feat(chart): add security, scheduling, and network policy support#912
Open
bl4ko wants to merge 1 commit intomauriceboe:devfrom
Open
feat(chart): add security, scheduling, and network policy support#912bl4ko wants to merge 1 commit intomauriceboe:devfrom
bl4ko wants to merge 1 commit intomauriceboe:devfrom
Conversation
github-actions
Bot
added
the
wrong-base-branch
Contributor
Wrong target branchThis PR targets To fix this, click Edit next to the PR title and change the base branch to This PR will be automatically closed in 24 hours if the base branch has not been updated.
|
bl4ko
force-pushed
the
feat/chart-security-labels
branch
from
12f028d to
8bc2058
Compare
github-actions
Bot
removed
the
wrong-base-branch
Add configurable Kubernetes best-practice fields to the Helm chart: Security: - podSecurityContext (default: fsGroup: 1000) - securityContext for container (default: empty) - Standard app.kubernetes.io/* labels on all resources Scheduling: - priorityClassName - nodeSelector - tolerations - affinity Networking: - NetworkPolicy (disabled by default, allows port 3000 when enabled) All fields default to empty/disabled — no behavioral change for existing installations. Deployment selector.matchLabels unchanged to avoid breaking rolling updates.
bl4ko
force-pushed
the
feat/chart-security-labels
branch
from
8bc2058 to
09bb89d
Compare
bl4ko
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds configurable Kubernetes best-practice fields to the Helm chart:
Security:
podSecurityContext— pod-level security context (default:fsGroup: 1000)securityContext— container-level security context (default:{})app.kubernetes.io/*labels on all resources via_helpers.tplScheduling:
priorityClassNamenodeSelectortolerationsaffinityNetworking:
networkPolicy.enabled— optional NetworkPolicy (disabled by default, allows port 3000 when enabled)ingressandegressrulesMotivation
Clusters with policy engines (Kyverno, OPA/Gatekeeper) or PodSecurity Standards enforcement flag the chart for:
securityContextapp.kubernetes.io/namelabelpriorityClassNamesupportAdditionally,
nodeSelector,tolerations, andaffinityare standard Helm chart fields that users expect for scheduling control.Container image compatibility note
The default entrypoint runs
chownas root before dropping to usernode(UID 1000) viasu-exec. SettingrunAsNonRoot: truewill prevent the container from starting unless the entrypoint is changed.Compatible subset for policy compliance:
Test plan
helm lintpasseshelm templateoutput — only new labels added, no behavioral changenodeSelector,tolerations,affinityrender correctlypriorityClassNamerenders when set, omitted when emptyrunAsNonRootincompatibility