Skip to content

Commit aeea2ed

Browse files
committed
feat(crd): add security context and resource configuration support
Add comprehensive security and resource configuration options to the MCPServer CRD to enable production-ready deployments following Kubernetes security best practices. Signed-off-by: skhedim <sebastien.khedim@gmail.com>
1 parent 89d1509 commit aeea2ed

5 files changed

Lines changed: 2136 additions & 14 deletions

File tree

api/v1alpha1/mcpserver_types.go

Lines changed: 78 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -245,6 +245,74 @@ type MCPServerDeployment struct {
245245
// ServiceAccount defines the configuration for the ServiceAccount.
246246
// +optional
247247
ServiceAccount *ServiceAccountConfig `json:"serviceAccount,omitempty"`
248+
249+
// Labels defines additional labels to add to the pod template.
250+
// These labels will be merged with the default labels.
251+
// +optional
252+
Labels map[string]string `json:"labels,omitempty"`
253+
254+
// Annotations defines additional annotations to add to the pod template.
255+
// These annotations will be merged with the default annotations.
256+
// +optional
257+
Annotations map[string]string `json:"annotations,omitempty"`
258+
259+
// Resources defines the compute resource requirements for the main MCP server container.
260+
// Use this to specify CPU and memory requests and limits.
261+
// Example:
262+
// resources:
263+
// requests:
264+
// cpu: "100m"
265+
// memory: "128Mi"
266+
// limits:
267+
// cpu: "500m"
268+
// memory: "512Mi"
269+
// +optional
270+
Resources *corev1.ResourceRequirements `json:"resources,omitempty"`
271+
272+
// SecurityContext defines the security context for the main MCP server container.
273+
// Use this to configure container-level security settings such as:
274+
// - runAsUser/runAsGroup: Run as specific user/group
275+
// - runAsNonRoot: Ensure container doesn't run as root
276+
// - readOnlyRootFilesystem: Make root filesystem read-only
277+
// - allowPrivilegeEscalation: Prevent privilege escalation
278+
// - capabilities: Add or drop Linux capabilities
279+
// +optional
280+
SecurityContext *corev1.SecurityContext `json:"securityContext,omitempty"`
281+
282+
// PodSecurityContext defines the security context for the entire pod.
283+
// Use this to configure pod-level security settings such as:
284+
// - runAsUser/runAsGroup: Default user/group for all containers
285+
// - fsGroup: Group ownership of mounted volumes
286+
// - seccompProfile: Seccomp profile for the pod
287+
// - sysctls: Kernel parameters to set
288+
// +optional
289+
PodSecurityContext *corev1.PodSecurityContext `json:"podSecurityContext,omitempty"`
290+
291+
// Tolerations defines the tolerations for the pod.
292+
// Use this to schedule pods on nodes with matching taints.
293+
// +optional
294+
Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
295+
296+
// Affinity defines the affinity rules for the pod.
297+
// Use this to control pod placement based on node labels, pod labels,
298+
// or other scheduling constraints.
299+
// +optional
300+
Affinity *corev1.Affinity `json:"affinity,omitempty"`
301+
302+
// NodeSelector defines the node selector for the pod.
303+
// Use this to constrain pods to nodes with specific labels.
304+
// +optional
305+
NodeSelector map[string]string `json:"nodeSelector,omitempty"`
306+
307+
// Replicas defines the number of desired pod replicas.
308+
// Defaults to 1 if not specified.
309+
// +optional
310+
// +kubebuilder:default=1
311+
Replicas *int32 `json:"replicas,omitempty"`
312+
313+
// ImagePullSecrets defines the list of secrets to use for pulling container images.
314+
// +optional
315+
ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
248316
}
249317

250318
// InitContainerConfig defines the configuration for the init container.
@@ -259,6 +327,16 @@ type InitContainerConfig struct {
259327
// +optional
260328
// +kubebuilder:validation:Enum=Always;Never;IfNotPresent
261329
ImagePullPolicy corev1.PullPolicy `json:"imagePullPolicy,omitempty"`
330+
331+
// Resources defines the compute resource requirements for the init container.
332+
// Use this to specify CPU and memory requests and limits for the init container.
333+
// +optional
334+
Resources *corev1.ResourceRequirements `json:"resources,omitempty"`
335+
336+
// SecurityContext defines the security context for the init container.
337+
// If not specified, the main container's security context will be used.
338+
// +optional
339+
SecurityContext *corev1.SecurityContext `json:"securityContext,omitempty"`
262340
}
263341

264342
// ServiceAccountConfig defines the configuration for the ServiceAccount.

api/v1alpha1/zz_generated.deepcopy.go

Lines changed: 70 additions & 2 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

0 commit comments

Comments
 (0)