fix: seccomp profile (#3313)

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2025-03-31 03:45:17 +00:00 · 2022-02-28 15:40:40 +01:00 · 2022-02-28 15:40:40 +01:00 · fef7bb6f0f
commit fef7bb6f0f
parent c84939df00
4 changed files with 27 additions and 16 deletions
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@ -83,6 +83,7 @@ The command removes all the Kubernetes components associated with the chart and
 | podLabels | object | `{}` | Additional labels to add to each pod |
 | podAnnotations | object | `{}` | Additional annotations to add to each pod |
 | podSecurityContext | object | `{}` | Security context for the pod |
+| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers |
 | priorityClassName | string | `""` | Optional priority class to be used for kyverno pods |
 | antiAffinity.enable | bool | `true` | Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node. |
 | podAntiAffinity | object | See [values.yaml](values.yaml) | Pod anti affinity constraints. |
--- a/charts/kyverno/templates/_helpers.tpl
+++ b/charts/kyverno/templates/_helpers.tpl
@ -114,3 +114,11 @@ replicas: 1
 replicas: 3
 {{- end }}
 {{- end }}
+
+{{- define "kyverno.securityContext" -}}
+{{- if semverCompare "<1.19" .Capabilities.KubeVersion.Version }}
+{{ toYaml (omit .Values.securityContext "seccompProfile") }}
+{{- else }}
+{{ toYaml .Values.securityContext }}
+{{- end }}
+{{- end }}
--- a/charts/kyverno/templates/deployment.yaml
+++ b/charts/kyverno/templates/deployment.yaml
@ -71,14 +71,9 @@ spec:
          {{- with .Values.initResources }}
          resources: {{ tpl (toYaml .) $ | nindent 12 }}
          {{- end }}
-          securityContext:
-            runAsNonRoot: true
-            privileged: false
-            allowPrivilegeEscalation: false
-            readOnlyRootFilesystem: true
-            capabilities:
-              drop:
-                - ALL
+          {{- if .Values.securityContext }}
+          securityContext: {{ include "kyverno.securityContext" . | nindent 12 }}
+          {{- end }}
          env:
          - name: METRICS_CONFIG
            value: {{ template "kyverno.metricsConfigMapName" . }}
@ -101,14 +96,9 @@ spec:
          {{- with .Values.resources }}
          resources: {{ tpl (toYaml .) $ | nindent 12 }}
          {{- end }}
-          securityContext:
-            runAsNonRoot: true
-            privileged: false
-            allowPrivilegeEscalation: false
-            readOnlyRootFilesystem: true
-            capabilities:
-              drop:
-                - ALL
+          {{- if .Values.securityContext }}
+          securityContext: {{ include "kyverno.securityContext" . | nindent 12 }}
+          {{- end }}
          ports:
          - containerPort: 9443
            name: https
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@ -72,6 +72,18 @@ podAnnotations: {}
 # -- Security context for the pod
 podSecurityContext: {}

+# -- Security context for the containers
+securityContext:
+  runAsNonRoot: true
+  privileged: false
+  allowPrivilegeEscalation: false
+  readOnlyRootFilesystem: true
+  capabilities:
+    drop:
+      - ALL
+  seccompProfile:
+    type: RuntimeDefault
+
 # -- Optional priority class to be used for kyverno pods
 priorityClassName: ''