running containers as not-root

nats-io · Mar 13, 2020 · 3609f2f · 3609f2f
1 parent 32c8700
commit 3609f2f
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 1 deletion.
diff --git a/helm/charts/nats/templates/statefulset.yaml b/helm/charts/nats/templates/statefulset.yaml
@@ -22,6 +22,10 @@ spec:
         app: {{ template "nats.name" . }}
         chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
     spec:
+{{- with .Values.securityContext }}
+      securityContext:
+{{ toYaml . | indent 8 }}
+{{- end }}
       # Common volumes for the containers.
       volumes:
       - name: config-volume

diff --git a/helm/charts/nats/values.yaml b/helm/charts/nats/values.yaml
@@ -43,7 +43,13 @@ nats:
     connectErrorReports: 
     reconnectErrorReports: 
 
-# Toggle whether to use setup a NATS Cluster.
+# Toggle whether to use setup a Pod Security Context
+# ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+securityContext:
+  fsGroup: 1000
+  runAsUser: 1000
+  runAsNonRoot: true
+
 cluster:
   enabled: false
 

diff --git a/helm/charts/stan/templates/statefulset.yaml b/helm/charts/stan/templates/statefulset.yaml
@@ -26,6 +26,10 @@ spec:
         app: {{ template "stan.name" . }}
         chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
     spec:
+{{- with .Values.securityContext }}
+      securityContext:
+{{ toYaml . | indent 8 }}
+{{- end }}
       terminationGracePeriodSeconds: 30
       volumes:
       - configMap:

diff --git a/helm/charts/stan/values.yaml b/helm/charts/stan/values.yaml
@@ -20,6 +20,13 @@ stan:
   nats:
     url:
 
+# Toggle whether to use setup a Pod Security Context
+# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+securityContext:
+  fsGroup: 1000
+  runAsUser: 1000
+  runAsNonRoot: true       
+
 ###########################
 #                         #
 #  Storage configuration  #