From 97e1bb224b2653dc7fd85c05a9a476df8ea59101 Mon Sep 17 00:00:00 2001 From: "Federico A. Corazza" Date: Sat, 18 Apr 2026 23:36:20 +0200 Subject: [PATCH 1/2] feat(security): add security context support for containers and pod templates --- .../files/nats-box/deployment/container.yaml | 8 +++++++- .../nats-box/deployment/pod-template.yaml | 7 ++++++- .../files/stateful-set/nats-container.yaml | 5 +++++ .../nats/files/stateful-set/pod-template.yaml | 10 ++++++++-- .../stateful-set/prom-exporter-container.yaml | 5 +++++ .../files/stateful-set/reloader-container.yaml | 5 +++++ helm/charts/nats/values.yaml | 18 +++++++++++++++++- 7 files changed, 53 insertions(+), 5 deletions(-) diff --git a/helm/charts/nats/files/nats-box/deployment/container.yaml b/helm/charts/nats/files/nats-box/deployment/container.yaml index 331c7d6a..a88b862b 100644 --- a/helm/charts/nats/files/nats-box/deployment/container.yaml +++ b/helm/charts/nats/files/nats-box/deployment/container.yaml @@ -46,4 +46,10 @@ volumeMounts: {{- end }} resources: - {{- toYaml .Values.natsBox.container.resources | nindent 2 }} \ No newline at end of file + {{- toYaml .Values.natsBox.container.resources | nindent 2 }} + +# security context +{{- with .Values.natsBox.container.securityContext }} +securityContext: +{{- toYaml . | nindent 2 }} +{{- end }} diff --git a/helm/charts/nats/files/nats-box/deployment/pod-template.yaml b/helm/charts/nats/files/nats-box/deployment/pod-template.yaml index 71056bfb..4df91171 100644 --- a/helm/charts/nats/files/nats-box/deployment/pod-template.yaml +++ b/helm/charts/nats/files/nats-box/deployment/pod-template.yaml @@ -9,7 +9,7 @@ spec: # service discovery uses DNS; don't need service env vars enableServiceLinks: false - + {{- with .Values.global.image.pullSecretNames }} imagePullSecrets: {{- range . }} 
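Review bot: The `# security context` comment in the nats-box container.yaml hunk sits outside the `{{- with }}` block, so it is emitted into the rendered container spec even when `natsBox.container.securityContext` is empty and nothing follows it; the two pod-template hunks (nats-box and stateful-set, on the next line) have the same layout, while the nats-container, prom-exporter and reloader hunks add no comment at all. Moving the comment inside the `with`, or making it a template comment such as `{{- /* security context */ }}`, keeps rendered manifests free of dangling comments and lets all six templates follow one shape. The `with` wrapping itself is right: the `{}` default in values.yaml renders nothing, so existing deployments are unchanged by this series.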
@@ -42,3 +42,8 @@ spec: secret: secretName: {{ .secretName | quote }} {{- end }} + # security context + {{- with .Values.natsBox.podTemplate.securityContext }} + securityContext: + {{- toYaml . | nindent 4 }} + {{- end }} diff --git a/helm/charts/nats/files/stateful-set/nats-container.yaml b/helm/charts/nats/files/stateful-set/nats-container.yaml index 8f8646fc..d0885d0f 100644 --- a/helm/charts/nats/files/stateful-set/nats-container.yaml +++ b/helm/charts/nats/files/stateful-set/nats-container.yaml @@ -107,3 +107,8 @@ volumeMounts: resources: {{- toYaml .Values.container.resources | nindent 2 }} + +{{- with .Values.container.securityContext }} +securityContext: + {{- toYaml . | nindent 2 }} +{{- end }} diff --git a/helm/charts/nats/files/stateful-set/pod-template.yaml b/helm/charts/nats/files/stateful-set/pod-template.yaml index 9832ba34..8d88fbd9 100644 --- a/helm/charts/nats/files/stateful-set/pod-template.yaml +++ b/helm/charts/nats/files/stateful-set/pod-template.yaml @@ -28,7 +28,7 @@ spec: # service discovery uses DNS; don't need service env vars enableServiceLinks: false - + {{- with .Values.global.image.pullSecretNames }} imagePullSecrets: {{- range . }} @@ -69,7 +69,13 @@ spec: - {{ merge (dict "topologyKey" $k "labelSelector" (dict "matchLabels" (include "nats.selectorLabels" $ | fromYaml))) $v | toYaml | nindent 4 }} {{- end }} {{- end}} - + # terminationGracePeriodSeconds determines how long to wait for graceful shutdown # this should be at least `lameDuckGracePeriod` + 20s shutdown overhead terminationGracePeriodSeconds: 60 + + # security context + {{- with .Values.podTemplate.securityContext }} + securityContext: + {{- toYaml . | nindent 4 }} + {{- end }} diff --git a/helm/charts/nats/files/stateful-set/prom-exporter-container.yaml b/helm/charts/nats/files/stateful-set/prom-exporter-container.yaml index 75f8a77c..f3cdae0c 100644 --- a/helm/charts/nats/files/stateful-set/prom-exporter-container.yaml 
+++ b/helm/charts/nats/files/stateful-set/prom-exporter-container.yaml @@ -29,3 +29,8 @@ args: {{- end }} {{- $monitorProto := ternary "https" "http" .Values.config.monitor.tls.enabled }} - {{ $monitorProto }}://{{ .Values.promExporter.monitorDomain }}:{{ .Values.config.monitor.port }}/ + +{{- with .Values.promExporter.securityContext }} +securityContext: + {{- toYaml . | nindent 2 }} +{{- end }} diff --git a/helm/charts/nats/files/stateful-set/reloader-container.yaml b/helm/charts/nats/files/stateful-set/reloader-container.yaml index 96722045..f2bd8cc1 100644 --- a/helm/charts/nats/files/stateful-set/reloader-container.yaml +++ b/helm/charts/nats/files/stateful-set/reloader-container.yaml @@ -25,3 +25,8 @@ volumeMounts: {{- end }} {{- end }} {{- end }} + +{{- with .Values.reloader.securityContext }} +securityContext: + {{- toYaml . | nindent 2 }} +{{- end }} diff --git a/helm/charts/nats/values.yaml b/helm/charts/nats/values.yaml index df9cfdef..17a84152 100644 --- a/helm/charts/nats/values.yaml +++ b/helm/charts/nats/values.yaml @@ -365,6 +365,9 @@ container: # cpu: 100m # memory: 128Mi + # security context + securityContext: {} + ############################################################ # stateful set -> pod template -> reloader container ############################################################ @@ -386,6 +389,9 @@ reloader: natsVolumeMountPrefixes: - /etc/ + # security context + securityContext: {} + # merge or patch the container # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core merge: {} @@ -412,6 +418,9 @@ promExporter: # env var map, see nats.env for an example env: {} + # security context + securityContext: {} + # merge or patch the container # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core merge: {} 
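Review bot: Each new `securityContext: {}` in values.yaml (container, reloader and promExporter here, and three more on the following hunks) is documented only by `# security context`, which tells a chart user neither which API object it maps to nor what a hardened value looks like, and every one of them defaults to the permissive empty context. A pointer in the style the file already uses for `merge`, `# container security context, see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#securitycontext-v1-core`, plus a commented-out example with `runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `capabilities: {drop: [ALL]}` and `seccompProfile: {type: RuntimeDefault}`, would give operators a baseline to start from; whether the images tolerate a read-only root filesystem is not visible here, so I would leave that out of the example. Each new key also sits directly above the existing `merge`/`patch` keys, which presumably can set `securityContext` as well, so one sentence on which wins when both are set would avoid surprises.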
@@ -494,6 +503,9 @@ podTemplate: # topologySpreadConstraints: {} + # security context + securityContext: {} + # merge or patch the pod template # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#pod-v1-core merge: {} @@ -594,7 +606,8 @@ natsBox: registry: digest: fullImageName: - resources: {} + resources: {} + securityContext: {} # env var map, see nats.env for an example env: {} @@ -619,6 +632,9 @@ natsBox: # deployment -> pod template podTemplate: + # security context + securityContext: {} + # merge or patch the pod template # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#pod-v1-core merge: {} From 6e9882de9bcce9d78258d76e30978b4e36c7bbdc Mon Sep 17 00:00:00 2001 From: "Federico A. Corazza" <20555025+facorazza@users.noreply.github.com> Date: Sat, 18 Apr 2026 23:42:04 +0200 Subject: [PATCH 2/2] Update helm/charts/nats/files/nats-box/deployment/container.yaml Co-authored-by: synadia-claude-reviewer[bot] <265638981+synadia-claude-reviewer[bot]@users.noreply.github.com> --- helm/charts/nats/files/nats-box/deployment/container.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm/charts/nats/files/nats-box/deployment/container.yaml b/helm/charts/nats/files/nats-box/deployment/container.yaml index a88b862b..f81ad011 100644 --- a/helm/charts/nats/files/nats-box/deployment/container.yaml +++ b/helm/charts/nats/files/nats-box/deployment/container.yaml @@ -51,5 +51,5 @@ resources: # security context {{- with .Values.natsBox.container.securityContext }} securityContext: -{{- toYaml . | nindent 2 }} + {{- toYaml . | nindent 2 }} {{- end }}
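Review bot: The `podTemplate.securityContext` and `natsBox.podTemplate.securityContext` hunks carry the same `# security context` comment as the container-level keys, although they map to a different object (PodSecurityContext) whose overlapping fields are overridden per container by anything set in `container.securityContext`; stating that makes it clear where `fsGroup` belongs and where `runAsNonRoot` can be set once for the whole pod. I would write `# pod-level security context; fields also set on a container's securityContext take precedence for that container` and link `https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#podsecuritycontext-v1-core`, matching the API links the file already uses for `merge`. The `natsBox.container.securityContext` hunk (`@@ -594`) is the one of the six values additions with no comment at all, and it also rewrites the otherwise identical-looking `resources: {}` line, presumably trailing whitespace; mirroring the comment used at the other five sites keeps the key discoverable.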