diff --git a/addons/kafka/templates/cmpd-broker-27.yaml b/addons/kafka/templates/cmpd-broker-27.yaml index cfec574c6..46889fc86 100644 --- a/addons/kafka/templates/cmpd-broker-27.yaml +++ b/addons/kafka/templates/cmpd-broker-27.yaml @@ -117,16 +117,18 @@ spec: namespace: {{ .Release.Namespace }} defaultMode: 0755 runtime: + {{- if .Values.securityContext }} securityContext: - fsGroup: 1001 + {{- toYaml .Values.securityContext | nindent 6 }} + {{- end }} containers: - name: kafka image: {{ .Values.images.registry | default "docker.io" }}/{{ .Values.images.kafka.repository }}:{{ default .Values.images.kafka2.tag }} imagePullPolicy: {{ default "IfNotPresent" .Values.images.pullPolicy }} + {{- if .Values.container.securityContext }} securityContext: - allowPrivilegeEscalation: false - runAsNonRoot: true - runAsUser: 1001 + {{- toYaml .Values.container.securityContext | nindent 10 }} + {{- end }} command: - /scripts/kafka-server-setup.sh env: @@ -228,9 +230,10 @@ spec: - name: jmx-exporter image: {{ .Values.images.registry | default "docker.io" }}/{{ .Values.images.jmxExporter.repository }}:{{ .Values.images.jmxExporter.tag }} imagePullPolicy: {{ default "IfNotPresent" .Values.images.pullPolicy }} + {{- if .Values.exporter.securityContext }} securityContext: - runAsNonRoot: true - runAsUser: 1001 + {{- toYaml .Values.exporter.securityContext | nindent 10 }} + {{- end }} command: - java args: diff --git a/addons/kafka/templates/cmpd-broker.yaml b/addons/kafka/templates/cmpd-broker.yaml index 3a0a13888..5f97184d1 100644 --- a/addons/kafka/templates/cmpd-broker.yaml +++ b/addons/kafka/templates/cmpd-broker.yaml 
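Review bot: The new `{{- if .Values.container.securityContext }}` guard on the kafka container (and `{{- if .Values.securityContext }}` on the pod) fails open: an override of either key to `{}` or `null` drops `runAsNonRoot`, `allowPrivilegeEscalation: false` and `runAsUser: 1001` altogether, so the container falls back to whatever the image and runtime default to, whereas the removed hardcoded block could not be switched off from values. If the goal is to let operators tune rather than remove the context, keep the old values as the fallback, e.g. `securityContext:` followed by `{{- .Values.container.securityContext | default (dict "allowPrivilegeEscalation" false "runAsNonRoot" true "runAsUser" 1001) | toYaml | nindent 10 }}`, since sprig's `default` treats an empty map as unset. Separately, `.Values.container.securityContext` will most likely abort rendering with a nil-pointer error if an override sets `container: null`, which the `if` does not protect against; `{{- with .Values.container }}{{- with .securityContext }}` sidesteps that. The kafka container definition runs past the end of this hunk.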
@@ -113,16 +113,18 @@ spec: namespace: {{ .Release.Namespace }} defaultMode: 0755 runtime: + {{- if .Values.securityContext }} securityContext: - fsGroup: 1001 + {{- toYaml .Values.securityContext | nindent 6 }} + {{- end }} containers: - name: kafka image: {{ .Values.images.registry | default "docker.io" }}/{{ .Values.images.kafka.repository }}:{{ default .Chart.AppVersion .Values.images.kafka.tag }} imagePullPolicy: {{ default "IfNotPresent" .Values.images.pullPolicy }} + {{- if .Values.container.securityContext }} securityContext: - allowPrivilegeEscalation: false - runAsNonRoot: true - runAsUser: 1001 + {{- toYaml .Values.container.securityContext | nindent 10 }} + {{- end }} command: - /scripts/kafka-server-setup.sh env: @@ -228,9 +230,10 @@ spec: - name: jmx-exporter image: {{ .Values.images.registry | default "docker.io" }}/{{ .Values.images.jmxExporter.repository }}:{{ .Values.images.jmxExporter.tag }} imagePullPolicy: {{ default "IfNotPresent" .Values.images.pullPolicy }} + {{- if .Values.exporter.securityContext }} securityContext: - runAsNonRoot: true - runAsUser: 1001 + {{- toYaml .Values.exporter.securityContext | nindent 10 }} + {{- end }} command: - java args: diff --git a/addons/kafka/templates/cmpd-combine.yaml b/addons/kafka/templates/cmpd-combine.yaml index c3ba5c2b0..a1b1fe668 100644 --- a/addons/kafka/templates/cmpd-combine.yaml +++ b/addons/kafka/templates/cmpd-combine.yaml 
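Review bot: The same three guarded `securityContext` blocks are now copy-pasted into cmpd-broker-27.yaml, cmpd-broker.yaml, cmpd-combine.yaml, cmpd-controller.yaml and cmpd-exporter.yaml, and the exporter copy already differs (`nindent 8` there versus `nindent 10` here), which may be intentional for that file's layout but is exactly the kind of drift that goes unnoticed in security-relevant boilerplate. Move the pod- and container-level blocks into `_helpers.tpl` (e.g. `{{- define "kafka.podSecurityContext" -}}` and `{{- define "kafka.containerSecurityContext" -}}`) and render them with `{{- include "kafka.containerSecurityContext" . | nindent 10 }}`, so the guard and any fallback are fixed in one place. The surrounding container definition starts before and continues after this hunk.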
@@ -104,16 +104,18 @@ spec: namespace: {{ .Release.Namespace }} defaultMode: 0755 runtime: + {{- if .Values.securityContext }} securityContext: - fsGroup: 1001 + {{- toYaml .Values.securityContext | nindent 6 }} + {{- end }} containers: - name: kafka image: {{ .Values.images.registry | default "docker.io" }}/{{ .Values.images.kafka.repository }}:{{ default .Chart.AppVersion .Values.images.kafka.tag }} imagePullPolicy: {{ default "IfNotPresent" .Values.images.pullPolicy }} + {{- if .Values.container.securityContext }} securityContext: - allowPrivilegeEscalation: false - runAsNonRoot: true - runAsUser: 1001 + {{- toYaml .Values.container.securityContext | nindent 10 }} + {{- end }} command: - /scripts/kafka-server-setup.sh env: @@ -219,9 +221,10 @@ spec: - name: jmx-exporter image: {{ .Values.images.registry | default "docker.io" }}/{{ .Values.images.jmxExporter.repository }}:{{ .Values.images.jmxExporter.tag }} imagePullPolicy: {{ default "IfNotPresent" .Values.images.pullPolicy }} + {{- if .Values.exporter.securityContext }} securityContext: - runAsNonRoot: true - runAsUser: 1001 + {{- toYaml .Values.exporter.securityContext | nindent 10 }} + {{- end }} command: - java args: diff --git a/addons/kafka/templates/cmpd-controller.yaml b/addons/kafka/templates/cmpd-controller.yaml index d22db1308..a39bf1745 100644 --- a/addons/kafka/templates/cmpd-controller.yaml +++ b/addons/kafka/templates/cmpd-controller.yaml 
@@ -61,16 +61,18 @@ spec: namespace: {{ .Release.Namespace }} defaultMode: 0755 runtime: + {{- if .Values.securityContext }} securityContext: - fsGroup: 1001 + {{- toYaml .Values.securityContext | nindent 6 }} + {{- end }} containers: - name: kafka image: {{ .Values.images.registry | default "docker.io" }}/{{ .Values.images.kafka.repository }}:{{ default .Chart.AppVersion .Values.images.kafka.tag }} imagePullPolicy: {{ default "IfNotPresent" .Values.images.pullPolicy }} + {{- if .Values.container.securityContext }} securityContext: - allowPrivilegeEscalation: false - runAsNonRoot: true - runAsUser: 1001 + {{- toYaml .Values.container.securityContext | nindent 10 }} + {{- end }} command: - /scripts/kafka-server-setup.sh env: @@ -155,9 +157,10 @@ spec: - name: jmx-exporter image: {{ .Values.images.registry | default "docker.io" }}/{{ .Values.images.jmxExporter.repository }}:{{ .Values.images.jmxExporter.tag }} imagePullPolicy: {{ default "IfNotPresent" .Values.images.pullPolicy }} + {{- if .Values.exporter.securityContext }} securityContext: - runAsNonRoot: true - runAsUser: 1001 + {{- toYaml .Values.exporter.securityContext | nindent 10 }} + {{- end }} command: - java args: diff --git a/addons/kafka/templates/cmpd-exporter.yaml b/addons/kafka/templates/cmpd-exporter.yaml index 32a5adead..c049d5e61 100644 --- a/addons/kafka/templates/cmpd-exporter.yaml +++ b/addons/kafka/templates/cmpd-exporter.yaml 
@@ -43,15 +43,18 @@ spec: namespace: {{ .Release.Namespace }} defaultMode: 0755 runtime: + {{- if .Values.securityContext }} securityContext: - fsGroup: 1001 + {{- toYaml .Values.securityContext | nindent 6 }} + {{- end }} containers: - name: kafka-exporter image: {{ .Values.images.registry | default "docker.io" }}/{{ .Values.images.kafkaExporter.repository }}:{{ .Values.images.kafkaExporter.tag }} imagePullPolicy: {{ default "IfNotPresent" .Values.images.pullPolicy }} + {{- if .Values.exporter.securityContext }} securityContext: - runAsNonRoot: true - runAsUser: 1001 + {{- toYaml .Values.exporter.securityContext | nindent 8 }} + {{- end }} env: - name: SERVICE_PORT value: "9308" diff --git a/addons/kafka/values.yaml b/addons/kafka/values.yaml index 83a7a9ab7..461b32260 100644 --- a/addons/kafka/values.yaml +++ b/addons/kafka/values.yaml @@ -64,3 +64,20 @@ storageClassParameters: metadata: awsEBSVolumeType: io2 awsEBSEnableBlockExpress: false + +## pod security context settings +securityContext: + fsGroup: 1001 + +## container security context settings +container: + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 1001 + +## exporter security context settings +exporter: + securityContext: + runAsNonRoot: true + runAsUser: 1001 \ No newline at end of file
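Review bot: The kafka-exporter container renders `.Values.exporter.securityContext` with `nindent 8`, while every sibling template in this change renders the container-level context with `nindent 10`; if `- name: kafka-exporter` sits at the same column as `- name: kafka` in the other templates, the block lands two columns short and either attaches to the wrong mapping or fails to parse. I cannot confirm the column from the collapsed hunk, so please check `helm template` output for this component; if the file is laid out like the others the line should read `{{- toYaml .Values.exporter.securityContext | nindent 10 }}`. Note also that this container shares the `exporter.securityContext` key with the jmx-exporter sidecars in the broker and controller templates, so tuning one tunes all of them; if that is intended it deserves a comment in values.yaml. The container definition continues past the end of the hunk.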
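Review bot: The new `exporter.securityContext` default omits `allowPrivilegeEscalation: false`, which the `container.securityContext` default directly above it does set, and neither default drops capabilities or pins a seccomp profile, so pods rendered from these values will not satisfy the Pod Security Standards `restricted` profile; now that the context is values-driven this is the place to harden it by adding `allowPrivilegeEscalation: false`, `capabilities: { drop: [ALL] }` and `seccompProfile: { type: RuntimeDefault }` to both container defaults. Because the templates wrap these keys in `{{- if }}`, also document that an empty override removes the hardening, e.g. `## Setting this to {} removes the securityContext entirely; override individual fields instead.` above each key. The pod-level `fsGroup: 1001` and the container-level `runAsUser: 1001` now live under separate keys and presumably must agree for volume ownership; a comment saying so next to `fsGroup` would prevent one being changed without the other. The file also ends without a trailing newline (`\ No newline at end of file`).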