diff --git a/helm/flowforge/README.md b/helm/flowforge/README.md index 31678e5d..943f18a1 100644 --- a/helm/flowforge/README.md +++ b/helm/flowforge/README.md @@ -45,6 +45,7 @@ If using an external PostgreSQL Database you will need to create the database an - `forge.clusterRole.name` custom name for the ClusterRole (default `create-pod`) - `forge.resources` allows to configure [resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the core application container - `forge.podSecurityContext` allows to configure [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for the core application pod + - `forge.containerSecurityContext` allows to configure [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for the core application container note: `forge.projectSelector` and `forge.managementSelector` defaults mean that you must have at least 2 nodes in your cluster and they need to be labeled before installing. @@ -80,6 +81,7 @@ To use STMP to send email - `forge.broker.affinity` allows to configure [affinity or anti-affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) for the broker pod - `forge.broker.resources` allows to configure [resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the broker container - `forge.broker.podSecurityContext` allows to configure [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for the broker pod + - `forge.broker.containerSecurityContext` allows to configure [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for the broker container ### Telemetry 
@@ -129,6 +131,7 @@ Enables FlowForge Telemetry - `forge.fileStore.context.quota` Sets the maximum number of bytes that a project can store in Persistent Context (default `1048576`) - `forge.fileStore.resources` allows to configure [resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the file-server container - `forge.fileStore.podSecurityContext` allows to configure [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for the flowforge-file pod +- `forge.fileStore.containerSecurityContext` allows to configure [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for the flowforge-file container ### Private Certificate Authority diff --git a/helm/flowforge/templates/broker.yaml b/helm/flowforge/templates/broker.yaml index 2ad08ff8..666bbaed 100644 --- a/helm/flowforge/templates/broker.yaml +++ b/helm/flowforge/templates/broker.yaml @@ -75,9 +75,7 @@ spec: name: mqtt-native - containerPort: 1884 name: mqtt-ws - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true + securityContext: {{- toYaml .Values.forge.broker.containerSecurityContext | nindent 10 }} # livenessProbe: # httpGet: # path: /ping.html diff --git a/helm/flowforge/templates/deployment.yaml b/helm/flowforge/templates/deployment.yaml index 241e12a8..ababa095 100644 --- a/helm/flowforge/templates/deployment.yaml +++ b/helm/flowforge/templates/deployment.yaml @@ -71,13 +71,11 @@ spec: readOnly: true {{- end }} ports: - - containerPort: 3000 - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true + - containerPort: 3000 {{- if .Values.forge.resources }} resources: {{- toYaml .Values.forge.resources | nindent 12 }} {{- end }} + securityContext: {{- toYaml .Values.forge.containerSecurityContext | nindent 10 }} {{- if .Values.forge.registrySecrets }} imagePullSecrets: {{- range .Values.forge.registrySecrets }} 
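Review bot: The rendered indentation of the new `securityContext:` line in broker.yaml needs checking, because `nindent 10` emits the children at column 10 and the key itself appears to sit at the same level as the `ports:`/`containerPort` entries above it; if the key is also at column 10, YAML parses `securityContext: null` and the hardening keys become stray container fields. Please diff `helm template` output against the previous hardcoded block to confirm `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` still appear under `securityContext`, and adjust to `nindent 12` if they do not. The enclosing container spec starts before this hunk.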
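Review bot: In deployment.yaml the new `securityContext:` uses `nindent 10` while the sibling `resources:` two lines above uses `nindent 12`; if both keys are at the same column, the securityContext children land at the key's own indentation, which YAML reads as an empty `securityContext` followed by `allowPrivilegeEscalation`/`readOnlyRootFilesystem` as unknown container fields — the core container silently loses the hardening this chart previously hardcoded and the manifest fails strict field validation. Align it with the neighbouring key: `securityContext: {{- toYaml .Values.forge.containerSecurityContext | nindent 12 }}`, and verify with `helm template`. The container spec this belongs to starts before this hunk.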
diff --git a/helm/flowforge/templates/file-storage.yml b/helm/flowforge/templates/file-storage.yml index 3be75ede..1ae4e62e 100644 --- a/helm/flowforge/templates/file-storage.yml +++ b/helm/flowforge/templates/file-storage.yml @@ -78,9 +78,7 @@ spec: {{ end -}} ports: - containerPort: 3001 - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true + securityContext: {{- toYaml .Values.forge.broker.containerSecurityContext | nindent 10 }} {{- if .Values.forge.fileStore.resources }} resources: {{- toYaml .Values.forge.fileStore.resources | nindent 12 }} {{- end }} diff --git a/helm/flowforge/values.schema.json b/helm/flowforge/values.schema.json index 47ade067..637293ee 100644 --- a/helm/flowforge/values.schema.json +++ b/helm/flowforge/values.schema.json @@ -270,6 +270,9 @@ } } } + }, + "containerSecurityContext": { + "type": "object" } }, "required": [ @@ -397,6 +400,9 @@ } } } + }, + "containerSecurityContext": { + "type": "object" } }, "required": [ @@ -539,6 +545,9 @@ } } } + }, + "containerSecurityContext": { + "type": "object" } }, diff --git a/helm/flowforge/values.yaml b/helm/flowforge/values.yaml index edf0602b..4d94564a 100644 --- a/helm/flowforge/values.yaml +++ b/helm/flowforge/values.yaml @@ -27,6 +27,9 @@ forge: fsGroup: 1000 seccompProfile: type: RuntimeDefault + containerSecurityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true fileStore: enabled: false type: localfs @@ -74,6 +77,10 @@ forge: seccompProfile: type: RuntimeDefault + containerSecurityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + postgresql: auth: postgresPassword: Moomiet0
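Review bot: file-storage.yml renders the file-server container's security context from `.Values.forge.broker.containerSecurityContext`, but the README and values.schema.json in this same change declare `forge.fileStore.containerSecurityContext`; a user who sets the fileStore value gets no effect, and a change intended for the broker is applied to the file server. The line should read `securityContext: {{- toYaml .Values.forge.fileStore.containerSecurityContext | nindent 10 }}`. Only two default blocks are visible in the values.yaml hunks, so also confirm a `containerSecurityContext` default exists under `fileStore`; otherwise the corrected reference renders `securityContext: null` and the container loses `allowPrivilegeEscalation: false` / `readOnlyRootFilesystem: true`. The same `nindent 10` vs. key-column concern applies here as in the other templates.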
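Review bot: The three new `containerSecurityContext` schema entries are bare `{"type": "object"}`, so a misspelled hardening key (for example `readOnlyRootFileSystem`) passes `helm lint`/install validation and is then ignored or rejected downstream, leaving the container unhardened without any signal to the operator. Consider listing the keys you expect with their types, e.g. `"properties": {"allowPrivilegeEscalation": {"type": "boolean"}, "readOnlyRootFilesystem": {"type": "boolean"}, "runAsNonRoot": {"type": "boolean"}}`, and `"additionalProperties": false` if the chart wants to pin the surface. The enclosing JSON objects start and end outside these hunks.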
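Review bot: The new `forge.containerSecurityContext` default carries over only the two settings that were previously hardcoded; now that the block is a values-level default it is the natural place to also drop Linux capabilities and require a non-root UID, which the pod-level `seccompProfile: RuntimeDefault` and `fsGroup: 1000` context above suggests the images are already prepared for. Adding `capabilities: {drop: ["ALL"]}` and `runAsNonRoot: true` would bring the core container in line with the restricted Pod Security Standard, provided the image runs as a non-root user — please confirm before enabling `runAsNonRoot`. Since Helm merges maps, operators can still relax any individual key via their own values file.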
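Review bot: This second values.yaml default sits directly above the top-level `postgresql:` key, so it appears to be the `forge.broker` section, which together with the first hunk leaves `forge.fileStore.containerSecurityContext` (documented in the README and added to the schema in this change) without a default in values.yaml; if that is the case, a template that reads the fileStore value renders `securityContext: null` for the file-server container. Please add the same `containerSecurityContext: {allowPrivilegeEscalation: false, readOnlyRootFilesystem: true}` block under `fileStore` next to its existing `podSecurityContext`. As with the core container, `capabilities: {drop: ["ALL"]}` is worth including in the broker default if the image tolerates it.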