Merge pull request #1803 from alex-souslik-hs/main

loadtester: add pod security context
2025-04-21 09:23:30 +02:00 · 2025-04-21 09:23:30 +02:00 · 27daa2ca46
parent 6f165a10de ed38a79545
commit 27daa2ca46
3 changed files with 16 additions and 4 deletions
--- a/charts/loadtester/README.md
+++ b/charts/loadtester/README.md
@ -69,8 +69,10 @@ The following tables lists the configurable parameters of the load tester chart
 | `istio.tls.enabled`                | Enable TLS in gateway ( TLS secrets should be in namespace )                         | `false`                             |
 | `istio.tls.httpsRedirect`          | Redirect traffic to TLS port                                                         | `false`                             |
 | `podPriorityClassName`             | PriorityClass name for pod priority configuration                                    | ""                                  |
-| `securityContext.enabled`          | Add securityContext to container                                                     | ""                                  |
-| `securityContext.context`          | securityContext to add                                                               | ""                                  |
+| `securityContext.enabled`          | Add securityContext to container                                                     | `false`                             |
+| `SecurityContext.context`          | securityContext to add                                                               | ""                                  |
+| `podSecurityContext.enabled`       | Add securityContext to pod                                                           | `false`                             |
+| `podSecurityContext.context`       | securityContext to add                                                               | ""                                  |
 | `podDisruptionBudget.enabled`      | A PodDisruptionBudget will be created if `true`                                      | `false`                             |
 | `podDisruptionBudget.minAvailable` | The minimal number of available replicas that will be set in the PodDisruptionBudget | `1`                                 |

--- a/charts/loadtester/templates/deployment.yaml
+++ b/charts/loadtester/templates/deployment.yaml
@ -24,7 +24,7 @@ spec:
        appmesh.k8s.aws/ports: "444"
        openservicemesh.io/inbound-port-exclusion-list: "80, 8080"
        {{- if .Values.podAnnotations }}
-{{ toYaml .Values.podAnnotations | indent 8 }}
+          {{- toYaml .Values.podAnnotations | nindent 8 }}
        {{- end }}
    spec:
      {{- if .Values.serviceAccountName }}
@ -39,7 +39,7 @@ spec:
        - name: {{ .Chart.Name }}
          {{- if .Values.securityContext.enabled }}
          securityContext:
-{{ toYaml .Values.securityContext.context | indent 12 }}
+            {{- toYaml .Values.securityContext.context | nindent 12 }}
          {{- end }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
@ -102,3 +102,7 @@ spec:
      tolerations:
        {{- toYaml . | nindent 8 }}
    {{- end }}
+    {{- if .Values.podSecurityContext.enabled }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext.context | nindent 12 }}
+    {{- end }}
--- a/charts/loadtester/values.yaml
+++ b/charts/loadtester/values.yaml
@ -91,6 +91,12 @@ securityContext:
    runAsUser: 100
    runAsGroup: 101

+podSecurityContext:
+  enabled: false
+  context:
+    fsGroup: 101
+    fsGroupChangePolicy: "OnRootMismatch"
+
 podDisruptionBudget:
  enabled: false
  minAvailable: 1