From a204985b173219c472fc8a2ac1737e4c3832c068 Mon Sep 17 00:00:00 2001
From: Release Bot <107104610+sourcegraph-release-bot@users.noreply.github.com>
Date: Wed, 19 Feb 2025 12:39:58 -0800
Subject: [PATCH] [Backport 6.1.x] feat: add runAsUser and runAsGroup to
executor (#642)
The start of a resolution for
[REL-690](https://linear.app/sourcegraph/issue/REL-690/add-runasuser-runasgroup-fsgroup-to-executor-helm-chart).
Need to test this out to see how it works. There are sample overrides in
[this
thread](https://sourcegraph.slack.com/archives/C0418GDBT7S/p1738581012896529?thread_ts=1738580801.517539&cid=C0418GDBT7S)
### Checklist
- [x] Follow the [manual testing
process](https://github.com/sourcegraph/deploy-sourcegraph-helm/blob/main/TEST.md)
- [ ] Update
[changelog](https://github.com/sourcegraph/deploy-sourcegraph-helm/blob/main/charts/sourcegraph/CHANGELOG.md)
- [ ] Update [Kubernetes update
doc](https://docs.sourcegraph.com/admin/updates/kubernetes)
### Test plan
Run the example overrides from the thread and see if the executor runs
and doesn't fail. In particular we want a _named_ user that is not
privileged.
Backport 45e5817a62d3608468cdac511e6da9a613f21542 from #632
Co-authored-by: Anish Lakhwara
---
charts/sourcegraph-executor/k8s/README.md | 1 +
.../k8s/templates/executor.Deployment.yaml | 6 +++++-
charts/sourcegraph-executor/k8s/values.yaml | 10 ++++++++++
3 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/charts/sourcegraph-executor/k8s/README.md b/charts/sourcegraph-executor/k8s/README.md
index 839b2dd7..b91c5e71 100644
--- a/charts/sourcegraph-executor/k8s/README.md
+++ b/charts/sourcegraph-executor/k8s/README.md
@@ -89,6 +89,7 @@ In addition to the documented values, the `executor` and `private-docker-registr
| executor.queueName | string | `""` | The name of the queue to pull jobs from to. Possible values: batches and codeintel. **Either this or queueNames is required.** |
| executor.queueNames | list | `[]` | The names of multiple queues to pull jobs from to. Possible values: batches and codeintel. **Either this or queueName is required.** |
| executor.replicas | int | `1` | |
+| executor.securityContext | object | `{"fsGroup":null,"privileged":false,"runAsGroup":null,"runAsUser":null}` | The containerSecurityContext for the executor image |
| executor.storageSize | string | `"10Gi"` | The storage size of the PVC attached to the executor deployment. |
| executor.tolerations | list | `[]` | Tolerations, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
| sourcegraph.affinity | object | `{}` | Affinity, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) |
diff --git a/charts/sourcegraph-executor/k8s/templates/executor.Deployment.yaml b/charts/sourcegraph-executor/k8s/templates/executor.Deployment.yaml
index a755dd08..c4546d8a 100644
--- a/charts/sourcegraph-executor/k8s/templates/executor.Deployment.yaml
+++ b/charts/sourcegraph-executor/k8s/templates/executor.Deployment.yaml
@@ -44,12 +44,16 @@ spec:
{{- include "executor.labels" . | nindent 8 }}
spec:
securityContext:
- fsGroup: {{ .Values.executor.kubernetesJob.fsGroup }}
+ fsGroup: {{ .Values.executor.securityContext.fsGroup }}
+ runAsUser: {{ .Values.executor.securityContext.runAsUser }}
+ runAsGroup: {{ .Values.executor.securityContext.runAsGroup }}
serviceAccountName: sg-executor
containers:
- name: executor
image: {{ include "sourcegraph.image" (list . "executor") }}
imagePullPolicy: {{ .Values.sourcegraph.image.pullPolicy }}
+ securityContext:
+ privileged: {{ .Values.executor.securityContext.privileged }}
ports:
- containerPort: 6060
name: debug
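Review bot: Line 50 changes the source of `fsGroup` from `executor.kubernetesJob.fsGroup` to `executor.securityContext.fsGroup` with no fallback, so an existing override of the old key is silently ignored after upgrade and the volume group ownership of the executor's PVC changes; the changelog item in the checklist is unticked, and at minimum the rename needs a migration note there or in the README. Three of the four new values land on the pod-level `spec.securityContext` (lines 50-52) while only `privileged` reaches the container (lines 58-59), yet the values.yaml hunk documents the whole object as "The containerSecurityContext for the executor image"; `# -- Pod-level runAsUser/runAsGroup/fsGroup and container-level privileged for the executor pod` would describe what the template actually does. Because `privileged: true` undoes most of what a non-root `runAsUser` buys (the container keeps all capabilities and host device access), that comment should also say so, so an operator who sets a named unprivileged user is not misled by the combination. With the defaults left nil, the unconditional `{{ }}` on lines 50-52 appears to render empty values (Helm prints nil as an empty string), i.e. null fields the API server accepts, which matches the previous fsGroup handling; note that wrapping them in `with`/`if` to tidy the output would drop a legitimate `runAsUser: 0`, since Go templates treat 0 as false.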
diff --git a/charts/sourcegraph-executor/k8s/values.yaml b/charts/sourcegraph-executor/k8s/values.yaml
index ac25eaa4..ea4e5ed5 100644
--- a/charts/sourcegraph-executor/k8s/values.yaml
+++ b/charts/sourcegraph-executor/k8s/values.yaml
@@ -90,6 +90,16 @@ executor:
namespace: "default"
# -- The path to the kubeconfig file. If not specified, the in-cluster config is used.
kubeconfigPath: ""
+ # -- The containerSecurityContext for the executor image
+ securityContext:
+ # @default -- nil; accepts [0, 2147483647]
+ runAsUser:
+ # @default -- nil; accepts [0, 2147483647]
+ runAsGroup:
+ # @default -- nil; accepts [0, 2147483647]
+ fsGroup:
+ # @default -- false; accepts [true, false]
+ privileged: false
kubernetesJob:
# -- The number of seconds after which a Kubernetes job will be terminated.