
Commit

feat: Add possibility to configure securityContext for each pod (#275)
hardillb authored Jan 12, 2024
2 parents 6791985 + 678d4d4 commit b6dbf87
Showing 6 changed files with 100 additions and 9 deletions.
3 changes: 3 additions & 0 deletions helm/flowforge/README.md
@@ -43,6 +43,7 @@ If using an external PostgreSQL Database you will need to create the database an
- `forge.branding` Object holding branding inserts (default not set)
- `forge.projectDeploymentTolerations` tolerations settings for Project instances. Default is `[]`.
- `forge.clusterRole.name` custom name for the ClusterRole (default `create-pod`)
- `forge.podSecurityContext` allows to configure [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for the core application pod

note: `forge.projectSelector` and `forge.managementSelector` defaults mean that you must have at least 2 nodes in your cluster and they need to be labeled before installing.

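Review bot: all three new README entries read "allows to configure", which should be "allows configuring" (or simply "configures"), and unlike the neighbouring entries they do not state a default. Since the hardcoded `runAsUser`/`runAsGroup`/`fsGroup: 1000` are moving out of the templates and into values.yaml, each entry should say what an operator is overriding, e.g. "(default: `runAsUser`, `runAsGroup` and `fsGroup` `1000`, `seccompProfile.type` `RuntimeDefault`)". The same applies to the `forge.broker.podSecurityContext` and `forge.fileStore.podSecurityContext` entries below.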
@@ -75,6 +76,7 @@ To use STMP to send email
- `forge.broker.url` URL to access the broker from inside the cluster (default `mqtt://flowforge-broker.[namespace]:1883`)
- `forge.broker.public_url` URL to access the broker from outside the cluster (default `ws://mqtt.[forge.domain]`, uses `wss://` if `forge.https` is `true`)
- `forge.broker.affinity` allows to configure [affinity or anti-affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) for the broker pod
- `forge.broker.podSecurityContext` allows to configure [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for the broker pod

### Telemetry

@@ -122,6 +124,7 @@ Enables FlowForge Telemetry
- `forge.fileStore.context.type` Choice of backends for Persistent Context `sequelize`
- `forge.fileStore.context.options` Options to pass to Persistent Context Driver (See [file-server](https://github.com/flowforge/flowforge-file-server) for details)
- `forge.fileStore.context.quota` Sets the maximum number of bytes that a project can store in Persistent Context (default `1048576`)
- `forge.fileStore.podSecurityContext` allows to configure [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for the flowforge-file pod

### Private Certificate Authority

4 changes: 1 addition & 3 deletions helm/flowforge/templates/broker.yaml
@@ -60,9 +60,7 @@ spec:
app: flowforge-broker
spec:
securityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
{{- toYaml .Values.forge.broker.podSecurityContext | nindent 8 }}
containers:
- name: broker
image: iegomez/mosquitto-go-auth
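Review bot: `securityContext:` is now emitted unconditionally with `{{- toYaml .Values.forge.broker.podSecurityContext | nindent 8 }}` beneath it, so a values file that sets `podSecurityContext: {}` (or nulls the key) renders an empty pod security context and the broker runs as whatever user the `iegomez/mosquitto-go-auth` image specifies; the `runAsUser: 1000` that previously guaranteed a non-root pod is gone without any warning. Wrapping the block in `{{- with .Values.forge.broker.podSecurityContext }}` ... `{{- end }}` makes an absent value at least explicit, and a `{{- required "forge.broker.podSecurityContext must be set" ... }}` guard would reject it outright.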
4 changes: 1 addition & 3 deletions helm/flowforge/templates/deployment.yaml
@@ -22,9 +22,7 @@ spec:
spec:
serviceAccountName: flowforge
securityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
{{- toYaml .Values.forge.podSecurityContext | nindent 8 }}
containers:
- name: forge
{{- if .Values.forge.image }}
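Review bot: this is the pod that runs under `serviceAccountName: flowforge`, which (per the README's `forge.clusterRole.name`, default `create-pod`) is bound to a ClusterRole that creates pods, so it is the place where silently losing the non-root `runAsUser` costs the most. The same `{{- toYaml ... | nindent 8 }}` pattern as in broker.yaml applies here; a `required` guard on `.Values.forge.podSecurityContext`, or at minimum a comment in values.yaml saying the block must not be emptied, would keep an accidental `podSecurityContext: {}` from producing a root-capable pod with pod-creation rights.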
4 changes: 1 addition & 3 deletions helm/flowforge/templates/file-storage.yml
@@ -61,9 +61,7 @@ spec:
app: flowforge-file
spec:
securityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
{{- toYaml .Values.forge.fileStore.podSecurityContext | nindent 8 }}
containers:
- name: file-storage
image: {{ .Values.forge.registry }}{{- if .Values.forge.registry -}}/{{- end -}}flowforge/file-server:{{ .Chart.AppVersion }}
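Review bot: broker.yaml, deployment.yaml and file-storage.yml now carry an identical two-line `securityContext:` / `toYaml ... nindent 8` snippet, differing only in the values key. A named template in `_helpers.tpl` that takes the context object as its argument would keep the three in sync when the next change (a `with` guard, a `required` check) is made; a style point, but this is exactly the kind of block that drifts.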
75 changes: 75 additions & 0 deletions helm/flowforge/values.schema.json
@@ -218,6 +218,31 @@
},
"affinity": {
"type": "object"
},
"podSecurityContext": {
"type": "object",
"properties": {
"runAsUser": {
"type": "integer"
},
"runAsGroup": {
"type": "integer"
},
"fsGroup": {
"type": "integer"
},
"seccompProfile": {
"type": "object",
"properties": {
"type": {
"type": "string"
},
"localhostProfile": {
"type": "string"
}
}
}
}
}
},
"required": [
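Review bot: `seccompProfile.type` is typed as a free `"string"`, but Kubernetes accepts only `Unconfined`, `RuntimeDefault` and `Localhost`; an `"enum"` with those three values turns a typo such as `runtimeDefault` into a `helm install` error instead of a pod that is rejected (or, worse, scheduled without the intended profile) at deploy time. `runAsUser`, `runAsGroup` and `fsGroup` should also carry `"minimum": 0`, since a negative UID is never valid. Note too that `localhostProfile` is only meaningful with `type: Localhost`; the schema cannot cheaply express that, so a `"description"` on the property saying so would help.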
@@ -293,6 +318,31 @@
},
"options": {
"type": "object"
},
"podSecurityContext": {
"type": "object",
"properties": {
"runAsUser": {
"type": "integer"
},
"runAsGroup": {
"type": "integer"
},
"fsGroup": {
"type": "integer"
},
"seccompProfile": {
"type": "object",
"properties": {
"type": {
"type": "string"
},
"localhostProfile": {
"type": "string"
}
}
}
}
}
},
"required": [
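Review bot: this is the second verbatim copy of the `podSecurityContext` sub-schema (the third follows under `forge`). JSON Schema supports `"definitions"` (or `"$defs"`) with `"$ref": "#/definitions/podSecurityContext"`, which would let the enum and minimum fixes above be made once instead of three times and would guarantee the three pods are validated identically.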
@@ -383,6 +433,31 @@
"description": "Name of cluster role"
}
}
},
"podSecurityContext": {
"type": "object",
"properties": {
"runAsUser": {
"type": "integer"
},
"runAsGroup": {
"type": "integer"
},
"fsGroup": {
"type": "integer"
},
"seccompProfile": {
"type": "object",
"properties": {
"type": {
"type": "string"
},
"localhostProfile": {
"type": "string"
}
}
}
}
}
},
"required": [
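Review bot: `additionalProperties` is not set on the `podSecurityContext` object, so keys such as `runAsNonRoot`, `supplementalGroups` and `fsGroupChangePolicy` pass through unvalidated (and a mistyped key is silently ignored rather than flagged). Leaving the object open is defensible for forward compatibility, but `runAsNonRoot` (`"type": "boolean"`) is worth listing explicitly: it is the one field that makes the kubelet refuse to start the pod if the effective user resolves to 0, which is the safety net this change removes from the templates.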
19 changes: 19 additions & 0 deletions helm/flowforge/values.yaml
@@ -21,6 +21,12 @@ forge:
enabled: false
broker:
enabled: false
podSecurityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
seccompProfile:
type: RuntimeDefault
fileStore:
enabled: false
type: localfs
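Review bot: the new default adds `seccompProfile.type: RuntimeDefault`, which the hardcoded block removed from broker.yaml did not set. That is a welcome hardening, but it is a behaviour change for existing installs (the pod-level `seccompProfile` field requires Kubernetes 1.19 or later and a container runtime with seccomp enabled), so it should be called out in the commit message or changelog rather than appearing only as a values default.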
@@ -36,6 +42,12 @@ forge:
username: forge
password: Zai1Wied
database: ff-context
podSecurityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
seccompProfile:
type: RuntimeDefault
support:
enabled: false

@@ -55,6 +67,13 @@ forge:
enabled: false
reportOnly: false

podSecurityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
seccompProfile:
type: RuntimeDefault

postgresql:
auth:
postgresPassword: Moomiet0
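Review bot: the three default blocks are identical, which is fine, but none of them sets `runAsNonRoot: true`. With the UID now user-supplied, adding it to each default means that an override that drops `runAsUser` (or sets it to 0) is refused by the kubelet at pod start instead of producing a root container; it costs nothing for the shipped defaults because UID 1000 already satisfies it.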