cdk8s-team / cdk8s-plus

A software development framework that provides high level abstractions for authoring Kubernetes applications.
https://cdk8s.io/docs/latest/plus/
Apache License 2.0

SecurityContext of Deployment Should Be Used For Pods/Containers #2049

Open akefirad opened 1 year ago

akefirad commented 1 year ago

Description of the feature or enhancement:

I'm not entirely sure, but shouldn't the security context of a Deployment object be used in its pods?

Use Case:

Let's say we have a Deployment object like below:

    const deployment = new Deployment(this, "deployment", {
      // some stuff here
      securityContext: {
        ensureNonRoot: false,
      },
    });

    // and
    deployment.addContainer({
      image: "foo",
      port: 8080,
    });

If you generate the manifest using the above, the pod still gets ensureNonRoot: true. Is that intended? Currently you have to set the property to false in both places; i.e. in Deployment and Container.

Proposed Solution:

Does it make sense to use the deployment security context as a default value for its pods?

Other:

N/A


This is a :rocket: Feature Request

github-actions[bot] commented 3 months ago

This issue has not received any attention in 1 year and will be closed soon. If you want to keep it open, please leave a comment below @mentioning a maintainer.

akefirad commented 3 months ago

👋

iliapolo commented 3 months ago

The problem here is that we generate a default security context for containers, regardless of whether the deployment has its own context - thus overriding it. I think it's reasonable to first check if the deployment has a security context, and only set a default if it doesn't. This will allow k8s to apply the correct hierarchal context behavior.
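
The precedence discussed in this thread, as an added example that is not part of the issue or of cdk8s-plus: Kubernetes uses a container's own `securityContext` value over the pod-level one, so a default that is always written on the container masks the Deployment's setting. The type names, the functions and the two manifests are constructed for illustration; `withDefault` is a hypothetical, field-level version of the check proposed above, and the mapping of `ensureNonRoot` to `runAsNonRoot` is an assumption.

```typescript
// Added example; the manifests are constructed. Assumes ensureNonRoot renders as runAsNonRoot.
type SecurityContext = { runAsNonRoot?: boolean };
interface PodSpec {
  securityContext?: SecurityContext;
  containers: { name: string; securityContext?: SecurityContext }[];
}

// Effective value per container: the container's own setting if present, else the pod's.
function effectiveRunAsNonRoot(spec: PodSpec): Record<string, boolean | undefined> {
  const out: Record<string, boolean | undefined> = {};
  for (const c of spec.containers) {
    out[c.name] = c.securityContext?.runAsNonRoot ?? spec.securityContext?.runAsNonRoot;
  }
  return out;
}

// Names of containers whose own setting contradicts an explicit pod-level setting.
function maskedPodSettings(spec: PodSpec): string[] {
  const podValue = spec.securityContext?.runAsNonRoot;
  if (podValue === undefined) return [];
  return spec.containers
    .filter(c => {
      const own = c.securityContext?.runAsNonRoot;
      return own !== undefined && own !== podValue;
    })
    .map(c => c.name);
}

// Hypothetical synthesis step: write the container default only when neither the
// container nor the pod-level context sets the field.
function withDefault(spec: PodSpec, containerDefault: boolean): PodSpec {
  const podValue = spec.securityContext?.runAsNonRoot;
  return {
    ...spec,
    containers: spec.containers.map(c => {
      if (c.securityContext?.runAsNonRoot !== undefined || podValue !== undefined) return c;
      return { ...c, securityContext: { ...c.securityContext, runAsNonRoot: containerDefault } };
    }),
  };
}

// Constructed: the reported manifest shape (pod says false, container default says true).
const reported: PodSpec = {
  securityContext: { runAsNonRoot: false },
  containers: [{ name: "main", securityContext: { runAsNonRoot: true } }],
};
// Constructed: the same deployment passed through the conditional default.
const proposed = withDefault(
  { securityContext: { runAsNonRoot: false }, containers: [{ name: "main" }] }, true);
```

Running `maskedPodSettings` over the pod specs in a synthesized manifest lists the containers where the value in effect differs from what was set on the Deployment.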