diff --git a/charts/sourcegraph-executor/k8s/README.md b/charts/sourcegraph-executor/k8s/README.md
index 839b2dd7..b91c5e71 100644
--- a/charts/sourcegraph-executor/k8s/README.md
+++ b/charts/sourcegraph-executor/k8s/README.md
@@ -89,6 +89,7 @@ In addition to the documented values, the `executor` and `private-docker-registr
 | executor.queueName | string | `""` | The name of the queue to pull jobs from to. Possible values: batches and codeintel. **Either this or queueNames is required.** |
 | executor.queueNames | list | `[]` | The names of multiple queues to pull jobs from to. Possible values: batches and codeintel. **Either this or queueName is required.** |
 | executor.replicas | int | `1` | |
+| executor.securityContext | object | `{"fsGroup":null,"privileged":false,"runAsGroup":null,"runAsUser":null}` | The containerSecurityContext for the executor image |
 | executor.storageSize | string | `"10Gi"` | The storage size of the PVC attached to the executor deployment. |
 | executor.tolerations | list | `[]` | Tolerations, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
 | sourcegraph.affinity | object | `{}` | Affinity, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) |
diff --git a/charts/sourcegraph-executor/k8s/templates/executor.Deployment.yaml b/charts/sourcegraph-executor/k8s/templates/executor.Deployment.yaml
index a755dd08..c4546d8a 100644
--- a/charts/sourcegraph-executor/k8s/templates/executor.Deployment.yaml
+++ b/charts/sourcegraph-executor/k8s/templates/executor.Deployment.yaml
@@ -44,12 +44,16 @@ spec: {{- include "executor.labels" . | nindent 8 }} spec: securityContext: - fsGroup: {{ .Values.executor.kubernetesJob.fsGroup }} + fsGroup: {{ .Values.executor.securityContext.fsGroup }} + runAsUser: {{ .Values.executor.securityContext.runAsUser }} + runAsGroup: {{ .Values.executor.securityContext.runAsGroup }} serviceAccountName: sg-executor containers: - name: executor image: {{ include "sourcegraph.image" (list . "executor") }} imagePullPolicy: {{ .Values.sourcegraph.image.pullPolicy }} + securityContext: + privileged: {{ .Values.executor.securityContext.privileged }} ports: - containerPort: 6060 name: debug diff --git a/charts/sourcegraph-executor/k8s/values.yaml b/charts/sourcegraph-executor/k8s/values.yaml index ac25eaa4..ea4e5ed5 100644 --- a/charts/sourcegraph-executor/k8s/values.yaml +++ b/charts/sourcegraph-executor/k8s/values.yaml @@ -90,6 +90,16 @@ executor: namespace: "default" # -- The path to the kubeconfig file. If not specified, the in-cluster config is used. kubeconfigPath: "" + # -- The containerSecurityContext for the executor image + securityContext: + # @default -- nil; accepts [0, 2147483647] + runAsUser: + # @default -- nil; accepts [0, 2147483647] + runAsGroup: + # @default -- nil; accepts [0, 2147483647] + fsGroup: + # @default -- false; accepts [true, false] + privileged: false kubernetesJob: # -- The number of seconds after which a Kubernetes job will be terminated.
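Review bot: The pod `fsGroup` now reads only `.Values.executor.securityContext.fsGroup`, which defaults to nil in values.yaml, so a release that set `executor.kubernetesJob.fsGroup` would render an empty `fsGroup:` after upgrade and silently lose group ownership on its mounted volume. A fallback keeps existing installs working: `fsGroup: {{ .Values.executor.securityContext.fsGroup | default .Values.executor.kubernetesJob.fsGroup }}`. In the container `securityContext`, `privileged: false` alone still leaves privilege escalation through setuid binaries possible; if the executor does not need it, add `allowPrivilegeEscalation: {{ .Values.executor.securityContext.privileged }}` so the two fields stay consistent (the API server rejects `privileged: true` together with `allowPrivilegeEscalation: false`). The Deployment spec starts and ends outside this hunk, so any other containers in the pod that would inherit `runAsUser`/`runAsGroup` are not visible here.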
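Review bot: The comment `# -- The containerSecurityContext for the executor image` in the values.yaml hunk does not match how the template in this commit uses the map: `runAsUser`, `runAsGroup` and `fsGroup` are rendered into the pod-level `securityContext`, and only `privileged` reaches the executor container. I would reword it to `# -- Security settings for the executor: runAsUser, runAsGroup and fsGroup apply to the whole pod, privileged to the executor container only` and extend the last field's comment to `# @default -- false; a privileged container has root-equivalent access to the node, leave false unless required`. The three bare keys read more clearly as explicit `runAsUser: null` and so on, which parses to the same value. The `executor:` mapping begins before this hunk and continues after it.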