helm: add deployment securityContext values (#6136)

* helm: add deployment securityContext values * rm: podSecurityContext
2023-02-09 13:26:35 -05:00 · 2023-02-09 13:26:35 -05:00 · 22f6400ea5
parent b46d0d693f
commit 22f6400ea5
2 changed files with 28 additions and 0 deletions
--- a/helm/templates/coder.yaml
+++ b/helm/templates/coder.yaml
@ -107,6 +107,7 @@ spec:
            {{- end }}
            {{- end }}
            {{- end }}
+          securityContext: {{ toYaml .Values.coder.securityContext | nindent 12 }}
          readinessProbe:
            httpGet:
              path: /api/v2/buildinfo
--- a/helm/values.yaml
+++ b/helm/values.yaml
@ -50,6 +50,33 @@ coder:
    # coder.serviceAccount.name -- The service account name
    name: coder

+  # coder.securityContext -- Fields related to the container's security
+  # context (as opposed to the pod). Some fields are also present in the pod
+  # security context, in which case these values will take precedence.
+  securityContext:
+    # coder.securityContext.runAsNonRoot -- Requires that the coder container
+    # runs as an unprivileged user. If setting runAsUser to 0 (root), this
+    # will need to be set to false.
+    runAsNonRoot: true
+    # coder.securityContext.runAsUser -- Sets the user id of the pod.
+    # For security reasons, we recommend using a non-root user.
+    runAsUser: 1000
+    # coder.securityContext.runAsGroup -- Sets the group id of the pod.
+    # For security reasons, we recommend using a non-root group.
+    runAsGroup: 1000
+    # coder.securityContext.readOnlyRootFilesystem -- Mounts the container's
+    # root filesystem as read-only. It is recommended to leave this setting
+    # enabled in production. This will override the same setting in the pod
+    readOnlyRootFilesystem: true
+    # coder.securityContext.seccompProfile -- Sets the seccomp profile for
+    # the coder container.
+    seccompProfile:
+      type: RuntimeDefault
+    # coder.securityContext.allowPrivilegeEscalation -- Controls whether
+    # the container can gain additional privileges, such as escalating to
+    # root. It is recommended to leave this setting disabled in production.
+    allowPrivilegeEscalation: false
+
  # coder.env -- The environment variables to set for Coder. These can be used
  # to configure all aspects of `coder server`. Please see `coder server --help`
  # for information about what environment variables can be set.