From 0b5f9a0f25beb19b121d905d77448f463a1ef12f Mon Sep 17 00:00:00 2001
From: treydock
Date: Mon, 7 Aug 2023 08:24:53 -0400
Subject: [PATCH] feat(chart) Allow podSecurityContext and securityContext for webhooksCleanup (#7970)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes #7962
Signed-off-by: Trey Dockendorf
Co-authored-by: Charles-Edouard Brétéché
---
 charts/kyverno/Chart.yaml | 2 ++
 charts/kyverno/README.md | 2 ++
 charts/kyverno/templates/hooks/pre-delete.yaml | 8 ++++++++
 charts/kyverno/values.yaml | 17 +++++++++++++++++
 4 files changed, 29 insertions(+)
diff --git a/charts/kyverno/Chart.yaml b/charts/kyverno/Chart.yaml
index e2714e6edf..23ef96b1f0 100644
--- a/charts/kyverno/Chart.yaml
+++ b/charts/kyverno/Chart.yaml
@@ -60,3 +60,5 @@ annotations:
 description: allow affinity settings for cleanup jobs
 - kind: added
 description: Add helper to handle the labels for cleanup jobs, add component label
+ - kind: added
+ description: allow podSecurityContext and securityContext for webhooksCleanup
diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md
index b2d2c0dba1..3d61a812ea 100644
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@@ -616,11 +616,13 @@ The chart values are organised per component.
 | webhooksCleanup.enabled | bool | `true` | Create a helm pre-delete hook to cleanup webhooks. |
 | webhooksCleanup.image | string | `"bitnami/kubectl:latest"` | `kubectl` image to run commands for deleting webhooks. |
 | webhooksCleanup.imagePullSecrets | list | `[]` | Image pull secrets |
+| webhooksCleanup.podSecurityContext | object | `{}` | Security context for the pod |
 | webhooksCleanup.nodeSelector | object | `{}` | Node labels for pod assignment |
 | webhooksCleanup.tolerations | list | `[]` | List of node taints to tolerate |
 | webhooksCleanup.podAntiAffinity | object | `{}` | Pod anti affinity constraints. |
 | webhooksCleanup.podAffinity | object | `{}` | Pod affinity constraints. |
 | webhooksCleanup.nodeAffinity | object | `{}` | Node affinity constraints. |
+| webhooksCleanup.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the hook containers |
 ### Test
diff --git a/charts/kyverno/templates/hooks/pre-delete.yaml b/charts/kyverno/templates/hooks/pre-delete.yaml
index 7479bc399e..679ea2b8cf 100644
--- a/charts/kyverno/templates/hooks/pre-delete.yaml
+++ b/charts/kyverno/templates/hooks/pre-delete.yaml
@@ -15,6 +15,10 @@ spec:
 template:
 spec:
 serviceAccount: {{ template "kyverno.admission-controller.serviceAccountName" . }}
+ {{- with .Values.webhooksCleanup.podSecurityContext }}
+ securityContext:
+ {{- tpl (toYaml .) $ | nindent 8 }}
+ {{- end }}
 restartPolicy: Never
 {{- with .Values.webhooksCleanup.imagePullSecrets }}
 imagePullSecrets:
@@ -31,6 +35,10 @@ spec:
 sleep 30
 kubectl delete validatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno
 kubectl delete mutatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno
+ {{- with .Values.webhooksCleanup.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 {{- with .Values.webhooksCleanup.tolerations }}
 tolerations:
 {{- tpl (toYaml .) $ | nindent 8 }}
diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml
index 82f5459494..8d65143af3 100644
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@@ -308,6 +308,9 @@ webhooksCleanup:
 # -- Image pull secrets
 imagePullSecrets: []
+ # -- Security context for the pod
+ podSecurityContext: {}
+
 # -- Node labels for pod assignment
 nodeSelector: {}
@@ -323,6 +326,20 @@ webhooksCleanup:
 # -- Node affinity constraints.
 nodeAffinity: {}
+ # -- Security context for the hook containers
+ securityContext:
+ runAsUser: 65534
+ runAsGroup: 65534
+ runAsNonRoot: true
+ privileged: false
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+
 grafana:
 # -- Enable grafana dashboard creation.
 enabled: false
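Review bot: The container-level `securityContext` is rendered with `{{- toYaml . | nindent 12 }}`, while the pod-level `securityContext` added in the previous hunk and the `tolerations` block directly below both pass values through `tpl (toYaml .) $`, so a value containing a template expression would be expanded in one place and emitted literally in the other. `{{- tpl (toYaml .) $ | nindent 12 }}` would keep the two new settings consistent with the rest of the pre-delete template; if the literal behaviour is intended for the container block, a one-line comment above the `with` saying so would spare the next reader the comparison. The container definition, and the script block the `kubectl delete` lines belong to, begin outside the hunk, so I could not confirm from the hunk alone that `securityContext:` lands at the container's key indentation rather than inside that block scalar — a `helm template` render of the hook would settle it.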
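Review bot: The new default `securityContext` combines `readOnlyRootFilesystem: true` with `runAsUser: 65534` for a container whose job is to run `kubectl delete`, and kubectl attempts to write its discovery cache under the running user's home directory (`.kube/cache`); with a read-only root filesystem and no writable volume that write fails, and how kubectl reacts to that has varied between versions (a warning in some, a hard error in others) — an error here would make the pre-delete hook fail and block the uninstall. Worth confirming the hook completes with the default `bitnami/kubectl:latest` image under these defaults, or giving the container a writable `emptyDir` for the cache directory in the template, and recording the constraint in the comment, e.g. `# -- Security context for the hook containers (restrictive defaults; kubectl must work with a read-only root filesystem)`. The pod-level `podSecurityContext` in the preceding hunk defaults to `{}`, so all of the hardening lives at container level; that is fine for this single-container pod but deserves a word in its own comment.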