fix: add securityContext to kratos init containers (#622)

Author: scthi

README.md

@@ -22,12 +22,12 @@ You can test and develop charts locally using
 To test a chart locally without applying it to kubernetes, do:
 
 ```sh
-$ helm install --debug --dry-run .
+$ helm install --debug --dry-run <name> .
 ```
 
 ```sh
 $ name=<name>
-$ helm install --name $name .
+$ helm install $name .
 $ helm upgrade $name .
 ```
 
@@ -67,8 +67,8 @@ To run helm test, do:
 
 ```sh
 $ helm lint .
-$ helm install .
-$ helm test --cleanup <name>
+$ helm install <name> .
+$ helm test <name>
 ```
 
 ### Remove all releases

hacks/values/kratos.yaml

@@ -23,6 +23,13 @@ kratos:
       - "--yes"
       - "--config"
       - "/etc/config/kratos.yaml"
+    resources:
+      limits:
+        cpu: 100m
+        memory: 128Mi
+      requests:
+        cpu: 100m
+        memory: 128Mi
   identitySchemas:
     "identity.default.schema.json": |
       {
@@ -206,6 +213,12 @@ deployment:
       ory.sh/pod_label: kratos
     annotations:
       ory.sh/pod_annotation: kratos
+  initContainerSecurityContext:
+    capabilities:
+      drop:
+        - ALL
+    podSecurityContext:
+      runAsNonRoot: false
   extraEnv:
     - name: FOO
       value: BAR
@@ -275,6 +288,12 @@ watcher:
       ory.sh/pod_label: kratos_watcher
     annotations:
       ory.sh/pod_annotation: kratos_watcher
+  securityContext:
+    capabilities:
+      drop:
+        - ALL
+  podSecurityContext:
+    runAsNonRoot: false
 
 cleanup:
   enabled: true

helm/charts/kratos/templates/deployment-kratos.yaml

@@ -85,6 +85,14 @@ spec:
           {{- if $migrationExtraEnv }}
             {{- toYaml $migrationExtraEnv | nindent 12 }}
           {{- end }}
+          {{- with .Values.kratos.automigration.resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.deployment.initContainerSecurityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
       {{- end }}
       volumes:
         {{- if .Values.deployment.extraVolumes }}
@@ -212,7 +220,7 @@ spec:
             {{- toYaml .Values.deployment.readinessProbe | nindent 12 }}
           {{- end }}
           startupProbe:
-            {{- if .Values.deployment.customStartupProbe }} 
+            {{- if .Values.deployment.customStartupProbe }}
               {{- toYaml .Values.deployment.customStartupProbe | nindent 12 }}
             {{- else }}
             httpGet:
@@ -225,9 +233,9 @@ spec:
             {{- end }}
           resources:
             {{- toYaml .Values.deployment.resources | nindent 12 }}
-          {{- if .Values.securityContext }}
+          {{- with .Values.securityContext }}
           securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
+            {{- toYaml . | nindent 12 }}
           {{- end }}
         {{- if .Values.deployment.extraContainers }}
           {{- tpl .Values.deployment.extraContainers . | nindent 8 }}
@@ -248,6 +256,10 @@ spec:
       topologySpreadConstraints:
         {{- toYaml . | nindent 8 }}
     {{- end }}
+    {{- with .Values.deployment.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
     {{- with .Values.deployment.dnsConfig }}
       dnsConfig:
         {{- toYaml . | nindent 8 }}

helm/charts/kratos/templates/job-migration.yaml

@@ -21,7 +21,7 @@ metadata:
     {{- end }}
 spec:
   template:
-    metadata: 
+    metadata:
       annotations:
         {{- with .Values.job.annotations }}
           {{- toYaml . | nindent 8 }}
@@ -68,6 +68,10 @@ spec:
           {{- if $migrationExtraEnv }}
             {{- toYaml $migrationExtraEnv | nindent 10 }}
           {{- end }}
+        {{- with .Values.kratos.automigration.resources }}
+        resources:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
       {{- if .Values.job.lifecycle }}
         lifecycle:
           {{- tpl .Values.job.lifecycle . | nindent 10 }}
@@ -91,6 +95,10 @@ spec:
         {{- tpl .Values.job.extraInitContainers . | nindent 8 }}
       {{- end }}
       restartPolicy: Never
+      {{- with .Values.deployment.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       volumes:
         - name: {{ include "kratos.name" . }}-config-volume
           configMap:
@@ -108,4 +116,4 @@ spec:
       {{- end }}
       shareProcessNamespace: {{ .Values.job.shareProcessNamespace }}
   backoffLimit: {{ .Values.job.spec.backoffLimit }}
-{{- end }}
+{{- end }}

helm/charts/kratos/values.yaml

@@ -115,7 +115,7 @@ kratos:
     enabled: false
     # -- Configure the way to execute database migration. Possible values: job, initContainer
     # When set to job, the migration will be executed as a job on release or upgrade.
-    # When set to initContainer, the migration will be executed when kratos pod is created
+    # When set to initContainer, the migration will be executed when Kratos pod is created
     # Defaults to job
     type: job
     # -- Ability to override the entrypoint of the automigration container
@@ -126,6 +126,8 @@ kratos:
     # - sleep 5;
     #   - kratos
     customArgs: []
+    # -- resource requests and limits for the automigration initcontainer
+    resources: {}
 
   # -- You can add multiple identity schemas here. You can pass JSON schema using `--set-file` Helm CLI argument.
   identitySchemas: {}
@@ -141,7 +143,7 @@ kratos:
   #  "identity.phone.schema.json": |
   #    {{ .Values.phone_schema }}
 
-  # -- You can customize the emails kratos is sending (also uncomment config.courier.template_override_path below)
+  # -- You can customize the emails Kratos is sending (also uncomment config.courier.template_override_path below)
   emailTemplates: {}
   # emailTemplates:
   #   recovery:
@@ -187,6 +189,25 @@ kratos:
 
 # -- Configuration options for the k8s deployment
 deployment:
+  ## -- initContainer securityContext for Kratos & migration init
+  initContainerSecurityContext: {}
+
+  ## -- pod securityContext for Kratos & migration init
+  podSecurityContext: {}
+
+  ## -- container securityContext for Kratos & migration init
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - ALL
+    privileged: false
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    runAsUser: 100
+    seccompProfile:
+      type: RuntimeDefault
+
   lifecycle: {}
   # -- Configure the livenessProbe parameters
   livenessProbe:
@@ -499,6 +520,9 @@ job:
   # lines, adjust them as necessary, and remove the curly braces after 'nodeSelector:'.
   #   foo: bar
 
+  # -- resource requests and limits for the job
+  resources: {}
+
   # -- Configure node tolerations.
   tolerations: []
 
@@ -516,9 +540,9 @@ job:
   shareProcessNamespace: false
 
   # -- Specify the serviceAccountName value.
-  # In some situations it is needed to provides specific permissions to Hydra deployments
-  # Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio.
-  # Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment.
+  # In some situations it is needed to provide specific permissions to Kratos deployments
+  # Like for example installing Kratos on a cluster with a PosSecurityPolicy and Istio.
+  # Uncomment if it is needed to provide a ServiceAccount for the Kratos deployment.
   serviceAccount:
     # -- Specifies whether a service account should be created
     create: true
@@ -608,14 +632,14 @@ cronjob:
 
     # -- Configure the containers' SecurityContext for the cleanup cronjob
     securityContext:
+      allowPrivilegeEscalation: false
       capabilities:
         drop:
           - ALL
+      privileged: false
       readOnlyRootFilesystem: true
       runAsNonRoot: true
       runAsUser: 100
-      allowPrivilegeEscalation: false
-      privileged: false
       seccompProfile:
         type: RuntimeDefault
 
@@ -653,7 +677,7 @@ serviceMonitor:
   scrapeInterval: 60s
   # -- Timeout after which the scrape is ended
   scrapeTimeout: 30s
-  # -- Provide additionnal labels to the ServiceMonitor ressource metadata
+  # -- Provide additional labels to the ServiceMonitor ressource metadata
   labels: {}
   # -- TLS configuration to use when scraping the endpoint
   tlsConfig: {}