helm: add deployment securityContext values

ericpaulsen · ericpaulsen · commit e6c0a8075096 · 2023-02-09T12:23:18.000-05:00
diff --git a/helm/templates/coder.yaml b/helm/templates/coder.yaml
@@ -26,6 +26,7 @@ spec:
       labels:
         {{- include "coder.labels" . | nindent 8 }}
     spec:
+      securityContext: {{ toYaml .Values.coder.podSecurityContext | nindent 8 }}
       serviceAccountName: {{ .Values.coder.serviceAccount.name | quote }}
       restartPolicy: Always
       {{- with .Values.coder.image.pullSecrets }}
@@ -48,6 +49,7 @@ spec:
       {{- with .Values.coder.initContainers }}
       initContainers:
       {{ toYaml . | nindent 8 }}
+          securityContext: {{ toYaml .Values.coder.securityContext | nindent 12 }}
       {{- end }}
       containers:
         - name: coder
@@ -107,6 +109,7 @@ spec:
             {{- end }}
             {{- end }}
             {{- end }}
+          securityContext: {{ toYaml .Values.coder.securityContext | nindent 12 }}
           readinessProbe:
             httpGet:
               path: /api/v2/buildinfo
diff --git a/helm/values.yaml b/helm/values.yaml
@@ -50,6 +50,53 @@ coder:
     # coder.serviceAccount.name -- The service account name
     name: coder
 
+  # coder.podSecurityContext -- Fields related to the pod's security context
+  # (as opposed to the container). Some fields are also present in the
+  # container security context, which will take precedence over these values.
+  podSecurityContext:
+    # coder.podSecurityContext.runAsNonRoot -- Requires that containers in
+    # the pod run as an unprivileged user. If setting runAsUser to 0 (root),
+    # this will need to be set to false.
+    runAsNonRoot: true
+    # coder.podSecurityContext.runAsUser -- Sets the user id of the pod.
+    # For security reasons, we recommend using a non-root user.
+    runAsUser: 1000
+    # coder.podSecurityContext.runAsGroup -- Sets the group id of the pod.
+    # For security reasons, we recommend using a non-root group.
+    runAsGroup: 1000
+    # coder.podSecurityContext.seccompProfile -- Sets the seccomp profile
+    # for the pod. If set, the container security context setting will take
+    # precedence over this value.
+    seccompProfile:
+      type: RuntimeDefault
+
+  # coder.securityContext -- Fields related to the container's security
+  # context (as opposed to the pod). Some fields are also present in the pod
+  # security context, in which case these values will take precedence.
+  securityContext:
+    # coder.securityContext.runAsNonRoot -- Requires that the coder container
+    # runs as an unprivileged user. If setting runAsUser to 0 (root), this
+    # will need to be set to false.
+    runAsNonRoot: true
+    # coder.securityContext.runAsUser -- Sets the user id of the pod.
+    # For security reasons, we recommend using a non-root user.
+    runAsUser: 1000
+    # coder.securityContext.runAsGroup -- Sets the group id of the pod.
+    # For security reasons, we recommend using a non-root group.
+    runAsGroup: 1000
+    # coder.securityContext.readOnlyRootFilesystem -- Mounts the container's
+    # root filesystem as read-only. It is recommended to leave this setting
+    # enabled in production. This will override the same setting in the pod
+    readOnlyRootFilesystem: true
+    # coder.securityContext.seccompProfile -- Sets the seccomp profile for
+    # the coder container.
+    seccompProfile:
+      type: RuntimeDefault
+    # coder.securityContext.allowPrivilegeEscalation -- Controls whether
+    # the container can gain additional privileges, such as escalating to
+    # root. It is recommended to leave this setting disabled in production.
+    allowPrivilegeEscalation: false
+
   # coder.env -- The environment variables to set for Coder. These can be used
   # to configure all aspects of `coder server`. Please see `coder server --help`
   # for information about what environment variables can be set.
