pegasystems / pega-helm-charts

Orchestrate a Pega Platform™ deployment by using Docker, Kubernetes, and Helm to take advantage of Pega Platform Cloud Choice flexibility.
https://community.pega.com/knowledgebase/articles/cloud-choice
Apache License 2.0

SRS add support for setting securityContext #711

Open konire opened 5 months ago

konire commented 5 months ago

Is your feature request related to a problem? Please describe.
The SRS chart currently does not support setting the securityContext on pod or container.

Describe the solution you'd like
I'd like to (optionally) set the securityContext.

Describe alternatives you've considered
n/a

Additional context
n/a

kishorv10 commented 3 months ago

@reddy-srinivas @ravitejamekapega Can you please take a look?

dekke046 commented 3 months ago

@konire @kishorv10 @reddy-srinivas @ravitejamekapega,

Perhaps this can be looked at more generic.

I am facing customisations to the template files due to company security settings and therefore for all containers/pods I need to add the following:

  securityContext:
    runAsNonRoot: true
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault

It would be great if these securityContext values can be specified in the values.yaml, so at the global level and be fully inherited by all underlying templates or charts.

Especially on in-company shared k8s platforms, security becomes more and more important.
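One way the global setting asked for above could be expressed, added here as an illustration and not the chart's own code (the `global.securityContext` key and the `pega.containerSecurityContext` helper name are assumptions); it also notes which fields are valid at pod versus container level, since the block above mixes both:

```yaml
# values.yaml (constructed illustration; key names are assumptions, not the chart's own)
# Helm shares the "global" map with every subchart, so a value placed here is
# visible to the pega chart, the srs subchart and any other subchart alike.
global:
  securityContext:
    runAsNonRoot: true              # valid at pod level and container level
    allowPrivilegeEscalation: false # container level only
    capabilities:                   # container level only
      drop:
        - ALL
    seccompProfile:                 # valid at pod level and container level
      type: RuntimeDefault

# templates/_helpers.tpl (constructed): a chart-local .Values.securityContext
# overrides the global one; nothing is rendered when neither is set, so existing
# deployments are unchanged.
#
# {{- define "pega.containerSecurityContext" -}}
# {{- $ctx := .Values.securityContext | default .Values.global.securityContext -}}
# {{- if $ctx }}
# securityContext:
#   {{- toYaml $ctx | nindent 2 }}
# {{- end }}
# {{- end }}

# usage inside the container spec of a deployment template (constructed):
#
#       containers:
#         - name: srs-service
#           {{- include "pega.containerSecurityContext" . | nindent 10 }}
```

A quick check after rendering is `helm template . | grep -A8 securityContext`, which should show the block under every container, and none of the container-only fields under a pod-level `securityContext`.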

kishorv10 commented 3 months ago

@dekke046 Are you asking for SRS subchart or backing services or Pega charts? Can you be specific.

dekke046 commented 3 months ago

@kishorv10

At least I had to make securityContext changes to the following files for the Pega chart:

./charts/pegasearch/templates/pega-search-deployment.yaml
./templates/_pega-deployment.tpl
./templates/_helpers.tpl

For the backingservices: ./charts/srs/templates/srsservice_deployment.yaml

I have not checked the addons charts files yet.

I have only done helm install and do not yet have any experience with helm upgrade for version upgrade activities; that will probably start a container doing all the database upgrade SQL work, which also needs to have the proper securityContext settings.

kishorv10 commented 3 months ago

@dekke046 The Pegasearch sub chart deployment (./charts/pegasearch/templates/pega-search-deployment.yaml) is deprecated; for versions 8.6 and above it is recommended to use SRS backing services. The latest enhancements are not provided to it. More details are here

Are both the Pegasearch subchart and SRS backing service utilized in your deployment?

kishorv10 commented 2 months ago

The current ask is partially completed in #750. Start using the feature and revert in case of any issues.

dekke046 commented 2 months ago

> @dekke046 The Pegasearch sub chart deployment (./charts/pegasearch/templates/pega-search-deployment.yaml) is deprecated; for versions 8.6 and above it is recommended to use SRS backing services. The latest enhancements are not provided to it. More details are here
>
> Are both the Pegasearch subchart and SRS backing service utilized in your deployment?

Thank you, we will move towards SRS soon!

dekke046 commented 2 months ago

> The current ask is partially completed in #750. Start using the feature and revert in case of any issues.

Excellent @kishorv10 , We will test this feature.