From 3ffbdf93dad1baf8a3c9a58a92b8e44bb848cd1c Mon Sep 17 00:00:00 2001
From: Fares Oueslati
Date: Fri, 23 Apr 2021 04:47:57 +0200
Subject: [PATCH] [cp-schema-registry] add support for security context (#525)

---
 charts/cp-schema-registry/README.md | 10 ++++++++++
 charts/cp-schema-registry/templates/deployment.yaml | 4 ++++
 charts/cp-schema-registry/values.yaml | 8 ++++++++
 3 files changed, 22 insertions(+)

diff --git a/charts/cp-schema-registry/README.md b/charts/cp-schema-registry/README.md
index 41a5c490..7353bd37 100644
--- a/charts/cp-schema-registry/README.md
+++ b/charts/cp-schema-registry/README.md
@@ -139,6 +139,16 @@ The configuration parameters in this section control the resources requested and
 | --------- | ----------- | ------- |
 | `podAnnotations` | Map of custom annotations to attach to the pod spec. | `{}` |
 
+### Security Context
+
+| Parameter | Description | Default |
+| --------- | ----------- | ------- |
+| `securityContext.runAsUser` | All processes for the container will run with this user ID | 10001
+| `securityContext.runAsGroup` | All processes for the container will run with this primary group ID | 10001
+| `securityContext.fsGroup` | All processes for the container will run with this supplementary group ID | 10001
+| `securityContext.runAsNonRoot` | The kubelet will validate the image at runtime to make sure that it does not run as UID 0 (root) and won’t start the container if it does | true
+
+
 ### JMX Configuration
 
 | Parameter | Description | Default |
diff --git a/charts/cp-schema-registry/templates/deployment.yaml b/charts/cp-schema-registry/templates/deployment.yaml
index d8d74004..b94995f0 100644
--- a/charts/cp-schema-registry/templates/deployment.yaml
+++ b/charts/cp-schema-registry/templates/deployment.yaml
@@ -33,6 +33,10 @@ spec:
 {{- end }}
 {{- end }}
 spec:
+ securityContext:
+ {{- if .Values.securityContext }}
+{{ toYaml .Values.securityContext | indent 8 }}
+ {{- end}}
 containers:
 {{- if .Values.prometheus.jmx.enabled }}
 - name: prometheus-jmx-exporter
diff --git a/charts/cp-schema-registry/values.yaml b/charts/cp-schema-registry/values.yaml
index cdd93603..af303a60 100644
--- a/charts/cp-schema-registry/values.yaml
+++ b/charts/cp-schema-registry/values.yaml
@@ -69,6 +69,14 @@ tolerations: []
 ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
 affinity: {}
 
+## Privilege and access control settings for a Pod or Container
+## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+securityContext:
+ runAsUser: 10001
+ runAsGroup: 10001
+ fsGroup: 10001
+ runAsNonRoot: true
+
 ## Monitoring
 ## Schema Registry JMX Settings
 ## ref: https://docs.confluent.io/current/schema-registry/docs/monitoring.html
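Review bot: The `securityContext:` key is emitted unconditionally while its body sits inside `{{- if .Values.securityContext }}`, so an operator who disables the feature with `securityContext: {}` still gets an empty `securityContext:` (null) key in the rendered pod spec, and the `{{ toYaml ... | indent 8 }}` line has to live at column 0 to render correctly. The usual chart idiom keeps key and body in one `with` block and uses `nindent`, which also removes the `{{- end}}` spacing inconsistency with the surrounding `{{- end }}` lines. Note that this is the pod-level securityContext, so pod-wide fields such as `fsGroup` work here, but container-only hardening (allowPrivilegeEscalation, readOnlyRootFilesystem, dropped capabilities) cannot be expressed through it; a separate container-level securityContext value on the schema-registry container would close that gap, presumably in a follow-up. The enclosing pod template starts before the hunk.
```yaml
    spec:
      {{- with .Values.securityContext }}
      securityContext:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      # … unchanged: containers list …
```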
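Review bot: The new comment `## Privilege and access control settings for a Pod or Container` overstates what these values reach: deployment.yaml in this commit renders them only under the pod spec, so container-only fields an operator adds here would be dropped or rejected by the API server rather than applied. Suggest `## Pod-level security context, applied to every container in the pod (container-only fields such as allowPrivilegeEscalation are not valid here)`. The `runAsNonRoot: true` / `runAsUser: 10001` defaults are a sound hardening baseline, but they depend on the image tolerating a non-root UID without root-owned writable paths, which this hunk cannot show; a one-line comment naming the image tag the defaults were verified against, or stating that older images may need an override, would save operators a failed rollout.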