add:(admission-webhooks) ability to set securityContext for job-containers createSecret and patchWebhook (#9186)

Signed-off-by: ybelMekk <youssef.bel.mekki@nav.no> Signed-off-by: ybelMekk <youssef.bel.mekki@nav.no>
2022-10-25 23:14:36 +02:00 · 2022-10-25 23:14:36 +02:00 · ac1a3363bd
commit ac1a3363bd
parent a383cfc551
4 changed files with 12 additions and 4 deletions
--- a/charts/ingress-nginx/README.md
+++ b/charts/ingress-nginx/README.md
@ -242,6 +242,7 @@ Kubernetes: `>=1.20.0-0`
 | controller.admissionWebhooks.annotations | object | `{}` |  |
 | controller.admissionWebhooks.certificate | string | `"/usr/local/certificates/cert"` |  |
 | controller.admissionWebhooks.createSecretJob.resources | object | `{}` |  |
+| controller.admissionWebhooks.createSecretJob.securityContext.allowPrivilegeEscalation | bool | `false` |  |
 | controller.admissionWebhooks.enabled | bool | `true` |  |
 | controller.admissionWebhooks.existingPsp | string | `""` | Use an existing PSP instead of creating one |
 | controller.admissionWebhooks.extraEnvs | list | `[]` | Additional environment variables to set |
@ -266,6 +267,7 @@ Kubernetes: `>=1.20.0-0`
 | controller.admissionWebhooks.patch.securityContext.runAsUser | int | `2000` |  |
 | controller.admissionWebhooks.patch.tolerations | list | `[]` |  |
 | controller.admissionWebhooks.patchWebhookJob.resources | object | `{}` |  |
+| controller.admissionWebhooks.patchWebhookJob.securityContext.allowPrivilegeEscalation | bool | `false` |  |
 | controller.admissionWebhooks.port | int | `8443` |  |
 | controller.admissionWebhooks.service.annotations | object | `{}` |  |
 | controller.admissionWebhooks.service.externalIPs | list | `[]` |  |
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
@ -59,8 +59,9 @@ spec:
          {{- if .Values.controller.admissionWebhooks.extraEnvs }}
            {{- toYaml .Values.controller.admissionWebhooks.extraEnvs | nindent 12 }}
          {{- end }}
-          securityContext:
-            allowPrivilegeEscalation: false
+          {{- if .Values.controller.admissionWebhooks.createSecretJob.securityContext }}
+          securityContext: {{ toYaml .Values.controller.admissionWebhooks.createSecretJob.securityContext | nindent 12 }}
+          {{- end }}
          {{- if .Values.controller.admissionWebhooks.createSecretJob.resources }}
          resources: {{ toYaml .Values.controller.admissionWebhooks.createSecretJob.resources | nindent 12 }}
          {{- end }}
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
@ -61,8 +61,9 @@ spec:
          {{- if .Values.controller.admissionWebhooks.extraEnvs }}
            {{- toYaml .Values.controller.admissionWebhooks.extraEnvs | nindent 12 }}
          {{- end }}
-          securityContext:
-            allowPrivilegeEscalation: false
+          {{- if .Values.controller.admissionWebhooks.patchWebhookJob.securityContext }}
+          securityContext: {{ toYaml .Values.controller.admissionWebhooks.patchWebhookJob.securityContext | nindent 12 }}
+          {{- end }}
          {{- if .Values.controller.admissionWebhooks.patchWebhookJob.resources }}
          resources: {{ toYaml .Values.controller.admissionWebhooks.patchWebhookJob.resources | nindent 12 }}
          {{- end }}
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@ -627,6 +627,8 @@ controller:
      type: ClusterIP

    createSecretJob:
+      securityContext:
+        allowPrivilegeEscalation: false
      resources: {}
        # limits:
        #   cpu: 10m
@ -636,6 +638,8 @@ controller:
        #   memory: 20Mi

    patchWebhookJob:
+      securityContext:
+        allowPrivilegeEscalation: false
      resources: {}

    patch: