digital-ai · jberta-agency04 · Oct 8, 2025 · Oct 8, 2025 · Oct 16, 2025
diff --git a/README.md b/README.md
@@ -121,6 +121,7 @@ kubectl delete namespace runner
 | `runner.truststorePassword` | the truststore password                                                            | `nil`                                                                                                     |
 | `runner.restClientCa`       | the certificates base64 encoded value                                         | `nil`                                                                                                     |
 | `runner.config`             | Map configuration variables that are set in the config map and used as environment | `{}`                                                                                                      |
+| `runner.kubernetes.passedSaAnnotations` | comma separated list of annotations to pass from the runner to the executor ServiceAccount | `""`                                                                                                      |
 
 ### Digital.ai Release parameters
 
@@ -183,6 +184,13 @@ kubectl delete namespace runner
 | `containerSecurityContext.enabled`      | Enabled Digital.ai Release Runner containers' Security Context                                                                                       | `false`         |
 | `containerSecurityContext.runAsUser`    | Set Digital.ai Release Runner containers' Security Context runAsUser                                                                                 | `1001`          |
 | `containerSecurityContext.runAsNonRoot` | Set Digital.ai Release Runner container's Security Context runAsNonRoot                                                                              | `true`          |
+| `executorSecurityContext.enabled` | Enable security context for executor pods | `false`                                                                                                      |
+| `executorSecurityContext.runAsUser` | User ID for executor pods | `1001`                                                                                                      |
+| `executorSecurityContext.runAsGroup` | Group ID for executor pods | `1001`                                                                                                      |
+| `executorSecurityContext.fsGroup` | Filesystem group for executor pods | `1001`                                                                                                      |
+| `executorSecurityContext.runAsNonRoot` | Force executor pods to run as non-root user | `true`                                                                                                      |
+| `executorSecurityContext.allowPrivilegeEscalation` | Allow privilege escalation in executor pods | `false`                                                                                                      |
+| `executorSecurityContext.readOnlyRootFilesystem` | Make root filesystem read-only in executor pods | `false`                                                                                                      |
 | `extraVolumeMounts`                     | Optionally specify extra list of additional volumeMounts                                                                                 | `[]`            |
 | `extraVolumes`                          | Optionally specify extra list of additional volumes .                                                                                    | `[]`            |
 | `hostAliases`                           | Deployment pod host aliases                                                                                                              | `[]`            |

diff --git a/templates/statefulset.yaml b/templates/statefulset.yaml
@@ -170,6 +170,24 @@ spec:
             - name: RELEASE_RUNNER_REST_CLIENT_CA
               value: "/workspace/ca.pem"
             {{- end}}
+            - name: RELEASE_RUNNER_KUBERNETES_PASSED_SA_ANNOTATIONS
+              value: {{ .Values.runner.kubernetes.passedSaAnnotations }}
+            {{- if .Values.executorSecurityContext }}
+            - name: RELEASE_RUNNER_EXECUTOR_SECURITY_CONTEXT_ENABLED
+              value: "{{ .Values.executorSecurityContext.enabled }}"
+            - name: RELEASE_RUNNER_EXECUTOR_SECURITY_CONTEXT_RUN_AS_USER
+              value: "{{ .Values.executorSecurityContext.runAsUser }}"
+            - name: RELEASE_RUNNER_EXECUTOR_SECURITY_CONTEXT_RUN_AS_GROUP
+              value: "{{ .Values.executorSecurityContext.runAsGroup }}"
+            - name: RELEASE_RUNNER_EXECUTOR_SECURITY_CONTEXT_FS_GROUP
+              value: "{{ .Values.executorSecurityContext.fsGroup }}"
+            - name: RELEASE_RUNNER_EXECUTOR_SECURITY_CONTEXT_RUN_AS_NON_ROOT
+              value: "{{ .Values.executorSecurityContext.runAsNonRoot }}"
+            - name: RELEASE_RUNNER_EXECUTOR_SECURITY_CONTEXT_ALLOW_PRIVILEGE_ESCALATION
+              value: "{{ .Values.executorSecurityContext.allowPrivilegeEscalation }}"
+            - name: RELEASE_RUNNER_EXECUTOR_SECURITY_CONTEXT_READ_ONLY_ROOT_FILESYSTEM
+              value: "{{ .Values.executorSecurityContext.readOnlyRootFilesystem }}"
+            {{- end }}
             {{- if .Values.extraEnvVars }}
             {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }}
             {{- end }}

diff --git a/values.yaml b/values.yaml
@@ -17,6 +17,9 @@ runner:
   restClientCA:
   ## @param runner.config [object] Map configuration variables that are set in the config map and used as environment
   config:
+  ## @param runner.kubernetes.passedSaAnnotations comma separated list of annotations to pass from the runner to the executor ServiceAccount
+  kubernetes:
+    passedSaAnnotations: ""
 
 
 ## @section Digital.ai Release parameters
@@ -195,6 +198,27 @@ podSecurityContext:
   runAsUser: 1001
   fsGroup: 1001
 
+## @section Executor Pod Security Context
+##
+## @param executorSecurityContext [object] Security context configuration for executor pods created by the runner
+## These settings control the security context of pods that the runner creates to execute tasks
+##
+executorSecurityContext:
+  ## @param executorSecurityContext.enabled Enable security context for executor pods
+  enabled: false
+  ## @param executorSecurityContext.runAsUser User ID for executor pods
+  runAsUser: 1001
+  ## @param executorSecurityContext.runAsGroup Group ID for executor pods
+  runAsGroup: 1001
+  ## @param executorSecurityContext.fsGroup Filesystem group for executor pods
+  fsGroup: 1001
+  ## @param executorSecurityContext.runAsNonRoot Force executor pods to run as non-root user
+  runAsNonRoot: true
+  ## @param executorSecurityContext.allowPrivilegeEscalation Allow privilege escalation in executor pods
+  allowPrivilegeEscalation: false
+  ## @param executorSecurityContext.readOnlyRootFilesystem Make root filesystem read-only in executor pods
+  readOnlyRootFilesystem: false
+
 ## @param containerSecurityContext.enabled Enabled Digital.ai Release Runner containers' Security Context
 ## @param containerSecurityContext.runAsUser Set Digital.ai Release Runner containers' Security Context runAsUser
 ## @param containerSecurityContext.runAsNonRoot Set Digital.ai Release Runner container's Security Context runAsNonRoot