Bump version to 1.44.2 and add new security context template for PSS restricted mode (#95)

juev · web-flow · commit ddef2e568f3b · 2025-03-06T13:37:10.000+04:00
Signed-off-by: Evsyukov Denis &lt;denis.evsyukov@flant.com&gt;
diff --git a/charts/helm_lib/Chart.yaml b/charts/helm_lib/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
 type: library
 name: deckhouse_lib_helm
-version: 1.44.1
+version: 1.44.2
 description: "Helm utils template definitions for Deckhouse modules."
diff --git a/charts/helm_lib/README.md b/charts/helm_lib/README.md
@@ -64,6 +64,7 @@
 | [helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_and_add](#helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_and_add) |
 | [helm_lib_module_container_security_context_capabilities_drop_all_and_add](#helm_lib_module_container_security_context_capabilities_drop_all_and_add) |
 | [helm_lib_module_container_security_context_capabilities_drop_all_and_run_as_user_custom](#helm_lib_module_container_security_context_capabilities_drop_all_and_run_as_user_custom) |
+| [helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted](#helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted) |
 | **Module Storage Class** |
 | [helm_lib_module_storage_class_annotations](#helm_lib_module_storage_class_annotations) |
 | **Monitoring Grafana Dashboards** |
@@ -733,6 +734,19 @@ list:
 -  User id 
 -  Group id 
 
+
+### helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted
+
+ returns SecurityContext parameters for Container with minimal required settings to comply with the Restricted mode of the Pod Security Standards 
+
+#### Usage
+
+`{{ include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted" . }} `
+
+#### Arguments
+
+-  Template context with .Values, .Chart, etc 
+
 ## Module Storage Class
 
 ### helm_lib_module_storage_class_annotations
diff --git a/charts/helm_lib/templates/_module_security_context.tpl b/charts/helm_lib/templates/_module_security_context.tpl
@@ -59,8 +59,8 @@ securityContext:
 securityContext:
   allowPrivilegeEscalation: false
   capabilities:
-  drop:
-  - all
+    drop:
+    - all
   runAsGroup: 64535
   runAsNonRoot: true
   runAsUser: 64535
@@ -197,3 +197,17 @@ securityContext:
     drop:
     - ALL
 {{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted" . }} */ -}}
+{{- /* returns SecurityContext parameters for Container with minimal required settings to comply with the Restricted mode of the Pod Security Standards */ -}}
+{{- define "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_pss_restricted" -}}
+{{- /* Template context with .Values, .Chart, etc */ -}}
+securityContext:
+  readOnlyRootFilesystem: true
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+    - ALL
+  seccompProfile:
+    type: RuntimeDefault
+{{- end }}
diff --git a/tests/tests/helm_lib_module_container_security_context_run_as_user_deckhouse_pss_restricted_test.yaml b/tests/tests/helm_lib_module_container_security_context_run_as_user_deckhouse_pss_restricted_test.yaml
@@ -10,8 +10,8 @@ tests:
           value:
             allowPrivilegeEscalation: false
             capabilities:
-            drop:
-            - all
+              drop:
+              - all
             runAsGroup: 64535
             runAsNonRoot: true
             runAsUser: 64535
