Add optin for securitycontext in helm (#2758)

sandert-k8s · web-flow · commit b6ab75e675ea · 2024-10-02T17:26:29.000-04:00
* add option for securitycontext

* set default to true

* moved securitycontext before services
diff --git a/helm-chart/templates/adservice.yaml b/helm-chart/templates/adservice.yaml
@@ -49,11 +49,13 @@ spec:
       serviceAccountName: default
       {{- end }}
       terminationGracePeriodSeconds: 5
+      {{- if .Values.securityContext.enable }}
       securityContext:
         fsGroup: 1000
         runAsGroup: 1000
         runAsNonRoot: true
         runAsUser: 1000
+      {{- end }}
         {{- if .Values.seccompProfile.enable }}
         seccompProfile:
           type: {{ .Values.seccompProfile.type }}
diff --git a/helm-chart/templates/cartservice.yaml b/helm-chart/templates/cartservice.yaml
@@ -53,11 +53,13 @@ spec:
       serviceAccountName: default
       {{- end }}
       terminationGracePeriodSeconds: 5
+      {{- if .Values.securityContext.enable }}
       securityContext:
         fsGroup: 1000
         runAsGroup: 1000
         runAsNonRoot: true
         runAsUser: 1000
+      {{- end }}
         {{- if .Values.seccompProfile.enable }}
         seccompProfile:
           type: {{ .Values.seccompProfile.type }}
@@ -229,11 +231,13 @@ spec:
       {{- else }}
       serviceAccountName: default
       {{- end }}
+      {{- if .Values.securityContext.enable }}
       securityContext:
         fsGroup: 1000
         runAsGroup: 1000
         runAsNonRoot: true
         runAsUser: 1000
+      {{- end }}
         {{- if .Values.seccompProfile.enable }}
         seccompProfile:
           type: {{ .Values.seccompProfile.type }}
diff --git a/helm-chart/templates/checkoutservice.yaml b/helm-chart/templates/checkoutservice.yaml
@@ -48,11 +48,13 @@ spec:
       {{- else }}
       serviceAccountName: default
       {{- end }}
+      {{- if .Values.securityContext.enable }}
       securityContext:
         fsGroup: 1000
         runAsGroup: 1000
         runAsNonRoot: true
         runAsUser: 1000
+      {{- end }}
         {{- if .Values.seccompProfile.enable }}
         seccompProfile:
           type: {{ .Values.seccompProfile.type }}
diff --git a/helm-chart/templates/currencyservice.yaml b/helm-chart/templates/currencyservice.yaml
@@ -49,11 +49,13 @@ spec:
       serviceAccountName: default
       {{- end }}
       terminationGracePeriodSeconds: 5
+      {{- if .Values.securityContext.enable }}
       securityContext:
         fsGroup: 1000
         runAsGroup: 1000
         runAsNonRoot: true
         runAsUser: 1000
+      {{- end }}
         {{- if .Values.seccompProfile.enable }}
         seccompProfile:
           type: {{ .Values.seccompProfile.type }}
diff --git a/helm-chart/templates/emailservice.yaml b/helm-chart/templates/emailservice.yaml
@@ -49,11 +49,13 @@ spec:
       serviceAccountName: default
       {{- end }}
       terminationGracePeriodSeconds: 5
+      {{- if .Values.securityContext.enable }}
       securityContext:
         fsGroup: 1000
         runAsGroup: 1000
         runAsNonRoot: true
         runAsUser: 1000
+      {{- end }}
         {{- if .Values.seccompProfile.enable }}
         seccompProfile:
           type: {{ .Values.seccompProfile.type }}
diff --git a/helm-chart/templates/frontend.yaml b/helm-chart/templates/frontend.yaml
@@ -50,11 +50,13 @@ spec:
       {{- else }}
       serviceAccountName: default
       {{- end }}
+      {{- if .Values.securityContext.enable }}
       securityContext:
         fsGroup: 1000
         runAsGroup: 1000
         runAsNonRoot: true
         runAsUser: 1000
+      {{- end }}
         {{- if .Values.seccompProfile.enable }}
         seccompProfile:
           type: {{ .Values.seccompProfile.type }}
diff --git a/helm-chart/templates/loadgenerator.yaml b/helm-chart/templates/loadgenerator.yaml
@@ -53,11 +53,13 @@ spec:
       {{- end }}
       terminationGracePeriodSeconds: 5
       restartPolicy: Always
+      {{- if .Values.securityContext.enable }}
       securityContext:
         fsGroup: 1000
         runAsGroup: 1000
         runAsNonRoot: true
         runAsUser: 1000
+      {{- end }}
         {{- if .Values.seccompProfile.enable }}
         seccompProfile:
           type: {{ .Values.seccompProfile.type }}
diff --git a/helm-chart/templates/productcatalogservice.yaml b/helm-chart/templates/productcatalogservice.yaml
@@ -49,11 +49,13 @@ spec:
       serviceAccountName: default
       {{- end }}
       terminationGracePeriodSeconds: 5
+      {{- if .Values.securityContext.enable }}
       securityContext:
         fsGroup: 1000
         runAsGroup: 1000
         runAsNonRoot: true
         runAsUser: 1000
+      {{- end }}
         {{- if .Values.seccompProfile.enable }}
         seccompProfile:
           type: {{ .Values.seccompProfile.type }}
diff --git a/helm-chart/templates/recommendationservice.yaml b/helm-chart/templates/recommendationservice.yaml
@@ -49,11 +49,13 @@ spec:
       serviceAccountName: default
       {{- end }}
       terminationGracePeriodSeconds: 5
+      {{- if .Values.securityContext.enable }}
       securityContext:
         fsGroup: 1000
         runAsGroup: 1000
         runAsNonRoot: true
         runAsUser: 1000
+      {{- end }}
         {{- if .Values.seccompProfile.enable }}
         seccompProfile:
           type: {{ .Values.seccompProfile.type }}
diff --git a/helm-chart/templates/shippingservice.yaml b/helm-chart/templates/shippingservice.yaml
@@ -48,11 +48,13 @@ spec:
       {{- else }}
       serviceAccountName: default
       {{- end }}
+      {{- if .Values.securityContext.enable }}
       securityContext:
         fsGroup: 1000
         runAsGroup: 1000
         runAsNonRoot: true
         runAsUser: 1000
+      {{- end }}
         {{- if .Values.seccompProfile.enable }}
         seccompProfile:
           type: {{ .Values.seccompProfile.type }}
diff --git a/helm-chart/values.yaml b/helm-chart/values.yaml
@@ -56,6 +56,9 @@ seccompProfile:
   enable: false
   type: RuntimeDefault
 
+securityContext:
+  enable: true
+
 adService:
   create: true
   name: adservice
