Closed techorix closed 11 months ago
I guess you mean the `allowPrivilegeEscalation` property part of the container's `securityContext` property.
If so, there is nothing we can do in the Quarkus Helm extension to add it since Quarkus Helm can only bind/map properties that are generated by the Quarkus Kubernetes/OpenShift extensions. The good news is that this would be something really straightforward to support, but I encourage you to report the issue or directly provide a pull request with the changes in the Quarkus repository (as a reference, you can see this pull request https://github.com/quarkusio/quarkus/pull/24089).
As a workaround, you can add your custom Deployment resource template in `src/main/kubernetes/kubernetes.yml` with the properties you need, and the Quarkus Kubernetes extensions should merge it into the generated resources. For example:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: <your project name or the name of the generated deployment resource name>
spec:
  template:
    spec:
      containers:
        - securityContext:
            allowPrivilegeEscalation: false
```
And now checking the generated Deployment resource in `target/kubernetes/kubernetes.yml`, it should include the `allowPrivilegeEscalation` property.

And now, you can use Quarkus Helm to map the `allowPrivilegeEscalation` property using Helm by adding the following properties:

```properties
quarkus.helm.values.allowPrivilegeEscalation.paths=(kind == Deployment).spec.template.spec.containers.(name == <name of the generated container>).securityContext.allowPrivilegeEscalation
```
With this property, you will see that the generated `values.yaml` file for Helm (in `target/helm/kubernetes/<chart name>`) will contain:

```yaml
---
app:
  allowPrivilegeEscalation: false
...
```
I hope it helps!
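
An added illustration (not part of the comment above, and not the Quarkus Helm extension's own code): a small resolver for the `(key == value)` path syntax used in the mapping property, run over a constructed Deployment to check that the path selects a container and that the selected value is `false`. The container names `my-app` and `sidecar` and the functions `parse_path`, `resolve` and `check_mapping` are hypothetical, and only the filter and dotted-key forms shown in this thread are handled.

```python
import re

# Constructed sample: resources as parsed from target/kubernetes/kubernetes.yml.
# The names "my-app" and "sidecar" are hypothetical.
RESOURCES = [
    {"kind": "Service", "metadata": {"name": "my-app"}},
    {"kind": "Deployment", "metadata": {"name": "my-app"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "my-app",
          "securityContext": {"allowPrivilegeEscalation": False}},
         {"name": "sidecar"},  # no securityContext set
     ]}}}},
]

PATH = ("(kind == Deployment).spec.template.spec.containers."
        "(name == my-app).securityContext.allowPrivilegeEscalation")

# Either a "(key == value)" filter or a plain dotted key.
_TOKEN = re.compile(r"\(\s*([\w.-]+)\s*==\s*([^)]+?)\s*\)|([^.()]+)")

def parse_path(path):
    """Split a path into ('filter', key, value) and ('key', name) steps."""
    steps = []
    for m in _TOKEN.finditer(path):
        if m.group(1):
            steps.append(("filter", m.group(1), m.group(2)))
        else:
            steps.append(("key", m.group(3).strip()))
    return steps

def resolve(resources, path):
    """Return every value the path selects; an empty list means no match."""
    nodes = list(resources)
    for step in parse_path(path):
        selected = []
        for node in nodes:
            if step[0] == "filter":
                items = node if isinstance(node, list) else [node]
                selected += [i for i in items if isinstance(i, dict)
                             and str(i.get(step[1])) == step[2]]
            elif isinstance(node, dict) and step[1] in node:
                selected.append(node[step[1]])
        nodes = selected
    return nodes

def check_mapping(resources, path, expected=False):
    """True only if the path matches something and every match is `expected`."""
    values = resolve(resources, path)
    return bool(values) and all(v is expected for v in values)
```

An empty result from `resolve` means the container filter or a key in the path did not match the generated resource, which is the case to catch before relying on the value in `values.yaml`.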
Hi, this worked very well. Thank you very much for your very helpful suggestion :)
Hi,
as described here it is possible to set allowPrivilegeConfiguration in the securityContext of the container. As of now I don't see an option in Quarkus Kubernetes Extension or Quarkus Helm Extension to add this. As this is often required by Kyverno rules I wanted to ask if it is possible to include this somehow?
This is the code example used in the URL above: https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/pods/security/security-context.yaml