worker.yaml index 6868a9ea..59c26504 100644 --- a/charts/trino/templates/deployment-worker.yaml +++ b/charts/trino/templates/deployment-worker.yaml @@ -35,8 +35,7 @@ spec: serviceAccountName: {{ include "trino.serviceAccountName" . }} {{- with .Values.securityContext }} securityContext: - runAsUser: {{ .runAsUser }} - runAsGroup: {{ .runAsGroup }} + {{- toYaml . | nindent 8 }} {{- end }} {{- if .Values.shareProcessNamespace.worker }} shareProcessNamespace: {{ .Values.shareProcessNamespace.worker }} diff --git a/charts/trino/values.yaml b/charts/trino/values.yaml index 7a6e76c6..7efb847c 100644 --- a/charts/trino/values.yaml +++ b/charts/trino/values.yaml 
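Review bot: Nothing in the rendered pod spec refuses a root UID once `securityContext` is removed the way the new README text suggests, because the `with .Values.securityContext` guard around `{{- toYaml . | nindent 8 }}` omits the whole pod-level block for a null or empty value. This applies here in `deployment-coordinator.yaml` and to the identical hunk in `deployment-worker.yaml`; in both, the containers then run as whatever user the image declares. The default `containerSecurityContext` visible in the README context sets only `allowPrivilegeEscalation: false` and `capabilities.drop: ["ALL"]`. Consider adding `runAsNonRoot: true` to that default in values.yaml so the kubelet still rejects UID 0 when the pod-level context is dropped; this changes a default, so check it against images users may substitute. The pod spec continues outside both hunks.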
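Review bot: The `jmx-exporter` container gets no container-level security context by default, because the added `{{- with .Values.jmx.exporter.securityContext }}` skips the block when the value is the empty map this commit ships in values.yaml. `allowPrivilegeEscalation` and `capabilities` are per-container fields, so the sidecar does not pick up the hardening the chart's default `containerSecurityContext` gives the main container in the same pod. One option is a fallback along the lines of `{{- with (.Values.jmx.exporter.securityContext | default .Values.containerSecurityContext) }}`; another is to ship the same hardened map as the default for `jmx.exporter.securityContext`. Only the coordinator template is touched here, so if the worker template also defines a jmx-exporter container (not visible in this patch), it would need the same block. The container spec continues outside the hunk.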
@@ -349,6 +349,12 @@ sidecarContainers: {} securityContext: runAsUser: 1000 runAsGroup: 1000 +# securityContext -- [Pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) configuration. +# @raw +# Remove the pod security context +# ```yaml +# securityContext: ~ +# ``` # -- [Container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) configuration. containerSecurityContext: @@ -760,6 +766,7 @@ jmx: pullPolicy: Always port: 5556 configProperties: [] + securityContext: {} # jmx.exporter.configProperties -- JMX Config Properties is mounted to /etc/jmx-exporter/jmx-exporter-config.yaml # @raw # Example:
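Review bot: The example in the added comment spells the removal as `securityContext: ~`, where `null` is the explicit form and matches how Helm describes deleting a default key. `# securityContext: null` would read more clearly both here and in the generated README. The new comment block also sits after the `securityContext:` key it documents, whereas the `# -- ` comment for `containerSecurityContext` just below precedes its key. Presumably that works only because the named `# securityContext -- ` form is used, so moving the block above the key would be more consistent with the rest of the file.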
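Review bot: The new `securityContext: {}` key under `jmx.exporter` has no helm-docs comment, so the generated README entry for `jmx.exporter.securityContext` shows a type and default but no description of what the value applies to. A named comment in the style of the neighbouring `jmx.exporter.configProperties` entry would cover it, for example `# jmx.exporter.securityContext -- [Container security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) configuration for the JMX exporter sidecar.` The `jmx.exporter` mapping starts above the hunk.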