fix(agents): add podSecurityContext and securityContext to all agent charts#1977
Open
QuentinBisson wants to merge 3 commits into
Conversation
…charts
All declarative agent charts render Agent CRs without security context fields
in spec.declarative.deployment. The kagent controller therefore creates
Deployments that fail admission on clusters enforcing Kubernetes restricted
Pod Security Standards (e.g. via Kyverno or OPA).
Add podSecurityContext and securityContext values to each chart (defaulting
to empty, so existing deployments are unaffected) and wire them through the
template using {{- with }} so they are only emitted when set.
Signed-off-by: QuentinBisson <quentin@giantswarm.io>
Pull request overview
Note: Copilot was unable to run its full agentic suite in this review.
Adds configurable pod/container security context options to multiple agent Helm charts so deployments can set Kubernetes security hardening settings via values.
Changes:
- Introduced `podSecurityContext` and `securityContext` in agent chart `values.yaml` files.
- Rendered those values into each agent manifest template under `spec`.
Reviewed changes
Copilot reviewed 20 out of 20 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| helm/agents/promql/values.yaml | Adds security context value keys for the promql agent chart. |
| helm/agents/promql/templates/agent.yaml | Renders new security context values into the promql agent manifest. |
| helm/agents/observability/values.yaml | Adds security context value keys for the observability agent chart. |
| helm/agents/observability/templates/agent.yaml | Renders new security context values into the observability agent manifest. |
| helm/agents/kgateway/values.yaml | Adds security context value keys for the kgateway agent chart. |
| helm/agents/kgateway/templates/agent.yaml | Renders new security context values into the kgateway agent manifest. |
| helm/agents/k8s/values.yaml | Adds security context value keys for the k8s agent chart. |
| helm/agents/k8s/templates/agent.yaml | Renders new security context values into the k8s agent manifest. |
| helm/agents/istio/values.yaml | Adds security context value keys for the istio agent chart. |
| helm/agents/istio/templates/agent.yaml | Renders new security context values into the istio agent manifest. |
| helm/agents/helm/values.yaml | Adds security context value keys for the helm agent chart. |
| helm/agents/helm/templates/agent.yaml | Renders new security context values into the helm agent manifest. |
| helm/agents/cilium-policy/values.yaml | Adds security context value keys for the cilium-policy agent chart. |
| helm/agents/cilium-policy/templates/agent.yaml | Renders new security context values into the cilium-policy agent manifest. |
| helm/agents/cilium-manager/values.yaml | Adds security context value keys for the cilium-manager agent chart. |
| helm/agents/cilium-manager/templates/agent.yaml | Renders new security context values into the cilium-manager agent manifest. |
| helm/agents/cilium-debug/values.yaml | Adds security context value keys for the cilium-debug agent chart. |
| helm/agents/cilium-debug/templates/agent.yaml | Renders new security context values into the cilium-debug agent manifest. |
| helm/agents/argo-rollouts/values.yaml | Adds security context value keys for the argo-rollouts agent chart. |
| helm/agents/argo-rollouts/templates/agent.yaml | Renders new security context values into the argo-rollouts agent manifest. |
Comment on lines +220 to +227
| {{- with .Values.podSecurityContext }} | ||
| podSecurityContext: | ||
| {{- toYaml . | nindent 8 }} | ||
| {{- end }} | ||
| {{- with .Values.securityContext }} | ||
| securityContext: | ||
| {{- toYaml . | nindent 8 }} | ||
| {{- end }} |
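Review bot: because both blocks are guarded by `{{- with }}` and the new values default to empty, a default install still renders no security context and is still rejected at admission on a restricted-PSS cluster; consider shipping the four restricted fields (`runAsNonRoot: true`, `seccompProfile.type: RuntimeDefault`, `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]`) as the chart defaults, or at least as a commented example in values.yaml, so the fix works without per-install overrides. `nindent 8` also hard-codes the depth of the `deployment:` block, so a `helm template` render checked against the restricted policy is worth adding to CI. The same eight lines are pasted into all ten agent templates; the follow-up commit that centralises them into a single include is the better shape for this change.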
…omql template Signed-off-by: QuentinBisson <quentin@giantswarm.io>
Reduces each agent.yaml from 14 lines of repeated deployment boilerplate to a single include, and centralises imagePullSecrets, podSecurityContext, securityContext, and resources rendering in one place per chart. Signed-off-by: QuentinBisson <quentin@giantswarm.io>
What
Adds `podSecurityContext` and `securityContext` values to all 10 declarative agent charts and wires them through to `spec.declarative.deployment` in the rendered Agent CR.
Why
All agent chart templates currently only render `imagePullSecrets` and `resources` in the `deployment` section. The kagent controller creates Deployments from those Agent CRs, and those Deployments lack the fields required by Kubernetes restricted Pod Security Standards:
- `capabilities.drop: [ALL]`
- `allowPrivilegeEscalation: false`
- `runAsNonRoot: true`
- `seccompProfile.type: RuntimeDefault`
On clusters enforcing restricted PSS via Kyverno or OPA, all declarative agent Deployments are blocked at admission.
The Agent CRD v1alpha2 already supports `spec.declarative.deployment.podSecurityContext` and `spec.declarative.deployment.securityContext`. The templates just weren't passing them through.
Changes
Each of the 10 agent charts (`argo-rollouts`, `cilium-debug`, `cilium-manager`, `cilium-policy`, `helm`, `istio`, `k8s`, `kgateway`, `observability`, `promql`) gets the same change:
`values.yaml` (new defaults, empty so existing deployments are unaffected):
`templates/agent.yaml` (render only when set):
Usage
Callers can now pass the required fields:
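An added check, not part of the PR or the kagent project: given the parsed YAML of a rendered Agent CR (what `yaml.safe_load` returns over `helm template` output), it reports which of the four restricted-PSS fields listed above are missing from `spec.declarative.deployment`, treating pod-level and container-level placement the way Kubernetes does. The before/after CRs are constructed dicts standing in for the rendered output, with `apiVersion` and `metadata` omitted.

```python
# Added example (not from the PR): verify that a rendered kagent Agent CR carries
# the restricted Pod Security Standard fields under spec.declarative.deployment.
# Input is the parsed manifest (yaml.safe_load over `helm template` output);
# the samples below are constructed dicts, not real chart output.

def _get(node, *path):
    """Walk nested dicts; return None as soon as a key is absent."""
    for key in path:
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node


def pss_restricted_violations(agent_cr):
    """Return a list of restricted-PSS violations for the Agent CR's deployment section.

    podSecurityContext holds pod-level settings, securityContext container-level ones;
    as in Kubernetes, a container-level value overrides the pod-level one where both apply.
    """
    deployment = _get(agent_cr, "spec", "declarative", "deployment") or {}
    pod_ctx = deployment.get("podSecurityContext") or {}   # empty default -> not rendered
    ctr_ctx = deployment.get("securityContext") or {}
    problems = []
    # Container-only requirements.
    if ctr_ctx.get("allowPrivilegeEscalation") is not False:
        problems.append("securityContext.allowPrivilegeEscalation must be false")
    if "ALL" not in (_get(ctr_ctx, "capabilities", "drop") or []):
        problems.append("securityContext.capabilities.drop must include ALL")
    # Requirements satisfiable at either level (container wins when both are set).
    if ctr_ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot")) is not True:
        problems.append("runAsNonRoot must be true at pod or container level")
    seccomp = _get(ctr_ctx, "seccompProfile", "type") or _get(pod_ctx, "seccompProfile", "type")
    if seccomp not in ("RuntimeDefault", "Localhost"):   # both are accepted by restricted PSS
        problems.append("seccompProfile.type must be RuntimeDefault (or Localhost)")
    return problems


# Constructed: what the charts rendered before this PR (only imagePullSecrets/resources).
BEFORE = {"kind": "Agent", "spec": {"declarative": {"deployment": {
    "imagePullSecrets": [], "resources": {"limits": {"memory": "256Mi"}}}}}}

# Constructed: the same CR once the new values are set and rendered by the {{- with }} blocks.
AFTER = {"kind": "Agent", "spec": {"declarative": {"deployment": {
    "imagePullSecrets": [], "resources": {"limits": {"memory": "256Mi"}},
    "podSecurityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "securityContext": {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}}}}

if __name__ == "__main__":
    for name, cr in (("before", BEFORE), ("after", AFTER)):
        print(name, pss_restricted_violations(cr) or "restricted PSS fields present")
```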