[Feature] Allow to customize Security Context (#588)

CHANGELOG.md

@@ -9,6 +9,7 @@
 - Allow to customize ID Pod selectors
 - Add Label and Envs Pod customization
 - Improved JWT Rotation
+- Allow to customize Security Context in pods
 
 ## [1.0.3](https://github.com/arangodb/kube-arangodb/tree/1.0.3) (2020-05-25)
 - Prevent deletion of not known PVC's

pkg/apis/deployment/v1/server_group_spec.go

@@ -100,6 +100,13 @@ type ServerGroupSpecSecurityContext struct {
 	DropAllCapabilities *bool `json:"dropAllCapabilities,omitempty"`
 	// AddCapabilities add new capabilities to containers
 	AddCapabilities []core.Capability `json:"addCapabilities,omitempty"`
+
+	AllowPrivilegeEscalation *bool  `json:"allowPrivilegeEscalation,omitempty"`
+	Privileged               *bool  `json:"privileged,omitempty"`
+	ReadOnlyRootFilesystem   *bool  `json:"readOnlyFileSystem,omitempty"`
+	RunAsNonRoot             *bool  `json:"runAsNonRoot,omitempty"`
+	RunAsUser                *int64 `json:"runAsUser,omitempty"`
+	RunAsGroup               *int64 `json:"runAsGroup,omitempty"`
 }
 
 // GetDropAllCapabilities returns flag if capabilities should be dropped
@@ -134,6 +141,15 @@ func (s *ServerGroupSpecSecurityContext) GetAddCapabilities() []core.Capability
 func (s *ServerGroupSpecSecurityContext) NewSecurityContext() *core.SecurityContext {
 	r := &core.SecurityContext{}
 
+	if s != nil {
+		r.AllowPrivilegeEscalation = s.AllowPrivilegeEscalation
+		r.Privileged = s.Privileged
+		r.ReadOnlyRootFilesystem = s.ReadOnlyRootFilesystem
+		r.RunAsNonRoot = s.RunAsNonRoot
+		r.RunAsUser = s.RunAsUser
+		r.RunAsGroup = s.RunAsGroup
+	}
+
 	capabilities := &core.Capabilities{}
 
 	if s.GetDropAllCapabilities() {

pkg/apis/deployment/v1/zz_generated.deepcopy.go

@@ -1209,6 +1209,36 @@ func (in *ServerGroupSpecSecurityContext) DeepCopyInto(out *ServerGroupSpecSecur
 		*out = make([]corev1.Capability, len(*in))
 		copy(*out, *in)
 	}
+	if in.AllowPrivilegeEscalation != nil {
+		in, out := &in.AllowPrivilegeEscalation, &out.AllowPrivilegeEscalation
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Privileged != nil {
+		in, out := &in.Privileged, &out.Privileged
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ReadOnlyRootFilesystem != nil {
+		in, out := &in.ReadOnlyRootFilesystem, &out.ReadOnlyRootFilesystem
+		*out = new(bool)
+		**out = **in
+	}
+	if in.RunAsNonRoot != nil {
+		in, out := &in.RunAsNonRoot, &out.RunAsNonRoot
+		*out = new(bool)
+		**out = **in
+	}
+	if in.RunAsUser != nil {
+		in, out := &in.RunAsUser, &out.RunAsUser
+		*out = new(int64)
+		**out = **in
+	}
+	if in.RunAsGroup != nil {
+		in, out := &in.RunAsGroup, &out.RunAsGroup
+		*out = new(int64)
+		**out = **in
+	}
 	return
 }