Commit faac753

feat(helm): add pod-level securityContext support for certificate mounting (#19041)
**Add pod-level securityContext support to Coder Helm chart**

Adds `coder.podSecurityContext` field to enable pod-level security settings, primarily to solve TLS certificate mounting permission issues.

**Problem**: When mounting TLS certificates from Kubernetes secrets, the Coder process (UID 1000) cannot read the files due to restrictive permissions.

**Solution**: Setting `podSecurityContext.fsGroup: 1000` ensures Kubernetes sets group ownership of mounted volumes to GID 1000, allowing the Coder process to read certificate files.

**Changes**:
- Added `podSecurityContext` field to values.yaml with documentation
- Updated `_coder.yaml` template to include pod-level security context
- Added test case and golden files
- Maintains backward compatibility (opt-in feature)

**Usage**:
```yaml
coder:
  podSecurityContext:
    fsGroup: 1000  # Enables TLS cert access
```

Fixes #19038
1 parent 72b8ab5, commit faac753

File tree

6 files changed, +468 -0 lines changed


helm/coder/tests/chart_test.go

Lines changed: 4 additions & 0 deletions
@@ -125,6 +125,10 @@ var testCases = []testCase{
125125
name:"partial_resources",
126126
expectedError:"",
127127
},
128+
{
129+
name:"pod_securitycontext",
130+
expectedError:"",
131+
},
128132
}
129133

130134
typetestCasestruct {
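Review bot: the new `pod_securitycontext` case asserts only `expectedError: ""`, i.e. that the chart renders, so it passes regardless of whether the rendered pod-level `securityContext` is a valid PodSecurityContext. The golden output this case pairs with records `fsgroup: 1000` (lowercase), which is not a Kubernetes field name, and a render-plus-golden comparison cannot flag that because the golden simply freezes whatever the template emitted. Consider decoding the rendered Deployment in the test and asserting `spec.template.spec.securityContext.fsGroup == 1000`, or running the rendered manifests through schema validation, so a misspelled key fails the test instead of being enshrined in the golden.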
Lines changed: 208 additions & 0 deletions
@@ -0,0 +1,208 @@
1+
---
2+
# Source: coder/templates/coder.yaml
3+
apiVersion: v1
4+
kind: ServiceAccount
5+
metadata:
6+
annotations: {}
7+
labels:
8+
app.kubernetes.io/instance: release-name
9+
app.kubernetes.io/managed-by: Helm
10+
app.kubernetes.io/name: coder
11+
app.kubernetes.io/part-of: coder
12+
app.kubernetes.io/version: 0.1.0
13+
helm.sh/chart: coder-0.1.0
14+
name: coder
15+
namespace: default
16+
---
17+
# Source: coder/templates/rbac.yaml
18+
apiVersion: rbac.authorization.k8s.io/v1
19+
kind: Role
20+
metadata:
21+
name: coder-workspace-perms
22+
namespace: default
23+
rules:
24+
- apiGroups: [""]
25+
resources: ["pods"]
26+
verbs:
27+
- create
28+
- delete
29+
- deletecollection
30+
- get
31+
- list
32+
- patch
33+
- update
34+
- watch
35+
- apiGroups: [""]
36+
resources: ["persistentvolumeclaims"]
37+
verbs:
38+
- create
39+
- delete
40+
- deletecollection
41+
- get
42+
- list
43+
- patch
44+
- update
45+
- watch
46+
- apiGroups:
47+
- apps
48+
resources:
49+
- deployments
50+
verbs:
51+
- create
52+
- delete
53+
- deletecollection
54+
- get
55+
- list
56+
- patch
57+
- update
58+
- watch
59+
---
60+
# Source: coder/templates/rbac.yaml
61+
apiVersion: rbac.authorization.k8s.io/v1
62+
kind: RoleBinding
63+
metadata:
64+
name: "coder"
65+
namespace: default
66+
subjects:
67+
- kind: ServiceAccount
68+
name: "coder"
69+
roleRef:
70+
apiGroup: rbac.authorization.k8s.io
71+
kind: Role
72+
name: coder-workspace-perms
73+
---
74+
# Source: coder/templates/service.yaml
75+
apiVersion: v1
76+
kind: Service
77+
metadata:
78+
name: coder
79+
namespace: default
80+
labels:
81+
helm.sh/chart: coder-0.1.0
82+
app.kubernetes.io/name: coder
83+
app.kubernetes.io/instance: release-name
84+
app.kubernetes.io/part-of: coder
85+
app.kubernetes.io/version: "0.1.0"
86+
app.kubernetes.io/managed-by: Helm
87+
annotations:
88+
{}
89+
spec:
90+
type: LoadBalancer
91+
sessionAffinity: None
92+
ports:
93+
- name: "http"
94+
port: 80
95+
targetPort: "http"
96+
protocol: TCP
97+
nodePort:
98+
externalTrafficPolicy: "Cluster"
99+
selector:
100+
app.kubernetes.io/name: coder
101+
app.kubernetes.io/instance: release-name
102+
---
103+
# Source: coder/templates/coder.yaml
104+
apiVersion: apps/v1
105+
kind: Deployment
106+
metadata:
107+
annotations: {}
108+
labels:
109+
app.kubernetes.io/instance: release-name
110+
app.kubernetes.io/managed-by: Helm
111+
app.kubernetes.io/name: coder
112+
app.kubernetes.io/part-of: coder
113+
app.kubernetes.io/version: 0.1.0
114+
helm.sh/chart: coder-0.1.0
115+
name: coder
116+
namespace: default
117+
spec:
118+
replicas: 1
119+
selector:
120+
matchLabels:
121+
app.kubernetes.io/instance: release-name
122+
app.kubernetes.io/name: coder
123+
template:
124+
metadata:
125+
annotations: {}
126+
labels:
127+
app.kubernetes.io/instance: release-name
128+
app.kubernetes.io/managed-by: Helm
129+
app.kubernetes.io/name: coder
130+
app.kubernetes.io/part-of: coder
131+
app.kubernetes.io/version: 0.1.0
132+
helm.sh/chart: coder-0.1.0
133+
spec:
134+
affinity:
135+
podAntiAffinity:
136+
preferredDuringSchedulingIgnoredDuringExecution:
137+
- podAffinityTerm:
138+
labelSelector:
139+
matchExpressions:
140+
- key: app.kubernetes.io/instance
141+
operator: In
142+
values:
143+
- coder
144+
topologyKey: kubernetes.io/hostname
145+
weight: 1
146+
containers:
147+
- args:
148+
- server
149+
command:
150+
- /opt/coder
151+
env:
152+
- name: CODER_HTTP_ADDRESS
153+
value: 0.0.0.0:8080
154+
- name: CODER_PROMETHEUS_ADDRESS
155+
value: 0.0.0.0:2112
156+
- name: CODER_ACCESS_URL
157+
value: http://coder.default.svc.cluster.local
158+
- name: KUBE_POD_IP
159+
valueFrom:
160+
fieldRef:
161+
fieldPath: status.podIP
162+
- name: CODER_DERP_SERVER_RELAY_URL
163+
value: http://$(KUBE_POD_IP):8080
164+
image: ghcr.io/coder/coder:latest
165+
imagePullPolicy: IfNotPresent
166+
lifecycle: {}
167+
livenessProbe:
168+
httpGet:
169+
path: /healthz
170+
port: http
171+
scheme: HTTP
172+
initialDelaySeconds: 0
173+
name: coder
174+
ports:
175+
- containerPort: 8080
176+
name: http
177+
protocol: TCP
178+
readinessProbe:
179+
httpGet:
180+
path: /healthz
181+
port: http
182+
scheme: HTTP
183+
initialDelaySeconds: 0
184+
resources:
185+
limits:
186+
cpu: 2000m
187+
memory: 4096Mi
188+
requests:
189+
cpu: 2000m
190+
memory: 4096Mi
191+
securityContext:
192+
allowPrivilegeEscalation: false
193+
readOnlyRootFilesystem: null
194+
runAsGroup: 1000
195+
runAsNonRoot: true
196+
runAsUser: 1000
197+
seccompProfile:
198+
type: RuntimeDefault
199+
volumeMounts: []
200+
restartPolicy: Always
201+
securityContext:
202+
fsgroup: 1000
203+
runAsGroup: 1000
204+
runAsNonRoot: true
205+
runAsUser: 1000
206+
serviceAccountName: coder
207+
terminationGracePeriodSeconds: 60
208+
volumes: []
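Review bot: the pod-level `securityContext:` block at the end of this golden carries `fsgroup: 1000`, but the PodSecurityContext field is `fsGroup`; Helm's OpenAPI validation or the API server's field validation will reject or drop the unknown key, so the group-ownership fix the commit describes would not take effect on an install that renders like this, and the golden is recording the mistake rather than catching it. The fixture also renders `volumeMounts: []` and `volumes: []`, so it never exercises the certificate-mount scenario the change exists for; a fixture that mounts a secret, with a golden showing `fsGroup: 1000` next to that mount, would demonstrate the intended behaviour. Finally, `runAsGroup`, `runAsNonRoot` and `runAsUser` now appear both at pod level and on the container; that is harmless since container values take precedence, but only `fsGroup` has no container-level equivalent and genuinely needs the pod-level block.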
Lines changed: 8 additions & 0 deletions
@@ -0,0 +1,8 @@
1+
coder:
2+
image:
3+
tag:latest
4+
podSecurityContext:
5+
fsgroup:1000
6+
runAsUser:1000
7+
runAsGroup:1000
8+
runAsNonRoot:true
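Review bot: `fsgroup:1000` should be `fsGroup: 1000`; the Kubernetes field is camelCase and the commit message itself documents the option as `podSecurityContext.fsGroup`. Since the template appears to emit the `podSecurityContext` map verbatim (the golden output carries the same lowercase `fsgroup`), this fixture exercises a key Kubernetes will not honour, and the golden file must be regenerated once the key is fixed. The fixture also repeats `runAsUser`, `runAsGroup` and `runAsNonRoot`, which the container securityContext already sets; a minimal fixture with only `fsGroup` would isolate what the new option adds and keep the golden diff readable.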
