allow to override securityContext #162

@zarnovican

Description

Summary

Currently the securityContext is hardcoded in the chart.

Use cases

When deploying this chart to a namespace that has pod-security.kubernetes.io/enforce = restricted label, the chart will fail with errors like

  Warning  FailedCreate  2m14s                replicaset-controller  Error creating: pods "onepassword-scim-bridge-test-op-scim-bridge-bfd8b577f-p4ssv" is forbidden: violates PodSecurity "restricted:latest": unrestricted capabilities (container "onepassword-scim-bridge-test-op-scim-bridge" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "onepassword-scim-bridge-test-op-scim-bridge" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "onepassword-scim-bridge-test-op-scim-bridge" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

To make it work, we would need to add more securityContext options to deployment (both at pod and container level).

Proposed solution

Introduce new helm chart options that default to the currently-hardcoded values. Let deployers override/add more options as necessary.

Alternatively, add the necessary security options to your chart as defaults.

Here is the set of options that would need to be added:

```yaml
  template:
    spec:
      securityContext:
        fsGroup: 999
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: 1password-scim-bridge
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 999
```

(some might not be necessary)

Is there a workaround to accomplish this today?

  • fork the repo
  • maintain your own helm chart
  • deploy it to a more permissive namespace
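Added example (not code from the issue or the chart): a small checker that re-implements the PodSecurity "restricted" checks named in the error above and runs them over two constructed pod templates, so a proposed securityContext set can be validated before it is templated into the chart. `CURRENT_SPEC` is an assumed stand-in for the chart's hardcoded template, not its actual contents.

```python
# Added example, not part of the issue or the chart. Mirrors the restricted-profile
# checks quoted in the admission error: capabilities.drop=["ALL"],
# allowPrivilegeEscalation=false, runAsNonRoot=true, seccompProfile RuntimeDefault/Localhost.

def restricted_violations(pod_spec: dict) -> list[str]:
    """Return the restricted-profile violations for a pod spec (empty list = admitted)."""
    pod_sc = pod_spec.get("securityContext") or {}
    violations = []
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    for c in containers:
        name, sc = c.get("name", "?"), c.get("securityContext") or {}
        # container-level values override pod-level ones for these two fields
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            violations.append(f'container "{name}" must set securityContext.capabilities.drop=["ALL"]')
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f'container "{name}" must set securityContext.allowPrivilegeEscalation=false')
        if run_as_non_root is not True:
            violations.append(f'pod or container "{name}" must set securityContext.runAsNonRoot=true')
        if seccomp not in ("RuntimeDefault", "Localhost"):
            violations.append(f'pod or container "{name}" must set securityContext.seccompProfile.type '
                              'to "RuntimeDefault" or "Localhost"')
    return violations


# Constructed stand-in for the chart's current hardcoded template (assumption): only
# allowPrivilegeEscalation is set, which reproduces the three errors quoted in the issue.
CURRENT_SPEC = {
    "containers": [{"name": "op-scim-bridge",
                    "securityContext": {"allowPrivilegeEscalation": False}}],
}

# The pod template proposed in the issue, as a dict.
PROPOSED_SPEC = {
    "securityContext": {"fsGroup": 999, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "1password-scim-bridge",
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
            "readOnlyRootFilesystem": True,
            "runAsNonRoot": True,
            "runAsUser": 999,
        },
    }],
}

if __name__ == "__main__":
    for label, spec in (("current", CURRENT_SPEC), ("proposed", PROPOSED_SPEC)):
        print(label, restricted_violations(spec) or "admitted")
```

readOnlyRootFilesystem, runAsUser and fsGroup are not required by the restricted profile, which is why the checker ignores them and why the issue's note that some options might not be necessary holds.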
