feat: custom security context for kafka addon (#1337)

Co-authored-by: lancelot1989 <[email protected]>
apecloud · Jan 22, 2025 · ec44453 · ec44453
1 parent 19d658a
commit ec44453
Show file tree

Hide file tree

Showing 6 changed files with 59 additions and 27 deletions.
diff --git a/addons/kafka/templates/cmpd-broker-27.yaml b/addons/kafka/templates/cmpd-broker-27.yaml
@@ -117,16 +117,18 @@ spec:
       namespace: {{ .Release.Namespace }}
       defaultMode: 0755
   runtime:
+    {{- if .Values.securityContext }}
     securityContext:
-      fsGroup: 1001
+      {{- toYaml .Values.securityContext | nindent 6 }}
+    {{- end }}
     containers:
       - name: kafka
         image: {{ .Values.images.registry | default "docker.io" }}/{{ .Values.images.kafka.repository }}:{{ default .Values.images.kafka2.tag }}
         imagePullPolicy: {{ default "IfNotPresent" .Values.images.pullPolicy }}
+        {{- if .Values.container.securityContext }}
         securityContext:
-          allowPrivilegeEscalation: false
-          runAsNonRoot: true
-          runAsUser: 1001
+          {{- toYaml .Values.container.securityContext | nindent 10 }}
+        {{- end }}
         command:
           - /scripts/kafka-server-setup.sh
         env:
@@ -228,9 +230,10 @@ spec:
       - name: jmx-exporter
         image: {{ .Values.images.registry | default "docker.io" }}/{{ .Values.images.jmxExporter.repository }}:{{ .Values.images.jmxExporter.tag }}
         imagePullPolicy: {{ default "IfNotPresent" .Values.images.pullPolicy }}
+        {{- if .Values.exporter.securityContext }}
         securityContext:
-          runAsNonRoot: true
-          runAsUser: 1001
+          {{- toYaml .Values.exporter.securityContext | nindent 10 }}
+        {{- end }}
         command:
           - java
         args:

diff --git a/addons/kafka/templates/cmpd-broker.yaml b/addons/kafka/templates/cmpd-broker.yaml
@@ -113,16 +113,18 @@ spec:
       namespace: {{ .Release.Namespace }}
       defaultMode: 0755
   runtime:
+    {{- if .Values.securityContext }}
     securityContext:
-      fsGroup: 1001
+      {{- toYaml .Values.securityContext | nindent 6 }}
+    {{- end }}
     containers:
       - name: kafka
         image: {{ .Values.images.registry | default "docker.io" }}/{{ .Values.images.kafka.repository }}:{{ default .Chart.AppVersion .Values.images.kafka.tag }}
         imagePullPolicy: {{ default "IfNotPresent" .Values.images.pullPolicy }}
+        {{- if .Values.container.securityContext }}
         securityContext:
-          allowPrivilegeEscalation: false
-          runAsNonRoot: true
-          runAsUser: 1001
+          {{- toYaml .Values.container.securityContext | nindent 10 }}
+        {{- end }}
         command:
           - /scripts/kafka-server-setup.sh
         env:
@@ -228,9 +230,10 @@ spec:
       - name: jmx-exporter
         image: {{ .Values.images.registry | default "docker.io" }}/{{ .Values.images.jmxExporter.repository }}:{{ .Values.images.jmxExporter.tag }}
         imagePullPolicy: {{ default "IfNotPresent" .Values.images.pullPolicy }}
+        {{- if .Values.exporter.securityContext }}
         securityContext:
-          runAsNonRoot: true
-          runAsUser: 1001
+          {{- toYaml .Values.exporter.securityContext | nindent 10 }}
+        {{- end }}
         command:
           - java
         args:

diff --git a/addons/kafka/templates/cmpd-combine.yaml b/addons/kafka/templates/cmpd-combine.yaml
@@ -104,16 +104,18 @@ spec:
       namespace: {{ .Release.Namespace }}
       defaultMode: 0755
   runtime:
+    {{- if .Values.securityContext }}
     securityContext:
-      fsGroup: 1001
+      {{- toYaml .Values.securityContext | nindent 6 }}
+    {{- end }}
     containers:
       - name: kafka
         image: {{ .Values.images.registry | default "docker.io" }}/{{ .Values.images.kafka.repository }}:{{ default .Chart.AppVersion .Values.images.kafka.tag }}
         imagePullPolicy: {{ default "IfNotPresent" .Values.images.pullPolicy }}
+        {{- if .Values.container.securityContext }}
         securityContext:
-          allowPrivilegeEscalation: false
-          runAsNonRoot: true
-          runAsUser: 1001
+          {{- toYaml .Values.container.securityContext | nindent 10 }}
+        {{- end }}
         command:
           - /scripts/kafka-server-setup.sh
         env:
@@ -219,9 +221,10 @@ spec:
       - name: jmx-exporter
         image: {{ .Values.images.registry | default "docker.io" }}/{{ .Values.images.jmxExporter.repository }}:{{ .Values.images.jmxExporter.tag }}
         imagePullPolicy: {{ default "IfNotPresent" .Values.images.pullPolicy }}
+        {{- if .Values.exporter.securityContext }}
         securityContext:
-          runAsNonRoot: true
-          runAsUser: 1001
+          {{- toYaml .Values.exporter.securityContext | nindent 10 }}
+        {{- end }}
         command:
           - java
         args:

diff --git a/addons/kafka/templates/cmpd-controller.yaml b/addons/kafka/templates/cmpd-controller.yaml
@@ -61,16 +61,18 @@ spec:
       namespace: {{ .Release.Namespace }}
       defaultMode: 0755
   runtime:
+    {{- if .Values.securityContext }}
     securityContext:
-      fsGroup: 1001
+      {{- toYaml .Values.securityContext | nindent 6 }}
+    {{- end }}
     containers:
       - name: kafka
         image: {{ .Values.images.registry | default "docker.io" }}/{{ .Values.images.kafka.repository }}:{{ default .Chart.AppVersion .Values.images.kafka.tag }}
         imagePullPolicy: {{ default "IfNotPresent" .Values.images.pullPolicy }}
+        {{- if .Values.container.securityContext }}
         securityContext:
-          allowPrivilegeEscalation: false
-          runAsNonRoot: true
-          runAsUser: 1001
+          {{- toYaml .Values.container.securityContext | nindent 10 }}
+        {{- end }}
         command:
           - /scripts/kafka-server-setup.sh
         env:
@@ -155,9 +157,10 @@ spec:
       - name: jmx-exporter
         image: {{ .Values.images.registry | default "docker.io" }}/{{ .Values.images.jmxExporter.repository }}:{{ .Values.images.jmxExporter.tag }}
         imagePullPolicy: {{ default "IfNotPresent" .Values.images.pullPolicy }}
+        {{- if .Values.exporter.securityContext }}
         securityContext:
-          runAsNonRoot: true
-          runAsUser: 1001
+          {{- toYaml .Values.exporter.securityContext | nindent 10 }}
+        {{- end }}
         command:
           - java
         args:

diff --git a/addons/kafka/templates/cmpd-exporter.yaml b/addons/kafka/templates/cmpd-exporter.yaml
@@ -43,15 +43,18 @@ spec:
     namespace: {{ .Release.Namespace }}
     defaultMode: 0755
   runtime:
+    {{- if .Values.securityContext }}
     securityContext:
-      fsGroup: 1001
+      {{- toYaml .Values.securityContext | nindent 6 }}
+    {{- end }}
     containers:
     - name: kafka-exporter
       image: {{ .Values.images.registry | default "docker.io" }}/{{ .Values.images.kafkaExporter.repository }}:{{ .Values.images.kafkaExporter.tag }}
       imagePullPolicy: {{ default "IfNotPresent" .Values.images.pullPolicy }}
+      {{- if .Values.exporter.securityContext }}
       securityContext:
-        runAsNonRoot: true
-        runAsUser: 1001
+        {{- toYaml .Values.exporter.securityContext | nindent 8 }}
+      {{- end }}
       env:
         - name: SERVICE_PORT
           value: "9308"

diff --git a/addons/kafka/values.yaml b/addons/kafka/values.yaml
@@ -64,3 +64,20 @@ storageClassParameters:
   metadata:
     awsEBSVolumeType: io2
     awsEBSEnableBlockExpress: false
+
+## pod security context settings
+securityContext:
+  fsGroup: 1001
+
+## container security context settings
+container:
+  securityContext:
+    allowPrivilegeEscalation: false
+    runAsNonRoot: true
+    runAsUser: 1001
+
+## exporter security context settings
+exporter:
+  securityContext:
+    runAsNonRoot: true
+    runAsUser: 1001