fix(helm-chart): securityContext/resources configurable for kube-rbac proxy (#38)

raffis · web-flow · commit a26ab0c96270 · 2023-06-05T10:38:39.000+02:00
* fix(helm-chart): securityContext/resources configurable for kube-rbac proxy

* refactor: remove trailing spaces
diff --git a/chart/k8sdb-controller/Chart.yaml b/chart/k8sdb-controller/Chart.yaml
@@ -12,4 +12,4 @@ keywords:
 name: k8sdb-controller
 sources:
 - https://github.com/DoodleScheduling/k8sdb-controller
-version: 0.2.2
+version: 0.2.3
diff --git a/chart/k8sdb-controller/templates/deployment.yaml b/chart/k8sdb-controller/templates/deployment.yaml
@@ -96,12 +96,9 @@ spec:
           name: https
           protocol: TCP
         resources:
-          limits:
-            cpu: 500m
-            memory: 128Mi
-          requests:
-            cpu: 5m
-            memory: 64Mi
+          {{- toYaml .Values.kubeRBACProxy.resources | nindent 10 }}
+        securityContext:
+          {{- toYaml .Values.kubeRBACProxy.securityContext | nindent 10 }}
         terminationMessagePath: /dev/termination-log
         terminationMessagePolicy: File
       {{- end }}
@@ -114,6 +111,8 @@ spec:
         secret:
           secretName: {{ .secretName }}
       {{- end }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
       affinity:
         {{- toYaml .Values.affinity | nindent 8 }}
       imagePullSecrets:
diff --git a/chart/k8sdb-controller/values.yaml b/chart/k8sdb-controller/values.yaml
@@ -82,6 +82,8 @@ securityContext:
   capabilities:
     drop: ["all"]
   readOnlyRootFilesystem: true
+
+podSecurityContext:
   runAsGroup: 10000
   runAsNonRoot: true
   runAsUser: 10000
@@ -121,4 +123,18 @@ prometheusRule:
 kubeRBACProxy:
   enabled: true
 
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop: ["all"]
+    readOnlyRootFilesystem: true
+
+  resources: {}
+  # limits:
+  #   cpu: 500m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 5m
+  #   memory: 64Mi
+
 tolerations: []
