CLOUDP-323936 - re-add securityContext settings to HelmCharts (#500)

MaciejKaras · viveksinghggits · web-flow · commit 57f6afc6947e · 2025-10-16T11:25:32.000+02:00
# Summary This PR re-introduces missing `securityContext` and `podSecurityContext` operator values that were previously available for MCO operator. Resolves #168 ## Proof of Work Passing new `operator_security_context_test` helmchart test. ## Checklist - [x] Have you linked a jira ticket and/or is the ticket in the title? - [x] Have you checked whether your jira ticket required DOCSP changes? - [x] https://jira.mongodb.org/browse/DOCSP-54487 - [x] Have you added changelog file? - use `skip-changelog` label if not needed - refer to [Changelog files and Release Notes](https://github.com/mongodb/mongodb-kubernetes/blob/master/CONTRIBUTING.md#changelog-files-and-release-notes) section in CONTRIBUTING.md for more details --------- Co-authored-by: Vivek Singh <vsingh.ggits.2010@gmail.com>
diff --git a/changelog/20251007_feature_reintroduce_securitycontext_operator_setting_in.md b/changelog/20251007_feature_reintroduce_securitycontext_operator_setting_in.md
@@ -0,0 +1,6 @@
+---
+kind: feature
+date: 2025-10-07
+---
+
+* **Helm Chart**: Introduced two new helm fields `operator.podSecurityContext` and `operator.securityContext` that can be used to configure `securityContext` for Operator deployment through Helm Chart. 
diff --git a/helm_chart/templates/operator.yaml b/helm_chart/templates/operator.yaml
@@ -32,11 +32,10 @@ spec:
 {{- end }}
     spec:
       serviceAccountName: {{ .Values.operator.name }}
-{{- if not .Values.managedSecurityContext }}
+      {{- if and (not .Values.managedSecurityContext) .Values.operator.podSecurityContext }}
       securityContext:
-        runAsNonRoot: true
-        runAsUser: 2000
-{{- end }}
+        {{- toYaml .Values.operator.podSecurityContext | nindent 8 }}
+      {{- end }}
 {{- if .Values.registry.imagePullSecrets}}
       imagePullSecrets:
         - name: {{ .Values.registry.imagePullSecrets }}
@@ -74,6 +73,10 @@ spec:
             requests:
               cpu: {{ .Values.operator.resources.requests.cpu }}
               memory: {{ .Values.operator.resources.requests.memory }}
+          {{- if and (not .Values.managedSecurityContext) .Values.operator.securityContext }}
+          securityContext:
+            {{- toYaml .Values.operator.securityContext | nindent 12 }}
+          {{- end }}
           env:
             - name: OPERATOR_ENV
               value: {{ .Values.operator.env }}
diff --git a/helm_chart/tests/operator_security_context_test.yaml b/helm_chart/tests/operator_security_context_test.yaml
@@ -0,0 +1,142 @@
+suite: test operator security context settings for values.yaml
+templates:
+  - operator.yaml
+tests:
+  - it: default values are properly set
+    asserts:
+      - exists:
+          path: spec.template.spec.securityContext
+      - equal:
+          path: spec.template.spec.securityContext.runAsNonRoot
+          value: true
+      - equal:
+          path: spec.template.spec.securityContext.runAsUser
+          # noinspection YAMLIncompatibleTypes
+          value: 2000
+      - notExists:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator")].securityContext
+  - it: drop podSecurityContext and securityContext completely
+    set:
+      operator.podSecurityContext:
+      operator.securityContext:
+    asserts:
+      - notExists:
+          path: spec.template.spec.securityContext
+      - notExists:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator")].securityContext
+  - it: drop podSecurityContext and securityContext completely when managedSecurityContext is true
+    set:
+      managedSecurityContext: true
+    asserts:
+      - notExists:
+          path: spec.template.spec.securityContext
+      - notExists:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator")].securityContext
+  - it: custom values are properly set
+    set:
+      operator.podSecurityContext.runAsNonRoot: false
+      operator.podSecurityContext.seccompProfile.type: RuntimeDefault
+      operator.securityContext.allowPrivilegeEscalation: false
+      operator.securityContext.capabilities.drop: [ALL]
+    asserts:
+      - exists:
+          path: spec.template.spec.securityContext
+      - equal:
+          path: spec.template.spec.securityContext.runAsNonRoot
+          value: false
+      - equal:
+          path: spec.template.spec.securityContext.seccompProfile.type
+          # noinspection YAMLIncompatibleTypes
+          value: RuntimeDefault
+      - equal:
+          path: spec.template.spec.securityContext.runAsUser
+          # noinspection YAMLIncompatibleTypes
+          value: 2000
+      - exists:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator")].securityContext
+      - equal:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator")].securityContext.allowPrivilegeEscalation
+          value: false
+      - equal:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator")].securityContext.capabilities.drop
+          value: [ALL]
+  - it: default values are properly set when managedSecurityContext is true for openShift
+    values:
+      - ../values-openshift.yaml
+    asserts:
+      - notExists:
+          path: spec.template.spec.securityContext
+      - notExists:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator")].securityContext
+      - exists:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator")].env[?(@.name=="MANAGED_SECURITY_CONTEXT")]
+      - equal:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator")].env[?(@.name=="MANAGED_SECURITY_CONTEXT")].value
+          # noinspection YAMLIncompatibleTypes
+          value: "true"
+  - it: default values are properly set for multi-cluster deployment
+    values:
+      - ../values-multi-cluster.yaml
+    asserts:
+      - exists:
+          path: spec.template.spec.securityContext
+      - equal:
+          path: spec.template.spec.securityContext.runAsNonRoot
+          value: true
+      - equal:
+          path: spec.template.spec.securityContext.runAsUser
+          # noinspection YAMLIncompatibleTypes
+          value: 2000
+      - notExists:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator-multi-cluster")].securityContext
+  - it: drop podSecurityContext and securityContext completely for multi-cluster deployment
+    values:
+      - ../values-multi-cluster.yaml
+    set:
+      operator.podSecurityContext:
+      operator.securityContext:
+    asserts:
+      - notExists:
+          path: spec.template.spec.securityContext
+      - notExists:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator-multi-cluster")].securityContext
+  - it: drop podSecurityContext and securityContext completely when managedSecurityContext is true for multi-cluster deployment
+    values:
+      - ../values-multi-cluster.yaml
+    set:
+      managedSecurityContext: true
+    asserts:
+      - notExists:
+          path: spec.template.spec.securityContext
+      - notExists:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator-multi-cluster")].securityContext
+  - it: custom values are properly set for multi-cluster deployment
+    values:
+      - ../values-multi-cluster.yaml
+    set:
+      operator.podSecurityContext.runAsNonRoot: false
+      operator.podSecurityContext.seccompProfile.type: RuntimeDefault
+      operator.securityContext.allowPrivilegeEscalation: false
+      operator.securityContext.capabilities.drop: [ ALL ]
+    asserts:
+      - exists:
+          path: spec.template.spec.securityContext
+      - equal:
+          path: spec.template.spec.securityContext.runAsNonRoot
+          value: false
+      - equal:
+          path: spec.template.spec.securityContext.seccompProfile.type
+          # noinspection YAMLIncompatibleTypes
+          value: RuntimeDefault
+      - equal:
+          path: spec.template.spec.securityContext.runAsUser
+          # noinspection YAMLIncompatibleTypes
+          value: 2000
+      - exists:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator-multi-cluster")].securityContext
+      - equal:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator-multi-cluster")].securityContext.allowPrivilegeEscalation
+          value: false
+      - equal:
+          path: spec.template.spec.containers[?(@.name=="mongodb-kubernetes-operator-multi-cluster")].securityContext.capabilities.drop
+          value: [ ALL ]
diff --git a/helm_chart/values.yaml b/helm_chart/values.yaml
@@ -47,6 +47,12 @@ operator:
       cpu: 1100m
       memory: 1Gi
 
+  podSecurityContext:
+    runAsNonRoot: true
+    runAsUser: 2000
+
+  securityContext: {}
+
   # Control how many reconciles can be performed in parallel.
   # It sets MaxConcurrentReconciles https://pkg.go.dev/github.com/kubernetes-sigs/controller-runtime/pkg/controller#Options).
   # Increasing the number of concurrent reconciles will decrease the time needed to reconcile all watched resources.
