Support pod.spec.containers.securityContext specification
#117
Conversation
|
@hashhar sorry to ask you but could you kindly review this, please...? 🙏 |
|
Not a maintainer, but I'm wondering if it makes sense to define a default, restrictive securityContext out-of-the-box. Trino should support running as non-root and without privilege (escalation) requirements. Most, if not all, of the bitnami charts do this, e.g. https://github.com/bitnami/charts/blob/main/bitnami/postgresql/values.yaml#L477. |
LittleWat
force-pushed
the
support-containerSecurityContext-specification
branch
2 times, most recently
from
dd5e3ed
to
bf73293
Compare
|
@chgl thank you for your comments! That would be better! Update this PR following the valeriano-manassero's implementation @mosabua sorry to ask you but I fixed the commit and rebased this branch to the latest main branch. Could you review this when you have time, please...? 🙏 |
charts/trino/README.md
Outdated
| @@ -49,6 +49,8 @@ The following table lists the configurable parameters of the Trino chart and the | |||
| | `sidecarContainers` | | `{}` | | |||
| | `securityContext.runAsUser` | | `1000` | | |||
| | `securityContext.runAsGroup` | | `1000` | | |||
| | `containerSecurityContext.allowPrivilegeEscalation` | Controls whether a process can gain more privileges than its parent process. | `false` | | |||
There was a problem hiding this comment.
I think this is generated so you can NOT insert it here .. instead it needs to be a comment in the yaml file itself.. check with other setups and maybe run frigate to confirm
There was a problem hiding this comment.
I generated this README using the command frigate gen . > README.md so it would be okay
LittleWat
force-pushed
the
support-containerSecurityContext-specification
branch
from
bf73293
to
bffbb5c
Compare
|
@mosabua thank you for your review! I have amended the commit to update the description! could you check this again, please...? |
charts/trino/values.yaml
Outdated
| containerSecurityContext: | ||
| allowPrivilegeEscalation: false # Controls whether a process can gain more privileges than its parent process. | ||
| capabilities: | ||
| drop: # List of Linux kernel capabilities that are dropped from every container. You can confirm the options for "capabilities" here: https://man7.org/linux/man-pages/man7/capabilities.7.html Please make sure to remove "CAP_" prefix which the kernel attaches to the names of permissions. |
There was a problem hiding this comment.
Use
List of Linux kernel capabilities that are dropped from every container. Valid values are listed at https://man7.org/linux/man-pages/man7/capabilities.7.html Ensure to remove the "CAP_" prefix which the kernel attaches to the names of permissions.
There was a problem hiding this comment.
oh, sorry. Applied your suggestion! Thank you!
charts/trino/values.yaml
Outdated
| @@ -218,6 +218,13 @@ securityContext: | |||
| runAsUser: 1000 | |||
| runAsGroup: 1000 | |||
|
|
|||
| # -- SecurityContext configuration for containers | |||
| containerSecurityContext: | |||
| allowPrivilegeEscalation: false # Controls whether a process can gain more privileges than its parent process. | |||
There was a problem hiding this comment.
| allowPrivilegeEscalation: false # Controls whether a process can gain more privileges than its parent process. | |
| allowPrivilegeEscalation: false # Control whether a process can gain more privileges than its parent process. |
charts/trino/README.md
Outdated
| @@ -49,6 +49,8 @@ The following table lists the configurable parameters of the Trino chart and the | |||
| | `sidecarContainers` | | `{}` | | |||
| | `securityContext.runAsUser` | | `1000` | | |||
| | `securityContext.runAsGroup` | | `1000` | | |||
| | `containerSecurityContext.allowPrivilegeEscalation` | Controls whether a process can gain more privileges than its parent process. | `false` | | |||
LittleWat
force-pushed
the
support-containerSecurityContext-specification
branch
2 times, most recently
from
e4b9174
to
337b01c
Compare
|
How about keeping all of the security context open to values.yaml EDIT: Ignore you did exactly that |
|
@bond- Thank you for your comment! yes, that's exactly what I did in the first place. But I set the default following the comment in this review by amending the commit 🙇 |
|
@LittleWat please rebase, and I'll review this once the new tests in the CI pass. |
LittleWat
force-pushed
the
support-containerSecurityContext-specification
branch
from
337b01c
to
c51a86d
Compare
|
@nineinchnick thanks! rebased! |
LittleWat
force-pushed
the
support-containerSecurityContext-specification
branch
from
5ca416c
to
0fb7daa
Compare
This PR attempts to close trinodb#116 Following [the valeriano-manassero's implementation](https://github.com/valeriano-manassero/helm-charts/blob/6382a14272927a908bc006d0f1370ba9dffc821f/valeriano-manassero/trino/values.yaml#L467-L471) let me support `pod.spec.containers.securityContext` specification
LittleWat
force-pushed
the
support-containerSecurityContext-specification
branch
from
0fb7daa
to
60045ad
Compare
|
@nineinchnick thank you for your quick review! yes, that would be better! Fixed! |
This PR attempts to close #116