add podSecurityContext (#88)

* add podSecurityContext * update deployment yaml * remove line * add test * fix indentation * update test * update readme * feat: update docs for securityContext * feat: update docs * fix: capitalisation * fix: capitalisation
gruntwork-io · Jan 21, 2021 · 5fb012d · 5fb012d
1 parent 6802561
commit 5fb012d
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 0 deletions.
diff --git a/charts/k8s-service/templates/canarydeployment.yaml b/charts/k8s-service/templates/canarydeployment.yaml
@@ -106,6 +106,10 @@ spec:
       {{- if hasKey .Values.serviceAccount "automountServiceAccountToken" }}
       automountServiceAccountToken : {{ .Values.serviceAccount.automountServiceAccountToken }}
       {{- end }}
+      {{- if .Values.podSecurityContext }}
+      securityContext:
+{{ toYaml .Values.podSecurityContext | indent 8 }}
+      {{- end}}
 
       containers:
         - name: {{ .Values.applicationName }}-canary

diff --git a/charts/k8s-service/templates/deployment.yaml b/charts/k8s-service/templates/deployment.yaml
@@ -106,6 +106,10 @@ spec:
       {{- if hasKey .Values.serviceAccount "automountServiceAccountToken" }}
       automountServiceAccountToken : {{ .Values.serviceAccount.automountServiceAccountToken }}
       {{- end }}
+      {{- if .Values.podSecurityContext }}
+      securityContext:
+{{ toYaml .Values.podSecurityContext | indent 8 }}
+      {{- end}}
 
       containers:
         - name: {{ .Values.applicationName }}

diff --git a/charts/k8s-service/values.yaml b/charts/k8s-service/values.yaml
@@ -103,6 +103,8 @@ readinessProbe: {}
 # securityContext is a map that specified the privillege and access control settings for a Pod of Container. Security Context
 # can be specified when the application requires additional access control permissions. More details on securityContext and supported
 # settings can be found at https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+# similar to the podSecurityContext {} however, this sets security attributes at the container level rather than at the pod level scope.
+
 #
 # EXAMPLE:
 # 1) To run a container in privilleged mode
@@ -114,6 +116,16 @@ readinessProbe: {}
 #   runAsUser: 2000
 securityContext: {}
 
+# podSecurityContext holds pod-level security access control settings.
+# similar to the securityContext {} however, this sets security attributes at the pod level rather than at the container level scope.
+# this allows certain attributes to be set that are not possible in the container level. For example 'fsGroup'.
+# more details can be found at https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#podsecuritycontext-v1-core
+
+# EXAMPLE:
+# podSecurityContext:
+#   fsGroup: 2000
+podSecurityContext: {}
+
 
 # shutdownDelay is the number of seconds to delay the shutdown sequence of the Pod by. This is implemented as a sleep
 # call in the preStop hook. By default, this chart includes a preStop hook with a shutdown delay for eventual

diff --git a/test/k8s_service_template_test.go b/test/k8s_service_template_test.go
@@ -142,6 +142,20 @@ func TestK8SServiceSecurityContextAnnotationRenderCorrectly(t *testing.T) {
 	assert.Equal(t, *testContainer.SecurityContext.RunAsUser, int64(1000))
 }
 
+func TestK8SServicePodSecurityContextAnnotationRenderCorrectly(t *testing.T) {
+	t.Parallel()
+
+	deployment := renderK8SServiceDeploymentWithSetValues(
+		t,
+		map[string]string{
+			"podSecurityContext.fsGroup": "2000",
+		},
+	)
+	renderedPodSpec := deployment.Spec.Template.Spec
+	assert.NotNil(t, renderedPodSpec.SecurityContext)
+	assert.Equal(t, *renderedPodSpec.SecurityContext.FSGroup, int64(2000))
+}
+
 // Test that podAnnotations render correctly to annotate the Pod Template Spec on the Deployment resource
 func TestK8SServicePodAnnotationsRenderCorrectly(t *testing.T) {
 	t.Parallel()