Make Pod-level security context configurable in Helm chart
Proposed change
Security contexts can generally be set at the container level but not at the pod level. It would be nice to have this be configurable in the Helm chart
Alternative options
I've been using Helm post-renderers to work around this
Who would use this feature?
I'm trying to run Jupyter in a restricted namespace and some of the controls require securityContexts to explicitly set values at the pod level. I don't believe there is anything in zero-to-jupyterhub which actually needs to violate any of the restricted controls, so having these be configurable would allow Jupyter to run in restricted namespaces and provide more security guarantees
There are many pods associated with a few different kinds of workloads - for what workload are you looking to configure the Pods' securityContext?
Example workloads:
- hub
- proxy
- jupyter-username (user server pods)
hub, proxy and user-placeholder were the workloads which were being denied in restricted mode and didn't have their security contexts exposed, but the only additional config they needed was

```yaml
spec:
  template:
    spec:
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
```

which they still seem to work with. Overriding singleuser.profileList[*].pod_security_context was sufficient to get the named server pods working
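As an added example (not code from this thread or from zero-to-jupyterhub), the following Python script does what a Helm post-renderer would have to do for the workloads named above: it takes a rendered Pod or workload manifest, reports which containers would fail the two restricted Pod Security Standard checks discussed here (runAsNonRoot and seccompProfile), and merges the pod-level securityContext from the comment above into the manifest without clobbering fields the chart already set. The sample Deployment, its image name and the function names are constructed for illustration; the allowed seccomp values follow the upstream restricted profile (RuntimeDefault or Localhost), which also permits a container to inherit the pod-level value.

```python
"""Check rendered Kubernetes manifests for the pod-level securityContext
settings the restricted Pod Security Standard expects, and patch them in
when absent (the job a Helm post-renderer does for charts that do not
expose the pod-level context)."""
from copy import deepcopy

# Pod-level settings quoted in the thread: run as non-root and use the
# runtime's default seccomp profile.
RESTRICTED_POD_SECURITY_CONTEXT = {
    "runAsNonRoot": True,
    "seccompProfile": {"type": "RuntimeDefault"},
}

# Values the restricted profile accepts for seccompProfile.type
ALLOWED_SECCOMP_TYPES = ("RuntimeDefault", "Localhost")


def pod_spec_of(manifest):
    """Return the pod spec dict for a bare Pod or a templated workload
    (Deployment, StatefulSet, DaemonSet, Job); creates missing levels."""
    kind = manifest.get("kind")
    if kind == "Pod":
        return manifest.setdefault("spec", {})
    if kind in ("Deployment", "StatefulSet", "DaemonSet", "Job"):
        return (manifest.setdefault("spec", {})
                        .setdefault("template", {})
                        .setdefault("spec", {}))
    raise ValueError(f"unsupported kind: {kind!r}")


def _effective(pod_sc, container_sc, key):
    """A container inherits a pod-level securityContext field unless it
    sets the field itself (a container-level value wins, even if worse)."""
    if key in container_sc:
        return container_sc[key]
    return pod_sc.get(key)


def restricted_violations(manifest):
    """Return (container, field, reason) tuples for every container whose
    effective runAsNonRoot or seccompProfile would be rejected by the
    restricted Pod Security Standard."""
    pod_spec = pod_spec_of(deepcopy(manifest))
    pod_sc = pod_spec.get("securityContext") or {}
    problems = []
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    for container in containers:
        csc = container.get("securityContext") or {}
        if _effective(pod_sc, csc, "runAsNonRoot") is not True:
            problems.append((container["name"], "runAsNonRoot", "must be true"))
        profile = _effective(pod_sc, csc, "seccompProfile") or {}
        if profile.get("type") not in ALLOWED_SECCOMP_TYPES:
            problems.append((container["name"], "seccompProfile.type",
                             "must be RuntimeDefault or Localhost"))
    return problems


def add_pod_security_context(manifest, settings=RESTRICTED_POD_SECURITY_CONTEXT):
    """Return a copy of the manifest with `settings` merged into the
    pod-level securityContext; fields the chart already set are kept."""
    patched = deepcopy(manifest)
    sc = pod_spec_of(patched).setdefault("securityContext", {})
    for key, value in settings.items():
        sc.setdefault(key, deepcopy(value))
    return patched


# Constructed sample shaped like a chart's hub Deployment: the container
# has a partial securityContext but nothing is set at the pod level.
HUB_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "hub"},
    "spec": {"template": {"spec": {
        "containers": [{
            "name": "hub",
            "image": "hub:placeholder",  # constructed, not a real image
            "securityContext": {"allowPrivilegeEscalation": False},
        }],
    }}},
}

if __name__ == "__main__":
    for problem in restricted_violations(HUB_DEPLOYMENT):
        print("before:", problem)
    fixed = add_pod_security_context(HUB_DEPLOYMENT)
    print("after:", restricted_violations(fixed))  # prints "after: []"
```

Running it against the constructed Deployment lists two problems for the hub container and none after the pod-level context is merged in; a container that explicitly sets `seccompProfile: {type: Unconfined}` still shows up after the merge, which is the reason the check looks at the effective per-container value rather than only the pod-level dict.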
Hi, I have a similar issue. I want to set securityContext for singleuser instance pods (eg: seLinuxOptions) and currently there is no way to configure this in the helm chart. Would be helpful to have the securityContext configurable for all the pods created by the helm chart rather than adding it through new policies/exceptions in our cluster.
@radhupr Have you tried KubeSpawner.extra_pod_config?