diff --git a/helm/mysql-operator/templates/deployment.yaml b/helm/mysql-operator/templates/deployment.yaml
index ed71f83e..3906be81 100644
--- a/helm/mysql-operator/templates/deployment.yaml
+++ b/helm/mysql-operator/templates/deployment.yaml
@@ -39,8 +39,10 @@ spec:
 labels:
 {{- include "mysql-operator.deployment.podLabels" . | nindent 8 }}
 spec:
+ {{- with .Values.podSecurityContext }}
 securityContext:
- runAsNonRoot: true
+{{- toYaml . | nindent 8 }}
+ {{- end }}
 {{- if .Values.image.pullSecrets.enabled }}
 imagePullSecrets:
 - name: {{ .Values.image.pullSecrets.secretName }}
@@ -120,15 +122,10 @@ spec:
 resources:
 {{- toYaml . | nindent 12 }}
 {{- end }}
+ {{- with .Values.containerSecurityContext }}
 securityContext:
- capabilities:
- drop:
- - ALL
- runAsUser: 2
- allowPrivilegeEscalation: false
- privileged: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
+{{- toYaml . | nindent 12 }}
+ {{- end }}
 volumes:
 - name: mysqlsh-home
 emptyDir: {}
diff --git a/helm/mysql-operator/values.yaml b/helm/mysql-operator/values.yaml
index 243b70ce..a54e9785 100644
--- a/helm/mysql-operator/values.yaml
+++ b/helm/mysql-operator/values.yaml
@@ -17,6 +17,27 @@ envs:
 replicas: 1
+# Pod-level security context for the mysql-operator Pod.
+# Required for Kubernetes restricted Pod Security Standard.
+podSecurityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+
+# Container-level security context for the mysql-operator container.
+# Required for Kubernetes restricted Pod Security Standard.
+containerSecurityContext:
+ capabilities:
+ drop:
+ - ALL
+ runAsUser: 2
+ allowPrivilegeEscalation: false
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+
 #deployment:
 #name: mysql-operator
 ## deployment.name is part of the operator's persistent identity.
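Review bot: Wrapping `securityContext:` in `{{- with .Values.podSecurityContext }}` means a values file that sets `podSecurityContext: {}` or `podSecurityContext: null` renders a Pod with no securityContext at all, so the `runAsNonRoot: true` that was previously hard-coded in the template becomes silently droppable; the same applies to the container-level block in the second deployment.yaml hunk, which used to pin `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and `drop: [ALL]`. The new values.yaml comments state these settings are "Required for Kubernetes restricted Pod Security Standard", but nothing in the template enforces that, and an empty override is indistinguishable in the rendered manifest from an upstream chart that never set them. Consider failing the render when the value is absent, e.g. `{{- with (required "podSecurityContext must be set" .Values.podSecurityContext) }}` (Helm's `required` rejects nil and empty strings; an explicit `{}` may still pass, so confirm the behaviour you want), or at least extend the values.yaml comment with `# Setting this to {} or null removes the securityContext from the rendered manifest entirely.` The enclosing Deployment `spec` starts and ends outside both hunks.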