quarkiverse / quarkus-helm

Quarkus Extension to generate the Helm artifacts
Apache License 2.0

Feature-Request: Setting allowPrivilegeConfiguration parameter for Container #283

Closed techorix closed 11 months ago

techorix commented 11 months ago

Hi,

as described here it is possible to set allowPrivilegeConfiguration in the securityContext of the container. As of now I don't see an option in Quarkus Kubernetes Extension or Quarkus Helm Extension to add this. As this is often required by Kyverno rules I wanted to ask if it is possible to include this somehow?

This is the code example used in the URL above: https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/pods/security/security-context.yaml

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  volumes:
  - name: sec-ctx-vol
    emptyDir: {}
  containers:
  - name: sec-ctx-demo
    image: busybox:1.28
    command: [ "sh", "-c", "sleep 1h" ]
    volumeMounts:
    - name: sec-ctx-vol
      mountPath: /data/demo
    securityContext:
      allowPrivilegeEscalation: false

Sgitario commented 11 months ago

I guess you mean the allowPrivilegeEscalation property part of the container's securityContext property. If so, there is nothing we can do in the Quarkus Helm extension to add it since Quarkus Helm can only bind/map properties that are generated by the Quarkus Kubernetes/OpenShift extensions. The good news is that this would be something really straightforward to support, but I encourage you to report the issue / or directly provide a pull request with the changes in the Quarkus repository (as a reference, you can see this pull request https://github.com/quarkusio/quarkus/pull/24089).

As a workaround, you can add your custom Deployment resource template in src/main/kubernetes/kubernetes.yml with the properties you need, and the Quarkus Kubernetes extensions should merge it into the generated resources. For example:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: <your project name or the name of the generated deployment resource name>
spec:
  template:
    spec:
      containers:
        - securityContext:
            allowPrivilegeEscalation: false

And now checking the generated Deployment resource in target/kubernetes/kubernetes.yml, it should include the allowPrivilegeEscalation property.

And now, you can use Quarkus Helm to map the allowPrivilegeEscalation property using Helm by adding the following properties:

quarkus.helm.values.allowPrivilegeEscalation.paths=(kind == Deployment).spec.template.spec.containers.(name == <name of the generated container>).securityContext.allowPrivilegeEscalation

With this property, you will see that the generated values.yaml file for Helm (in target/helm/kubernetes/<chart name>) will contain:

---
app:
  allowPrivilegeEscalation: false
...

I hope it helps!
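
As an added example for this thread (not code from quarkus-helm, Quarkus or either commenter), the Python script below does the two things a practitioner wants after applying the workaround above: it audits a parsed set of manifests for any container that does not set securityContext.allowPrivilegeEscalation to false (the condition Kyverno's disallow-privilege-escalation policy checks on containers, initContainers and ephemeralContainers), and it evaluates a simplified reimplementation of the (kind == ...).field.(name == ...) path syntax used in quarkus.helm.values.*.paths, so you can see exactly which leaf an expression selects and what happens to it once it is mapped to a Values reference. The manifests are constructed inline as Python dicts standing in for the documents in target/kubernetes/kubernetes.yml (load the real file with yaml.safe_load_all); the resource and image names are hypothetical, and the resolver is an assumption built from the one expression shown in the thread, not the extension's own parser.

```python
# Added example for this thread, not quarkus-helm or Quarkus code. Audits parsed
# manifests for containers lacking allowPrivilegeEscalation: false and resolves a
# simplified version of the "(kind == Deployment).spec...(name == x)" path syntax.
import copy
import re

# Constructed sample standing in for target/kubernetes/kubernetes.yml (load the
# real file with yaml.safe_load_all): a Deployment carrying the workaround and a
# CronJob nobody patched, so the audit has something to report. Names are made up.
_SAMPLE = [
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "my-app"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "my-app", "image": "quay.io/example/my-app:1.0",
          "securityContext": {"allowPrivilegeEscalation": False}}]}}}},
    {"apiVersion": "batch/v1", "kind": "CronJob", "metadata": {"name": "nightly"},
     "spec": {"jobTemplate": {"spec": {"template": {"spec": {"containers": [
         {"name": "nightly", "image": "quay.io/example/nightly:1.0"}]}}}}}},
]
CONTAINER_FIELDS = ("containers", "initContainers", "ephemeralContainers")
# One path segment: either "(field == value)" or a plain field name.
SEGMENT = re.compile(r"\(\s*([\w-]+)\s*==\s*([^)]+?)\s*\)|([\w-]+)")


def sample_resources():
    """Fresh copy of the constructed manifests (set_path mutates in place)."""
    return copy.deepcopy(_SAMPLE)


def _walk_containers(node):
    """Yield every container dict under containers/initContainers/
    ephemeralContainers, however deep the pod template sits."""
    if isinstance(node, dict):
        for key, val in node.items():
            if key in CONTAINER_FIELDS and isinstance(val, list):
                yield from (c for c in val if isinstance(c, dict))
            else:
                yield from _walk_containers(val)
    elif isinstance(node, list):
        for item in node:
            yield from _walk_containers(item)


def find_privilege_escalation_gaps(resources):
    """(kind, resource, container) for each container whose securityContext
    .allowPrivilegeEscalation is not literally false: the condition Kyverno's
    disallow-privilege-escalation policy enforces."""
    gaps = []
    for res in resources:
        kind, name = res.get("kind", "?"), res.get("metadata", {}).get("name", "?")
        for c in _walk_containers(res):
            if (c.get("securityContext") or {}).get("allowPrivilegeEscalation") is not False:
                gaps.append((kind, name, c.get("name", "?")))
    return gaps


def parse_path(expr):
    """Split a path into ("filter", field, value) / ("key", name, None) segments."""
    segments, pos = [], 0
    while True:
        m = SEGMENT.match(expr, pos)
        if not m:
            raise ValueError(f"unparseable segment at offset {pos}: {expr[pos:]!r}")
        segments.append(("filter", m.group(1), m.group(2)) if m.group(1)
                        else ("key", m.group(3), None))
        pos = m.end()
        if pos == len(expr):
            return segments
        if expr[pos] != ".":
            raise ValueError(f"expected '.' at offset {pos} in {expr!r}")
        pos += 1


def _select(nodes, segment):
    """Filter keeps list items whose field equals the value; key descends one level."""
    kind, key, value = segment
    out = []
    for node in nodes:
        if kind == "filter":
            items = node if isinstance(node, list) else [node]
            out.extend(i for i in items if isinstance(i, dict) and str(i.get(key)) == value)
        elif isinstance(node, dict) and key in node:
            out.append(node[key])
    return out


def resolve(resources, expr):
    """Every leaf value the expression selects, starting from the document list."""
    nodes = [resources]
    for seg in parse_path(expr):
        nodes = _select(nodes, seg)
    return nodes


def set_path(resources, expr, new_value):
    """Overwrite the selected leaves (as the extension does when it swaps a literal
    for a Values reference); returns how many were replaced."""
    segments = parse_path(expr)
    if segments[-1][0] != "key":
        raise ValueError("path must end in a field name, not a filter")
    leaf = segments[-1][1]
    parents = [resources]
    for seg in segments[:-1]:
        parents = _select(parents, seg)
    hits = [p for p in parents if isinstance(p, dict) and leaf in p]
    for p in hits:
        p[leaf] = new_value
    return len(hits)


if __name__ == "__main__":
    res = sample_resources()
    print("gaps before mapping:", find_privilege_escalation_gaps(res))
    expr = ("(kind == Deployment).spec.template.spec.containers"
            ".(name == my-app).securityContext.allowPrivilegeEscalation")
    set_path(res, expr, "{{ .Values.app.allowPrivilegeEscalation }}")
    print("leaf after mapping:", resolve(res, expr))
```

Two points worth noting from running it. First, the audit walks every container list rather than only Deployment.spec.template, because a Kyverno policy will reject a CronJob or Job pod just as readily and those pod templates sit at a different depth. Second, once the property is mapped, the leaf in the chart template is the string {{ .Values.app.allowPrivilegeEscalation }} rather than a literal false, so the audit flags the template itself; run the check against the rendered output of helm template (or the manifests in target/kubernetes before mapping), and keep the default in values.yaml at false so a chart user has to opt in deliberately to privilege escalation.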

techorix commented 10 months ago

Hi, this worked very well. Thank you very much for your very helpful suggestion :)