diff --git a/charts/kyverno/Chart.yaml b/charts/kyverno/Chart.yaml
index e2714e6edf..23ef96b1f0 100644
--- a/charts/kyverno/Chart.yaml
+++ b/charts/kyverno/Chart.yaml
@@ -60,3 +60,5 @@ annotations:
 description: allow affinity settings for cleanup jobs
 - kind: added
 description: Add helper to handle the labels for cleanup jobs, add component label
+ - kind: added
+ description: allow podSecurityContext and securityContext for webhooksCleanup
diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md
index b2d2c0dba1..3d61a812ea 100644
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@@ -616,11 +616,13 @@ The chart values are organised per component.
 | webhooksCleanup.enabled | bool | `true` | Create a helm pre-delete hook to cleanup webhooks. |
 | webhooksCleanup.image | string | `"bitnami/kubectl:latest"` | `kubectl` image to run commands for deleting webhooks. |
 | webhooksCleanup.imagePullSecrets | list | `[]` | Image pull secrets |
+| webhooksCleanup.podSecurityContext | object | `{}` | Security context for the pod |
 | webhooksCleanup.nodeSelector | object | `{}` | Node labels for pod assignment |
 | webhooksCleanup.tolerations | list | `[]` | List of node taints to tolerate |
 | webhooksCleanup.podAntiAffinity | object | `{}` | Pod anti affinity constraints. |
 | webhooksCleanup.podAffinity | object | `{}` | Pod affinity constraints. |
 | webhooksCleanup.nodeAffinity | object | `{}` | Node affinity constraints. |
+| webhooksCleanup.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the hook containers |
 
 ### Test
 
diff --git a/charts/kyverno/templates/hooks/pre-delete.yaml b/charts/kyverno/templates/hooks/pre-delete.yaml
index 7479bc399e..679ea2b8cf 100644
--- a/charts/kyverno/templates/hooks/pre-delete.yaml
+++ b/charts/kyverno/templates/hooks/pre-delete.yaml
@@ -15,6 +15,10 @@ spec:
 template:
 spec:
 serviceAccount: {{ template "kyverno.admission-controller.serviceAccountName" . }}
+ {{- with .Values.webhooksCleanup.podSecurityContext }}
+ securityContext:
+ {{- tpl (toYaml .) $ | nindent 8 }}
+ {{- end }}
 restartPolicy: Never
 {{- with .Values.webhooksCleanup.imagePullSecrets }}
 imagePullSecrets:
@@ -31,6 +35,10 @@ spec:
 sleep 30
 kubectl delete validatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno
 kubectl delete mutatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno
+ {{- with .Values.webhooksCleanup.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 {{- with .Values.webhooksCleanup.tolerations }}
 tolerations:
 {{- tpl (toYaml .) $ | nindent 8 }}
diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml
index 82f5459494..8d65143af3 100644
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@@ -308,6 +308,9 @@ webhooksCleanup:
 # -- Image pull secrets
 imagePullSecrets: []
 
+ # -- Security context for the pod
+ podSecurityContext: {}
+
 # -- Node labels for pod assignment
 nodeSelector: {}
 
@@ -323,6 +326,20 @@ webhooksCleanup:
 # -- Node affinity constraints.
 nodeAffinity: {}
 
+ # -- Security context for the hook containers
+ securityContext:
 runAsUser: 65534
 runAsGroup: 65534
 runAsNonRoot: true
 privileged: false
 allowPrivilegeEscalation: false
 readOnlyRootFilesystem: true
 capabilities:
 drop:
 - ALL
 seccompProfile:
 type: RuntimeDefault
+
 grafana:
 # -- Enable grafana dashboard creation.
 enabled: false
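Review bot: The pod-level block renders `podSecurityContext` through `tpl (toYaml .) $`, while the container-level `securityContext` added later in this same file uses plain `toYaml .`, so the two new knobs are templated differently for no stated reason. A securityContext holds only fixed scalar fields, so there is nothing to template; `{{- toYaml . | nindent 8 }}` is the safer form because a value that happens to contain `{{` is then emitted verbatim instead of being evaluated as a Helm template with the full chart context. With the `with` guard and the `{}` default, nothing is set at pod level unless an operator opts in, which is acceptable only because the container defaults in values.yaml pin runAsNonRoot and seccomp; a comment on the value, e.g. `# -- Security context for the pod; fields set in the container-level securityContext take precedence`, would make that relationship explicit. The Job spec this block lands in starts before the hunk.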
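Review bot: The container defaults this block renders (`runAsUser: 65534` plus `readOnlyRootFilesystem: true`) leave kubectl with no writable location: kubectl keeps its discovery cache under `$HOME/.kube/cache`, and uid 65534 has neither a home directory in the image nor a writable root. In my experience kubectl logs the cache-write failure and still completes the delete, but that is inferred rather than shown here, so the rendered Job should be run once with these defaults before they ship; if it does break, the usual fix is an `emptyDir` mounted at `/tmp` with `HOME=/tmp` in the container env. Note also that the `with` guard means an operator who sets `securityContext: {}` gets a container with no restrictions at all, and a cluster enforcing the restricted Pod Security Standard will then reject the hook Job rather than the uninstall silently succeeding, which is worth a sentence in values.yaml. The container definition (name, image, command) starts before the hunk.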
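Review bot: The comment `# -- Security context for the hook containers` is what helm-docs copies into the README, and it says nothing about what the fourteen-line default is meant to guarantee or how to turn it off. The defaults shown (no privilege, all capabilities dropped, runAsNonRoot, RuntimeDefault seccomp) are exactly the container-level requirements of the restricted Pod Security Standard, and because pre-delete.yaml wraps the block in `with`, an empty map removes it from the rendered Job entirely; I would state both: `# -- Security context for the hook containers. Defaults satisfy the "restricted" Pod Security Standard; set to {} to omit the block.` The same one-line treatment applies to the `podSecurityContext` comment added in the earlier hunk of this file.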