diff --git a/deploy/charts/version-checker/README.md b/deploy/charts/version-checker/README.md
index 30816dbe..4b95ab0e 100644
--- a/deploy/charts/version-checker/README.md
+++ b/deploy/charts/version-checker/README.md
@@ -40,6 +40,7 @@ A Helm chart for version-checker
| livenessProbe.initialDelaySeconds | int | `3` | Number of seconds after the container has started before liveness probes are initiated. |
| livenessProbe.periodSeconds | int | `3` | How often (in seconds) to perform the livenessProbe. |
| nodeSelector | object | `{}` | Configure nodeSelector |
+| podSecurityContext | object | `{}` | Set pod-level security context |
| prometheus.enabled | bool | `false` | Deploy a Prometheus-Operator Prometheus Object to collect version-checker metrics |
| prometheus.replicas | int | `1` | Number of Prometheus replicas to create |
| prometheus.serviceAccountName | string | `"prometheus"` | ServiceAccount for new Prometheus Object |
@@ -51,6 +52,7 @@ A Helm chart for version-checker
| readinessProbe.periodSeconds | int | `3` | How often (in seconds) to perform the readinessProbe. |
| replicaCount | int | `1` | Replica Count for version-checker |
| resources | object | `{}` | Setup version-checkers resource requests/limits |
+| securityContext | object | `{}` | Set container-level security context |
| selfhosted | []{name: "", host: "", username:"", password:"", token:""}] | `[]` | Setup a number of SelfHosted Repositories and their credentials |
| service.annotations | object | `{}` | Additional annotations to add to the service |
| service.labels | object | `{}` | Additional labels to add to the service |
diff --git a/deploy/charts/version-checker/templates/deployment.yaml b/deploy/charts/version-checker/templates/deployment.yaml
index f670b183..753d3fb5 100644
--- a/deploy/charts/version-checker/templates/deployment.yaml
+++ b/deploy/charts/version-checker/templates/deployment.yaml
@@ -54,6 +54,10 @@ spec:
- "--test-all-containers={{.Values.versionChecker.testAllContainers}}"
resources:
{{- toYaml .Values.resources | nindent 12 }}
+ {{- with .Values.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
{{- if .Values.livenessProbe.enabled }}
livenessProbe:
{{- omit .Values.livenessProbe "enabled" | toYaml | nindent 10}}
@@ -202,7 +206,10 @@ spec:
{{- if .Values.env }}
{{- toYaml .Values.env | nindent 8 }}
{{- end }}
-
+ {{- with .Values.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
volumes:
{{- if $secretEnabled }}
- name: {{ include "version-checker.name" . }}
diff --git a/deploy/charts/version-checker/tests/deployment_test.yaml b/deploy/charts/version-checker/tests/deployment_test.yaml
index 14c4c4dc..029416a0 100644
--- a/deploy/charts/version-checker/tests/deployment_test.yaml
+++ b/deploy/charts/version-checker/tests/deployment_test.yaml
@@ -425,3 +425,21 @@ tests:
- equal:
path: spec.template.metadata.annotations["foo"]
value: bar
+
+ - it: (Pod-)SecurityContext is reflected
+ set:
+ podSecurityContext:
+ runAsUser: 65534
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ asserts:
+ - equal:
+ path: spec.template.spec.securityContext
+ value:
+ runAsUser: 65534
+ - equal:
+ path: spec.template.spec.containers[0].securityContext
+ value:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
diff --git a/deploy/charts/version-checker/values.yaml b/deploy/charts/version-checker/values.yaml
index 813513f4..de0e7a57 100644
--- a/deploy/charts/version-checker/values.yaml
+++ b/deploy/charts/version-checker/values.yaml
@@ -118,6 +118,21 @@ resources:
# memory: 128Mi
#
+# -- Set container-level security context
+securityContext: {}
+ # allowPrivilegeEscalation: false
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+ # runAsUser: 65534
+ # seccompProfile:
+ # type: RuntimeDefault
+
+# -- Set pod-level security context
+podSecurityContext: {}
+
# Configure the readiness probe for version-checker
readinessProbe:
# -- Enable/Disable the setting of a readinessProbe