Allow setting securityContext of hub/proxy/autohttps containers

jupyterhub · Jul 9, 2020 · 543515a · 543515a
1 parent 8024257
commit 543515a
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 4 deletions.
diff --git a/jupyterhub/templates/hub/deployment.yaml b/jupyterhub/templates/hub/deployment.yaml
@@ -132,8 +132,16 @@ spec:
           {{- with .Values.hub.image.pullPolicy }}
           imagePullPolicy: {{ . }}
           {{- end }}
+          {{- /* Below is deprecation logic of .Values.hub.uid */}}
+          {{- if .Values.hub.containerSecurityContext }}
+          {{- $securityContext := dict }}
+          {{- if hasKey .Values.hub "uid" }}
+          {{- $_ := merge $securityContext (dict "runAsUser" .Values.hub.uid) }}
+          {{- end }}
+          {{- $_ := merge $securityContext .Values.hub.containerSecurityContext }}
           securityContext:
-            {{- .Values.hub.containerSecurityContext | toYaml | trimSuffix "\n" | nindent 12 }}
+            {{- $_ | toYaml | trimSuffix "\n" | nindent 12 }}
+          {{- end }}
           env:
             - name: PYTHONUNBUFFERED
               value: "1"

diff --git a/jupyterhub/templates/proxy/autohttps/deployment.yaml b/jupyterhub/templates/proxy/autohttps/deployment.yaml
@@ -84,6 +84,10 @@ spec:
           env:
             {{- . | toYaml | trimSuffix "\n" | nindent 12 }}
           {{- end }}
+          {{- with .Values.proxy.traefik.containerSecurityContext }}
+          securityContext:
+            {{- . | toYaml | trimSuffix "\n" | nindent 12 }}
+          {{- end }}
           readinessProbe:
             tcpSocket:
               port: http

diff --git a/jupyterhub/templates/proxy/deployment.yaml b/jupyterhub/templates/proxy/deployment.yaml
@@ -84,9 +84,10 @@ spec:
           {{- end }}
           resources:
             {{- .Values.proxy.chp.resources | toYaml | trimSuffix "\n" | nindent 12 }}
+          {{- with .Values.proxy.containerSecurityContext }}
           securityContext:
-            # Don't allow any process to execute as root inside the container
-            allowPrivilegeEscalation: false
+            {{- . | toYaml | trimSuffix "\n" | nindent 12 }}
+          {{- end }}
           env:
             - name: CONFIGPROXY_AUTH_TOKEN
               valueFrom:

diff --git a/jupyterhub/values.yaml b/jupyterhub/values.yaml
@@ -56,7 +56,6 @@ hub:
       memory: 512Mi
   containerSecurityContext:
     runAsUser: 1000
-    # Don't allow any process to execute as root inside the container
     allowPrivilegeEscalation: false
   services: {}
   imagePullSecret:
@@ -130,6 +129,8 @@ proxy:
     ##     Error: Deployment.apps "proxy" is invalid: spec.strategy.rollingUpdate: Forbidden: may not be specified when strategy `type` is 'Recreate'
     ##     Error: UPGRADE FAILED: Deployment.apps "proxy" is invalid: spec.strategy.rollingUpdate: Forbidden: may not be specified when strategy `type` is 'Recreate'
     rollingUpdate:
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
   service:
     type: LoadBalancer
     labels: {}
@@ -169,6 +170,8 @@ proxy:
     extraVolumeMounts: []
     extraStaticConfig: {}
     extraDynamicConfig: {}
+    containerSecurityContext:
+      allowPrivilegeEscalation: false
   secretSync:
     image:
       name: jupyterhub/k8s-secret-sync