Enable the helm chart users to customize the Security Context config. #872

zamsong123 opened this issue Jul 11, 2024 · 2 comments

@zamsong123

What would you like to be added:
Enable the helm chart users to customize the Security Context config.

Why is this needed:
For some of the enterprise users of the helm chart, there could be some security context check in the K8s clusters.
e.g. runAsNonRoot must be set to "true"
So it will be nice if we could enable the helm chart users to configure it.

@zamsong123
Author

After analysis of the helm chart I notice there are 4 changes needed for this change:

  1. daemonset under splunk-kubernetes-logging
  2. daemonset under splunk-kubernetes-metrics
  3. deploymentMetricsAggregator under splunk-kubernetes-metrics
  4. deployment under splunk-kubernetes-objects

I will create a PR to make the change

@zamsong123
Author

Did some testing and below is the output:

    splunk-connect-for-kubernetes % helm template . | grep securityContext -A10
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      readOnlyRootFilesystem: true
      runAsGroup: 1001
      runAsNonRoot: true
      runAsUser: 1001
      seccompProfile:
        type: RuntimeDefault2222222

    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      readOnlyRootFilesystem: true
      runAsGroup: 1001
      runAsNonRoot: true
      runAsUser: 1001
      seccompProfile:
        type: RuntimeDefault44444

    --
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      readOnlyRootFilesystem: true
      runAsGroup: 1001
      runAsNonRoot: true
      runAsUser: 1001
      seccompProfile:
        type: RuntimeDefault333333

    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      readOnlyRootFilesystem: true
      runAsGroup: 1001
      runAsNonRoot: true
      runAsUser: 1001
      seccompProfile:
        type: RuntimeDefault1111111
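A grep over `helm template` output shows where a `securityContext` block renders; a structural check can additionally report, per container, which of the hardening fields listed above are missing after pod-level defaults are applied. The Ruby script below is an added example, not part of the issue or the chart; the manifest, the workload names and the function `security_context_gaps` are constructed for illustration.

```ruby
require 'yaml'

# Constructed stand-in for `helm template .` output; workload names are hypothetical.
RENDERED = <<~MANIFESTS
  kind: DaemonSet
  metadata: {name: example-logging}
  spec:
    template:
      spec:
        securityContext: {runAsNonRoot: true, runAsUser: 1001, seccompProfile: {type: RuntimeDefault}}
        containers:
        - name: agent
          securityContext:
            allowPrivilegeEscalation: false
            capabilities: {drop: [ALL]}
            readOnlyRootFilesystem: true
  ---
  kind: Deployment
  metadata: {name: example-objects}
  spec:
    template:
      spec:
        containers:
        - name: objects
          securityContext: {allowPrivilegeEscalation: false, runAsUser: 0}
MANIFESTS

# Fields a container inherits from the pod-level securityContext when it leaves them unset.
POD_INHERITED = %w[runAsNonRoot runAsUser runAsGroup seccompProfile].freeze

# Returns "Kind/name/container: field" for every hardening setting that is missing or weak.
def security_context_gaps(rendered)
  rendered.split(/^---[ \t]*$/).map { |d| YAML.safe_load(d) }.grep(Hash).flat_map do |doc|
    pod = doc.dig('spec', 'template', 'spec') || {}
    pod_sc = (pod['securityContext'] || {}).slice(*POD_INHERITED)
    pod.values_at('containers', 'initContainers').compact.flatten.flat_map do |c|
      sc = pod_sc.merge(c['securityContext'] || {}) # container-level values win
      gaps = []
      gaps << 'runAsNonRoot' unless sc['runAsNonRoot'] == true
      gaps << 'allowPrivilegeEscalation' unless sc['allowPrivilegeEscalation'] == false
      gaps << 'readOnlyRootFilesystem' unless sc['readOnlyRootFilesystem'] == true
      gaps << 'capabilities.drop' unless Array(sc.dig('capabilities', 'drop')).include?('ALL')
      gaps << 'seccompProfile.type' unless %w[RuntimeDefault Localhost].include?(sc.dig('seccompProfile', 'type'))
      gaps.map { |g| "#{doc['kind']}/#{doc.dig('metadata', 'name')}/#{c['name']}: #{g}" }
    end
  end
end

puts security_context_gaps(RENDERED)
```

To run it against a real chart, replace `RENDERED` with the captured output of `helm template .`; an empty result means every container carries all five settings.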
