feat: Make securityContext configurable

Also extend with seccompProfile and capabilities as defaults

helm-charts/falcon-self-hosted-registry-assessment/templates/executor-deployment.yaml

@@ -23,7 +23,11 @@ spec:
     spec:
       serviceAccountName: {{ include "ra-self-hosted-executor.fullname" . }}
       securityContext:
-        fsGroup: 2001
+{{ if .Values.executor.podSecurityContext }}
+{{ .Values.executor.podSecurityContext | toYaml | indent 8 }}
+{{ else }}
+{{ .Values.podSecurityContext | toYaml | indent 8 }}
+{{ end }}
      {{- if or (.Values.executor.image.pullSecret) (.Values.executor.image.registryConfigJSON) }}
       imagePullSecrets:
        {{ if .Values.executor.image.registryConfigJSON }}
@@ -85,11 +89,11 @@ spec:
 {{ .Values.executor.resources | toYaml | indent 12 }}
           {{- end }}
           securityContext:
-            runAsUser: 1001
-            runAsGroup: 2001
-            runAsNonRoot: true
-            readOnlyRootFilesystem: true
-            allowPrivilegeEscalation: false
+{{ if .Values.executor.securityContext }}
+{{ .Values.executor.securityContext | toYaml | indent 10 }}
+{{ else }}
+{{ .Values.securityContext | toYaml | indent 10 }}
+{{ end }}
       containers:
         - name: executor
           image: {{ include "ra-self-hosted-executor.image" . }}
@@ -144,11 +148,11 @@ spec:
 {{ .Values.executor.resources | toYaml | indent 12 }}
           {{- end }}
           securityContext:
-            runAsUser: 1001
-            runAsGroup: 2001
-            runAsNonRoot: true
-            readOnlyRootFilesystem: true
-            allowPrivilegeEscalation: false
+{{ if .Values.executor.securityContext }}
+{{ .Values.executor.securityContext | toYaml | indent 19 }}
+{{ else }}
+{{ .Values.securityContext | toYaml | indent 12 }}
+{{ end }}
       {{- if .Values.executor.nodeSelector }}
       nodeSelector:
         {{- .Values.executor.nodeSelector | toYaml | nindent 8 }}

helm-charts/falcon-self-hosted-registry-assessment/templates/job-controller-deployment.yaml

@@ -19,7 +19,11 @@ spec:
         checksum/config: {{ include (print $.Template.BasePath "/job-controller-configmap.yaml") . | sha256sum }}
     spec:
       securityContext:
-        fsGroup: 2001
+{{ if .Values.jobController.podSecurityContext }}
+{{ .Values.jobController.podSecurityContext | toYaml | indent 8 }}
+{{ else }}
+{{ .Values.podSecurityContext | toYaml | indent 8 }}
+{{ end }}
      {{- if or (.Values.jobController.image.pullSecret) (.Values.jobController.image.registryConfigJSON) }}
       imagePullSecrets:
        {{ if .Values.jobController.image.registryConfigJSON }}
@@ -73,11 +77,11 @@ spec:
               name: tls
             {{- end }}
           securityContext:
-            runAsUser: 1001
-            runAsGroup: 2001
-            runAsNonRoot: true
-            readOnlyRootFilesystem: true
-            allowPrivilegeEscalation: false
+{{ if .Values.jobController.securityContext }}
+{{ .Values.jobController.securityContext | toYaml | indent 10 }}
+{{ else }}
+{{ .Values.securityContext | toYaml | indent 10 }}
+{{ end }}
       containers:
         - name: job-controller
           image: {{ include "ra-self-hosted-job-controller.image" . }}
@@ -131,11 +135,11 @@ spec:
               name: tls
             {{- end }}
           securityContext:
-            runAsUser: 1001
-            runAsGroup: 2001
-            runAsNonRoot: true
-            readOnlyRootFilesystem: true
-            allowPrivilegeEscalation: false
+{{ if .Values.jobController.securityContext }}
+{{ .Values.jobController.securityContext | toYaml | indent 12 }}
+{{ else }}
+{{ .Values.securityContext | toYaml | indent 12 }}
+{{ end }}
       {{- if .Values.jobController.nodeSelector }}
       nodeSelector:
         {{- .Values.jobController.nodeSelector | toYaml | nindent 8 }}

helm-charts/falcon-self-hosted-registry-assessment/values.yaml

@@ -4,6 +4,26 @@
 nameOverride: ""
 fullnameOverride: ""
 
+podSecurityContext:
+  runAsUser: 1001
+  runAsGroup: 2001
+  fsGroup: 2001
+  runAsNonRoot: true
+  seccompProfile:
+    type: RuntimeDefault
+
+securityContext:
+  runAsUser: 1001
+  runAsGroup: 2001
+  runAsNonRoot: true
+  readOnlyRootFilesystem: true
+  allowPrivilegeEscalation: false
+  seccompProfile:
+    type: RuntimeDefault
+  capabilities:
+    drop:
+    - ALL
+
 executor:
   replicaCount: 1
   image:
@@ -47,6 +67,28 @@ executor:
       accessModes:
         - ReadWriteOnce
 
+  # Use to override the global podSecurityContext        
+  # podSecurityContext:
+  #   runAsUser: 1001
+  #   runAsGroup: 2001
+  #   fsGroup: 2001
+  #   runAsNonRoot: true
+  #   seccompProfile:
+  #     type: RuntimeDefault
+
+  # Use to override the global securityContext
+  # securityContext:
+  #   runAsUser: 1001
+  #   runAsGroup: 2001
+  #   runAsNonRoot: true
+  #   readOnlyRootFilesystem: true
+  #   allowPrivilegeEscalation: false
+  #   seccompProfile:
+  #     type: RuntimeDefault
+  #   capabilities:
+  #     drop:
+  #     - ALL
+
   logLevel: 3  # log level to be set for the service (1:error, 2:warning, 3:info, 4:debug)
   catalogPerPageRate: 100  # page size per catalog request
 
@@ -169,6 +211,28 @@ jobController:
 
   additionalSecretEnvFrom: []
 
+  # Use to override the global podSecurityContext        
+  # podSecurityContext:
+  #   runAsUser: 1001
+  #   runAsGroup: 2001
+  #   fsGroup: 2001
+  #   runAsNonRoot: true
+  #   seccompProfile:
+  #     type: RuntimeDefault
+
+  # Use to override the global securityContext
+  # securityContext:
+  #   runAsUser: 1001
+  #   runAsGroup: 2001
+  #   runAsNonRoot: true
+  #   readOnlyRootFilesystem: true
+  #   allowPrivilegeEscalation: false
+  #   seccompProfile:
+  #     type: RuntimeDefault
+  #   capabilities:
+  #     drop:
+  #     - ALL
+
 crowdstrikeConfig:
   region: "autodiscovery"  # autodiscovery, us-1, us-2, eu-1, gov1, or gov2
   clientID: ""