Skip to content

feat(chart): expose podSecurityContext and securityContext values#1258

Merged
lukasmetzner merged 2 commits into
hetznercloud:mainfrom
vishwakt:feature/chart-security-context
Jul 6, 2026
Merged

feat(chart): expose podSecurityContext and securityContext values#1258
lukasmetzner merged 2 commits into
hetznercloud:mainfrom
vishwakt:feature/chart-security-context

Conversation

@vishwakt

@vishwakt vishwakt commented Jun 4, 2026

Copy link
Copy Markdown
Contributor

What

Closes #1253.

Adds podSecurityContext (pod-level) and securityContext (container-level) values to the Helm chart and wires them into both the Deployment and DaemonSet templates (chart/templates/deployment.yaml, chart/templates/daemonset.yaml).

Secure defaults are shipped, as proposed in the issue, so the controller no longer runs as root with a writable root filesystem out of the box:

podSecurityContext:
  runAsNonRoot: true
  runAsUser: 65532
  seccompProfile:
    type: RuntimeDefault
securityContext:            # container-level
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]

Why

This satisfies the Pod Security restricted profile and common lint gates (kube-linter run-as-non-root / no-read-only-root-fs), removing the need for repo-wide lint waivers or post-render kustomize patches on hardened clusters.

Notes

  • readOnlyRootFilesystem: true is safe: the runtime controller does not write to its root filesystem (the only filesystem writes in the repo are in tools/ and internal/testsupport/, neither of which is in the runtime path). No writable emptyDir is needed.
  • The image runs as root (no USER in the Dockerfile), so runAsNonRoot is correctly paired with an explicit runAsUser: 65532.
  • Both blocks are {{- with }}-guarded, so operators can relax or disable them by overriding the values (e.g. set to {}).
  • This changes behavior on upgrade for existing installs (they flip to non-root + read-only root fs). Flagging for release-note visibility.
  • Regenerated chart snapshots (chart/.snapshots/*.yaml) and deploy manifests (deploy/ccm.yaml, deploy/ccm-networks.yaml); helm lint passes.

🤖 Generated with Claude Code

@codecov

codecov Bot commented Jun 25, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 67.93%. Comparing base (6656e34) to head (9f37319).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1258      +/-   ##
==========================================
- Coverage   70.38%   67.93%   -2.45%     
==========================================
  Files          26       26              
  Lines        2776     2776              
==========================================
- Hits         1954     1886      -68     
- Misses        647      720      +73     
+ Partials      175      170       -5     
Flag Coverage Δ
e2e ?
unit 67.93% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

vishwakt and others added 2 commits July 6, 2026 09:02
Add `podSecurityContext` (pod-level) and `securityContext` (container-level)
values and wire them into both the Deployment and DaemonSet templates.

Secure defaults are provided so the controller no longer runs as root with a
writable root filesystem out of the box, satisfying the Pod Security
"restricted" profile and lint gates such as kube-linter's `run-as-non-root`
and `no-read-only-root-fs`:

- podSecurityContext: runAsNonRoot, runAsUser 65532, RuntimeDefault seccomp
- securityContext: readOnlyRootFilesystem, no privilege escalation, drop ALL

The runtime does not write to its root filesystem, so readOnlyRootFilesystem
is safe. Both blocks are `with`-guarded so operators can relax them by
overriding the values.

Closes hetznercloud#1253

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@lukasmetzner lukasmetzner force-pushed the feature/chart-security-context branch from 4986298 to 9f37319 Compare July 6, 2026 07:02
@lukasmetzner

Copy link
Copy Markdown
Contributor

Looking good. Thanks for the contribution 😊

@lukasmetzner lukasmetzner merged commit ebd8cd4 into hetznercloud:main Jul 6, 2026
4 of 9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Helm chart: expose securityContext/podSecurityContext values — Deployment runs as root with a writable root filesystem

2 participants