fix: allow pre-upgrade job pods to honor global security context (#670)

dpacheconr · web-flow · commit 0a36fa7eae3d · 2025-11-18T10:43:49.000-08:00
* fix: allow pre-upgrade job pods to honor global security context

The pre-upgrade hook jobs (job-createSecret and job-patchWebhook) had hardcoded
pod-level security context values that did not use global settings, while the
main deployment already supports global pod/container security context.

This fix updates the job templates to use the same security context helper
as the deployment, enabling them to:
1. Honor global.podSecurityContext when provided (e.g., from nri-bundle)
2. Maintain backward compatibility with fallback values (runAsUser: 2000, runAsGroup: 2000)

Changes:
- Updated job-createSecret.yaml to use nri-metadata-injection.securityContext.pod helper
- Updated job-patchWebhook.yaml to use nri-metadata-injection.securityContext.pod helper
- Updated _helpers.tpl fallback values to maintain original behavior (runAsUser: 2000, runAsGroup: 2000)

This enables consistent security posture across all nri-metadata-injection components
and allows proper integration with nri-bundle's global security configuration.

* docs: add changelog entry for global security context support
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## Unreleased
 
+### 🔒 Security
+- Allow pre-upgrade job pods to honor global security context settings @dpacheconr [#670](https://github.com/newrelic/k8s-metadata-injection/pull/670)
+
 ## v1.38.1 - 2025-10-20
 
 ### ⛓️ Dependencies
diff --git a/charts/nri-metadata-injection/templates/_helpers.tpl b/charts/nri-metadata-injection/templates/_helpers.tpl
@@ -6,8 +6,9 @@
 {{- include "newrelic.common.securityContext.pod" . -}}
 {{- else -}}
 fsGroup: 1001
-runAsUser: 1001
-runAsGroup: 1001
+runAsUser: 2000
+runAsGroup: 2000
+runAsNonRoot: true
 {{- end -}}
 {{- end -}}
 
diff --git a/charts/nri-metadata-injection/templates/admission-webhooks/job-patch/job-createSecret.yaml b/charts/nri-metadata-injection/templates/admission-webhooks/job-patch/job-createSecret.yaml
@@ -51,10 +51,10 @@ spec:
       {{- end }}
       restartPolicy: OnFailure
       serviceAccountName: {{ include "nri-metadata-injection.fullname.admission.serviceAccount" . }}
+      {{- with include "nri-metadata-injection.securityContext.pod" . }}
       securityContext:
-        runAsGroup: 2000
-        runAsNonRoot: true
-        runAsUser: 2000
+        {{- . | nindent 8 }}
+      {{- end }}
       nodeSelector:
         kubernetes.io/os: linux
         {{ include "newrelic.common.nodeSelector" . | nindent 8 }}
diff --git a/charts/nri-metadata-injection/templates/admission-webhooks/job-patch/job-patchWebhook.yaml b/charts/nri-metadata-injection/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
@@ -51,10 +51,10 @@ spec:
       {{- end }}
       restartPolicy: OnFailure
       serviceAccountName: {{ include "nri-metadata-injection.fullname.admission.serviceAccount" . }}
+      {{- with include "nri-metadata-injection.securityContext.pod" . }}
       securityContext:
-        runAsGroup: 2000
-        runAsNonRoot: true
-        runAsUser: 2000
+        {{- . | nindent 8 }}
+      {{- end }}
       nodeSelector:
         kubernetes.io/os: linux
         {{ include "newrelic.common.nodeSelector" . | nindent 8 }}
