feat: add security configuration options to helm chart

chart/helm3/sops-secrets-operator/README.md

@@ -156,11 +156,15 @@ The following table lists the configurable parameters of the Sops-secrets-operat
 | resources | object | `{}` | Operator container resources |
 | secretsAsEnvVars | list | `[]` | configure custom secrets to be used as environment variables at runtime, see values.yaml |
 | secretsAsFiles | list | `[]` | configure custom secrets to be mounted at runtime, see values.yaml |
+| securityContext.container | object | `{"capabilities":{"add":["NET_BIND_SERVICE"],"drop":["all"]}}` | container/initContainer |
+| securityContext.container.capabilities | object | `{"add":["NET_BIND_SERVICE"],"drop":["all"]}` | capabilities |
 | securityContext.enabled | bool | `false` | Enable securityContext |
 | securityContext.fsGroup | int | `13001` | fs group |
 | securityContext.runAsGroup | int | `13001` | GID to run as |
 | securityContext.runAsNonRoot | bool | `true` | Enable kubelet validation for using root user to run container |
 | securityContext.runAsUser | int | `13001` | UID to run as |
+| securityContext.seccompProfileName | string | `""` | if seccompProfile.type is set to Localhost, set localhostProfile to value of seccompProfileName (user must specify value) |
+| securityContext.seccompProfileType | string | `"RuntimeDefault"` | seccompProfile.type |
 | serviceAccount.annotations | object | `{}` | Annotations to be added to the service account |
 | tolerations | list | `[]` | Tolerations to be applied to operator pod |
 

chart/helm3/sops-secrets-operator/templates/operator.yaml

@@ -34,6 +34,12 @@ spec:
           image: "{{ .Values.initImage.repository }}:{{ .Values.initImage.tag }}"
           imagePullPolicy: {{ .Values.initImage.pullPolicy }}
           command: ['/bin/sh', '-c', 'cp -Lr /var/secrets/gpg-secrets/* /var/secrets/gpg/']
+          {{- if .Values.securityContext.enabled }}
+          securityContext:
+            capabilities:
+              drop: {{ .Values.securityContext.container.capabilities.drop }}
+              add: {{ .Values.securityContext.container.capabilities.add }}
+          {{- end }}
           volumeMounts:
           - mountPath: /var/secrets/gpg
             name: sops-gpg
@@ -46,6 +52,12 @@ spec:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if .Values.securityContext.enabled }}
+          securityContext:
+            capabilities:
+              drop: {{ .Values.securityContext.container.capabilities.drop }}
+              add: {{ .Values.securityContext.container.capabilities.add }}
+          {{- end }}
           {{- if or .Values.gcp.enabled .Values.gpg.enabled .Values.secretsAsFiles }}
           volumeMounts:
           {{- end }}
@@ -181,6 +193,11 @@ spec:
         runAsGroup: {{ .Values.securityContext.runAsGroup }}
         fsGroup: {{ .Values.securityContext.fsGroup }}
         runAsNonRoot: {{ .Values.securityContext.runAsNonRoot }}
+        seccompProfile:
+          type: {{ .Values.securityContext.seccompProfileType }}
+          {{- if  eq .Values.securityContext.seccompProfileType "Localhost" }}
+          localhostProfile: {{ .Values.securityContext.seccompProfileName }}
+          {{- end }}
       {{- end }}
       {{- with .Values.affinity }}
       affinity:

chart/helm3/sops-secrets-operator/values.yaml

@@ -158,6 +158,18 @@ securityContext:
   runAsNonRoot: true
   # -- fs group
   fsGroup: 13001
+  # -- seccompProfile.type
+  seccompProfileType: RuntimeDefault
+  # -- if seccompProfile.type is set to Localhost, set localhostProfile to value of seccompProfileName (user must specify value)
+  seccompProfileName: ""
+  # -- container/initContainer
+  container:
+    # -- capabilities
+    capabilities:
+      drop:
+        - all
+      add:
+        - NET_BIND_SERVICE
 
 # -- Tolerations to be applied to operator pod
 tolerations: []