Merge pull request #2113 from bosch-io/bugfix/pod-deletion-job-ctx-cfg-fix

alstanchev · web-flow · commit 84a70615cdad · 2025-02-06T17:02:15.000+02:00
privilage escalation and nonRootUser config for pod deletetion job
diff --git a/deployment/helm/ditto/Chart.yaml b/deployment/helm/ditto/Chart.yaml
@@ -16,7 +16,7 @@ description: |
   A digital twin is a virtual, cloud based, representation of his real world counterpart
   (real world “Things”, e.g. devices like sensors, smart heating, connected cars, smart grids, EV charging stations etc).
 type: application
-version: 3.6.10  # chart version is effectively set by release-job
+version: 3.6.11  # chart version is effectively set by release-job
 appVersion: 3.6.10
 keywords:
   - iot-chart
diff --git a/deployment/helm/ditto/templates/hooks/pod-deletion-cost-cron-job.yaml b/deployment/helm/ditto/templates/hooks/pod-deletion-cost-cron-job.yaml
@@ -48,6 +48,8 @@ spec:
               securityContext:
                 runAsUser: {{ .Values.global.podDeletionCostPatching.user }}
                 runAsGroup: {{  .Values.global.podDeletionCostPatching.group }}
+                allowPrivilegeEscalation: {{ .Values.global.podDeletionCostPatching.allowPrivilegeEscalation }}
+                runAsNonRoot: {{ .Values.global.podDeletionCostPatching.runAsNonRoot }}
               image: {{ printf "%s:%s" .Values.global.podDeletionCostPatching.image.repository ( default .Values.global.podDeletionCostPatching.image.tag "latest" ) }}
               imagePullPolicy: {{ .Values.global.podDeletionCostPatching.image.pullPolicy }}
               command:
diff --git a/deployment/helm/ditto/values.yaml b/deployment/helm/ditto/values.yaml
@@ -197,6 +197,10 @@ global:
     user: 1000
     # group defines the group to run the pod-deletion-cost annotation patching job as
     group: 1000
+    # runAsNonRoot defines whether the pod-deletion-cost annotation patching job should run as non-root
+    runAsNonRoot: true
+    # allowPrivilegeEscalation defines whether the pod-deletion-cost annotation patching job should allow privilege escalation
+    allowPrivilegeEscalation: false
     # enabled whether the pod-deletion-cost annotation patching should be enabled
     enabled: true
     # annotations defines k8s annotations to add to corresponding jobs
