feat(charts): securityContect to cleanup-leases job

* In a cluster with https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/ does not clean up
sigstore · Aug 30, 2024 · d25622c · d25622c
1 parent 62d22f4
commit d25622c
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 0 deletions.
diff --git a/charts/policy-controller/README.md b/charts/policy-controller/README.md
@@ -159,6 +159,14 @@ helm uninstall [RELEASE_NAME]
 | leasescleanup.image.pullPolicy | string | `"IfNotPresent"` |  |
 | leasescleanup.image.repository | string | `"cgr.dev/chainguard/kubectl"` |  |
 | leasescleanup.image.version | string | `"latest-dev"` |  |
+| leasescleanup.podSecurityContext.allowPrivilegeEscalation | bool | `false` |  |
+| leasescleanup.podSecurityContext.capabilities.drop[0] | string | `"ALL"` |  |
+| leasescleanup.podSecurityContext.enabled | bool | `true` |  |
+| leasescleanup.podSecurityContext.readOnlyRootFilesystem | bool | `true` |  |
+| leasescleanup.podSecurityContext.runAsUser | int | `1000` |  |
+| leasescleanup.securityContext.enabled | bool | `false` |  |
+| leasescleanup.securityContext.runAsNonRoot | bool | `true` |  |
+| leasescleanup.securityContext.runAsUser | int | `1000` |  |
 | loglevel | string | `"info"` |  |
 | serviceMonitor.enabled | bool | `false` |  |
 | webhook.configData | object | `{}` |  |

diff --git a/charts/policy-controller/templates/webhook/cleanup-leases.yaml b/charts/policy-controller/templates/webhook/cleanup-leases.yaml
@@ -24,6 +24,18 @@ spec:
             - /bin/sh
             - -c
             - kubectl delete leases --all --ignore-not-found -n {{ .Release.Namespace }}
+  {{- if .Values.leasescleanup.podSecurityContext.enabled }}
+          securityContext:
+          {{- with .Values.leasescleanup.podSecurityContext }}
+          {{- omit . "enabled" | toYaml | nindent 10}}
+          {{- end }}
+  {{- end }}
+      {{- if .Values.leasescleanup.securityContext.enabled }}
+      securityContext:
+        {{- with .Values.leasescleanup.securityContext }}
+        {{- omit . "enabled" | toYaml | nindent 8}}
+        {{- end }}
+      {{- end }}
       restartPolicy: OnFailure
 ---
 apiVersion: rbac.authorization.k8s.io/v1

diff --git a/charts/policy-controller/values.yaml b/charts/policy-controller/values.yaml
@@ -72,6 +72,18 @@ leasescleanup:
     repository: cgr.dev/chainguard/kubectl
     version: latest-dev
     pullPolicy: IfNotPresent
+  securityContext:
+    enabled: false
+    runAsUser: 1000
+    runAsNonRoot: true
+  podSecurityContext:
+    enabled: true
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+    runAsUser: 1000
+    capabilities:
+      drop:
+        - ALL
 
 ## common node selector for all the pods
 commonNodeSelector: {}