jedcunningham commented on code in PR #31865:
URL: https://github.com/apache/airflow/pull/31865#discussion_r1238489099


##########
chart/templates/_helpers.yaml:
##########
@@ -864,6 +864,31 @@ capabilities:
   {{- end -}}
 {{- end -}}
 
+  {{/*
+     Set the default value for external container securityContext(redis and 
statsd).
+     If no value is passed for <node>.securityContexts.container, defaults to 
deny privileges escallation and dropping all POSIX capabilities.
+
+     +-----------------------------------+      
+-----------------------------------------------------------+
+     | <node>.securityContexts.container |  ->  | allowPrivilegesEscalation: 
false, capabilities.drop: [ALL]|
+     +-----------------------------------+      
+-----------------------------------------------------------+
+
+
+    The template can be called like so:
+      include "externalContainerSecurityContext" .Values.statsd
+
+     Where `.` is the global variables scope and `.Values.webserver` the local 
variables scope for the webserver template.
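
Review bot: the field name in the header comment is wrong: it says `allowPrivilegesEscalation`, but the Kubernetes container securityContext field (and the key the test in this PR asserts on) is `allowPrivilegeEscalation`, and "escallation" on the previous line is also misspelled; since users copy these docstrings into their values files, please fix both. The usage example is also inconsistent with its explanation: it calls `include "externalContainerSecurityContext" .Values.statsd` but the following sentence describes `.Values.webserver` and "the webserver template", so pick one node for the example. Finally, the ASCII table has been broken across lines; a single sentence ("defaults to `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]`") would convey the same thing and survive reformatting.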

Review Comment:
   ```suggestion
   ```



##########
tests/charts/security/test_security_context.py:
##########
@@ -210,6 +210,45 @@ def test_gitsync_sidecar_and_init_container(self):
                 docs[index],
             )
 
+    # Test securityContexts for main containers
+    def test_global_security_context(self):
+        ctx_value_pod = {"runAsUser": 7000}
+        ctx_value_container = {"allowPrivilegeEscalation": False}
+        docs = render_chart(
+            values={"securityContexts": {"containers": ctx_value_container, 
"pod": ctx_value_pod}},
+            show_only=[
+                "templates/flower/flower-deployment.yaml",
+                "templates/scheduler/scheduler-deployment.yaml",
+                "templates/webserver/webserver-deployment.yaml",
+                "templates/workers/worker-deployment.yaml",
+                "templates/jobs/create-user-job.yaml",
+                "templates/jobs/migrate-database-job.yaml",
+                "templates/triggerer/triggerer-deployment.yaml",
+                "templates/statsd/statsd-deployment.yaml",
+                "templates/redis/redis-statefulset.yaml",
+            ],
+        )
+
+        for index in range(len(docs) - 2):
+            assert ctx_value_container == jmespath.search(
+                "spec.template.spec.containers[0].securityContext", docs[index]
+            )
+            assert ctx_value_pod == 
jmespath.search("spec.template.spec.securityContext", docs[index])
+        # Global security context is not propagated to redis and statsd, so we 
test default value
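
Review bot: `range(len(docs) - 2)` silently couples the assertions to statsd and redis being the last two entries of `show_only`; if that list is ever reordered the loop asserts the global context on redis/statsd (which the trailing comment says do not receive it) and skips two of the main containers. Prefer two explicit lists (main-container templates vs. redis/statsd), or select documents by name, and then actually assert the documented default (`allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]`) on the redis and statsd containers rather than ending the hunk on a comment with no assertion after it. The comment also needs the blank line and indentation from the suggestion so it reads as part of the method body.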

Review Comment:
   ```suggestion
   
           # Global security context is not propagated to redis and statsd, so we test default value
   ```



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.