From 698d58048b27db0cd2056f9c4b7df01b6307e4c5 Mon Sep 17 00:00:00 2001
From: Anish Bista
Date: Thu, 29 Aug 2024 10:20:02 +0530
Subject: [PATCH] Added the security context at pod and container level for kainster operator

Signed-off-by: Anish Bista
---
 helm/kanister-operator/templates/deployment.yaml | 8 ++++++++
 helm/kanister-operator/values.yaml | 15 +++++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/helm/kanister-operator/templates/deployment.yaml b/helm/kanister-operator/templates/deployment.yaml
index a560e5d0a6..e447296777 100644
--- a/helm/kanister-operator/templates/deployment.yaml
+++ b/helm/kanister-operator/templates/deployment.yaml
@@ -14,6 +14,10 @@ spec:
 labels:
 {{ include "kanister-operator.helmLabels" . | indent 8}}
 spec:
+{{- if .Values.controller.podSecurityContext }}
+ securityContext:
+{{ toYaml .Values.controller.podSecurityContext | indent 8 }}
+{{- end }}
 serviceAccountName: {{ template "kanister-operator.serviceAccountName" . }}
 {{- if or .Values.bpValidatingWebhook.enabled .Values.validatingWebhook.repositoryserver.enabled }}
 volumes:
@@ -29,6 +33,8 @@ spec:
 - name: {{ template "kanister-operator.fullname" . }}
 image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
 imagePullPolicy: {{ .Values.image.pullPolicy }}
+ securityContext:
+{{ include "controller.containerSecurityContext" . }}
 {{- if .Values.bpValidatingWebhook.enabled }}
 volumeMounts:
 - name: webhook-certs
@@ -53,6 +59,8 @@ spec:
 - name: {{ template "repository-server-controller.name" . }}
 image: {{ .Values.repositoryServerControllerImage.registry }}/{{ .Values.repositoryServerControllerImage.name }}:{{ .Values.repositoryServerControllerImage.tag }}
 imagePullPolicy: {{ .Values.repositoryServerControllerImage.pullPolicy }}
+ securityContext:
+{{ include "controller.containerSecurityContext" . }}
 {{- if .Values.validatingWebhook.repositoryserver.enabled }}
 volumeMounts:
 - name: webhook-certs
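Review bot: The container-level `securityContext:` added in the `@@ -29` hunk is emitted unconditionally and its body comes from `{{ include "controller.containerSecurityContext" . }}`, a named template this patch does not define (the diffstat lists only deployment.yaml and values.yaml); unless it already exists in _helpers.tpl, `helm template` fails with an undefined-template error, and even if it exists its output is not piped through `indent`/`nindent`, so the rendered keys will not nest under `securityContext:` unless the helper indents them itself. The same two lines are repeated in the `@@ -53` hunk for the repository-server-controller container, and with the shipped values.yaml (all keys commented out, so the value is null) both containers currently render a bare `securityContext:` with no body. Mirror the pod-level hunk instead: guard with `{{- if .Values.controller.containerSecurityContext }}` and render with `{{ toYaml .Values.controller.containerSecurityContext | indent 10 }}` (the indent must match the container's field column, which this hunk does not show), or keep the helper but pipe its output through `indent`. The `containers:` list begins before this hunk.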
diff --git a/helm/kanister-operator/values.yaml b/helm/kanister-operator/values.yaml
index e6967d08b2..c0d8921364 100644
--- a/helm/kanister-operator/values.yaml
+++ b/helm/kanister-operator/values.yaml
@@ -36,6 +36,20 @@ controller:
 # false : kanister-prometheus framework has been disabled
 # true: kanister-prometheus framework has been enabled
 enabled: false
+ # Pod-level security context settings
+ podSecurityContext:
+ #runAsUser: 1000
+ #fsGroup: 2000
+ #runAsNonRoot: true
+
+ # Container-level security context settings
+ containerSecurityContext:
+ #capabilities:
+ # drop:
+ # - ALL
+ #readOnlyRootFilesystem: true
+ #runAsNonRoot: true
+ #allowPrivilegeEscalation: false
 dataStore:
 parallelism:
 upload: 8
@@ -89,3 +103,4 @@ tolerations: []
 #
 # node labels for pod assignment. Evaluated as template
 nodeSelector: {}
+
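Review bot: Every hardening key under the new `podSecurityContext` and `containerSecurityContext` stanzas is commented out, so both values parse as null and the chart still installs the operator with no security context at all; the restrictive settings should be the defaults that users loosen if needed, e.g. uncomment `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` and add `seccompProfile: {type: RuntimeDefault}`, provided the operator image actually runs as a non-root user (not verifiable from this diff). If some keys must stay as examples, write them as `# key: value` with a space after the hash so yamllint's `comments` rule passes, and keep the commented block indented like the real keys so uncommenting does not mis-nest. The header comment should also state that `containerSecurityContext` is applied to both the operator container and the repository-server-controller container in deployment.yaml, since a single value governs both.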