diff --git a/docs/pages/reference/helm-reference/teleport-cluster.mdx b/docs/pages/reference/helm-reference/teleport-cluster.mdx
index 781d1a110835d..1f6653f9e1142 100644
--- a/docs/pages/reference/helm-reference/teleport-cluster.mdx
+++ b/docs/pages/reference/helm-reference/teleport-cluster.mdx
@@ -1921,6 +1921,23 @@ See [the GitHub PR](https://github.com/gravitational/teleport/pull/36251) for te
 memory: 2Gi
 ```
 
+## `podSecurityContext`
+
+| Type | Default value |
+|----------|---------------|
+| `object` | `{}` |
+
+[Kubernetes reference](https://kubernetes.io/docs/concepts/security/pod-security-standards/)
+
+The `podSecurityContext` applies to the main Teleport pods.
+
+`values.yaml` example:
+
+ ```yaml
+ podSecurityContext:
+ fsGroup: 65532
+ ```
+
 ## `securityContext`
 
 | Type | Default value |
diff --git a/examples/chart/teleport-cluster/.lint/pod-security-context-empty.yaml b/examples/chart/teleport-cluster/.lint/pod-security-context-empty.yaml
new file mode 100644
index 0000000000000..14ff54654e53b
--- /dev/null
+++ b/examples/chart/teleport-cluster/.lint/pod-security-context-empty.yaml
@@ -0,0 +1 @@
+clusterName: helm-lint
diff --git a/examples/chart/teleport-cluster/.lint/pod-security-context.yaml b/examples/chart/teleport-cluster/.lint/pod-security-context.yaml
new file mode 100644
index 0000000000000..50710c44fa3ac
--- /dev/null
+++ b/examples/chart/teleport-cluster/.lint/pod-security-context.yaml
@@ -0,0 +1,7 @@
+clusterName: helm-lint
+podSecurityContext:
+ fsGroup: 99
+ fsGroupChangePolicy: OnRootMismatch
+ runAsGroup: 99
+ runAsNonRoot: true
+ runAsUser: 99
diff --git a/examples/chart/teleport-cluster/templates/auth/deployment.yaml b/examples/chart/teleport-cluster/templates/auth/deployment.yaml
index 699d1353ca847..e5d0d3c4d1df9 100644
--- a/examples/chart/teleport-cluster/templates/auth/deployment.yaml
+++ b/examples/chart/teleport-cluster/templates/auth/deployment.yaml
@@ -326,6 +326,9 @@ spec:
 {{- end }}
 {{- if $auth.priorityClassName }}
 priorityClassName: {{ $auth.priorityClassName }}
+{{- end }}
+{{- if $auth.podSecurityContext }}
+ securityContext: {{- toYaml $auth.podSecurityContext | nindent 8 }}
 {{- end }}
 serviceAccountName: {{ include "teleport-cluster.auth.serviceAccountName" . }}
 terminationGracePeriodSeconds: {{ $auth.terminationGracePeriodSeconds }}
diff --git a/examples/chart/teleport-cluster/templates/proxy/deployment.yaml b/examples/chart/teleport-cluster/templates/proxy/deployment.yaml
index 0011b4cc743ab..0c24f6a8c39c6 100644
--- a/examples/chart/teleport-cluster/templates/proxy/deployment.yaml
+++ b/examples/chart/teleport-cluster/templates/proxy/deployment.yaml
@@ -305,6 +305,9 @@ spec:
 {{- end }}
 {{- if $proxy.priorityClassName }}
 priorityClassName: {{ $proxy.priorityClassName }}
+{{- end }}
+{{- if $proxy.podSecurityContext }}
+ securityContext: {{- toYaml $proxy.podSecurityContext | nindent 8 }}
 {{- end }}
 serviceAccountName: {{ include "teleport-cluster.proxy.serviceAccountName" . }}
 terminationGracePeriodSeconds: {{ $proxy.terminationGracePeriodSeconds }}
diff --git a/examples/chart/teleport-cluster/tests/auth_deployment_test.yaml b/examples/chart/teleport-cluster/tests/auth_deployment_test.yaml
index d838ca97fbd2d..a5245620d2358 100644
--- a/examples/chart/teleport-cluster/tests/auth_deployment_test.yaml
+++ b/examples/chart/teleport-cluster/tests/auth_deployment_test.yaml
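Review bot: The new pod-level `securityContext` block carries no note that the container-level `securityContext` value this chart already renders (the existing "should set securityContext when set in values" test covers it) takes precedence for every field both levels define — `runAsUser`, `runAsGroup`, `runAsNonRoot`, `seccompProfile` — so an operator who sets `runAsNonRoot: true` only in `podSecurityContext` can still have it overridden by the container value without any warning. A one-line template comment above the guard would make that explicit: `{{- /* pod-level securityContext; the container securityContext overrides overlapping fields (runAsUser, runAsGroup, runAsNonRoot, seccompProfile) */ }}`. The same applies to the proxy/deployment.yaml hunk below. The enclosing pod spec mapping starts and ends outside the hunk.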
@@ -126,6 +126,35 @@ tests:
 - matchSnapshot:
 path: spec.template.spec
 
+ - it: should set podSecurityContext when set in values
+ template: auth/deployment.yaml
+ values:
+ - ../.lint/pod-security-context.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.securityContext.fsGroup
+ value: 99
+ - equal:
+ path: spec.template.spec.securityContext.fsGroupChangePolicy
+ value: OnRootMismatch
+ - equal:
+ path: spec.template.spec.securityContext.runAsGroup
+ value: 99
+ - equal:
+ path: spec.template.spec.securityContext.runAsNonRoot
+ value: true
+ - equal:
+ path: spec.template.spec.securityContext.runAsUser
+ value: 99
+
+ - it: should not set podSecurityContext when is empty object (default value)
+ template: auth/deployment.yaml
+ values:
+ - ../.lint/pod-security-context-empty.yaml
+ asserts:
+ - isNull:
+ path: spec.template.spec.securityContext
+
 - it: should set securityContext when set in values
 template: auth/deployment.yaml
 values:
diff --git a/examples/chart/teleport-cluster/tests/proxy_deployment_test.yaml b/examples/chart/teleport-cluster/tests/proxy_deployment_test.yaml
index 2d6dda92a5a0a..7e6b3ce265a2b 100644
--- a/examples/chart/teleport-cluster/tests/proxy_deployment_test.yaml
+++ b/examples/chart/teleport-cluster/tests/proxy_deployment_test.yaml
@@ -164,6 +164,35 @@ tests:
 - matchSnapshot:
 path: spec.template.spec
 
+ - it: should set podSecurityContext when set in values
+ template: proxy/deployment.yaml
+ values:
+ - ../.lint/pod-security-context.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.securityContext.fsGroup
+ value: 99
+ - equal:
+ path: spec.template.spec.securityContext.fsGroupChangePolicy
+ value: OnRootMismatch
+ - equal:
+ path: spec.template.spec.securityContext.runAsGroup
+ value: 99
+ - equal:
+ path: spec.template.spec.securityContext.runAsNonRoot
+ value: true
+ - equal:
+ path: spec.template.spec.securityContext.runAsUser
+ value: 99
+
+ - it: should not set podSecurityContext when is empty object (default value)
+ template: proxy/deployment.yaml
+ values:
+ - ../.lint/pod-security-context-empty.yaml
+ asserts:
+ - isNull:
+ path: spec.template.spec.securityContext
+
 - it: should set securityContext when set in values
 template: proxy/deployment.yaml
 values:
diff --git a/examples/chart/teleport-cluster/values.schema.json b/examples/chart/teleport-cluster/values.schema.json
index 675f9b5750636..657ae941d592b 100644
--- a/examples/chart/teleport-cluster/values.schema.json
+++ b/examples/chart/teleport-cluster/values.schema.json
@@ -943,6 +943,11 @@
 "type": "object",
 "default": {}
 },
+ "podSecurityContext": {
+ "$id": "#/properties/podSecurityContext",
+ "type": "object",
+ "default": {}
+ },
 "securityContext": {
 "$id": "#/properties/securityContext",
 "type": "object",
diff --git a/examples/chart/teleport-cluster/values.yaml b/examples/chart/teleport-cluster/values.yaml
index 5212a4b5e5e47..b31561a705e2d 100644
--- a/examples/chart/teleport-cluster/values.yaml
+++ b/examples/chart/teleport-cluster/values.yaml
@@ -701,6 +701,10 @@ resources: {}
 # limits:
 # memory: "2Gi"
 
+# Pod security context for any pods created by the chart
+podSecurityContext: {}
+ # fsGroup: 65532
+
 # Security context to add to the container
 securityContext: {}
 # runAsUser: 99
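Review bot: The new `podSecurityContext` schema entry accepts any object, so a misspelled key such as `runAsNonroot` passes schema validation and `helm lint`, and depending on the API server's field-validation mode it may be pruned silently rather than rejected — for a hardening control that means the operator believes a setting is enforced when it is not. That mirrors the existing `securityContext` entry, so leaving the object open is a defensible consistency choice, but a `"description"` naming the Kubernetes type and the pods it targets would at least tell readers what the value is checked against, e.g. `"description": "Pod-level securityContext (Kubernetes PodSecurityContext) applied to the auth and proxy Deployment pods."`.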
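Review bot: The new comment `# Pod security context for any pods created by the chart` overstates what this change wires up: only templates/auth/deployment.yaml and templates/proxy/deployment.yaml render `podSecurityContext`, so any other pod the chart creates (hook or job pods, if it has them) will not receive it, and a reader hardening the release against a Pod Security Standards profile will assume coverage that is not there. Either narrow the comment to match the docs wording, `# Pod-level security context for the auth and proxy Deployment pods`, or wire the value into the remaining pod templates and extend the tests. It would also help to show, next to `# fsGroup: 65532`, the fields a restricted-profile deployment typically needs here, e.g. `# runAsNonRoot: true` and `# seccompProfile: {type: RuntimeDefault}`, with a reminder that the container-level `securityContext` below wins for overlapping fields such as `runAsUser`.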