feat: add pod and container securityContext support

chart/README.md

@@ -436,6 +436,12 @@ You should now be able to connect to the FusionAuth application at http://localh
             <td><code>{}</code></td>
             <td>Define labels for fusionauth Deployment.</td>
         </tr>
+        <tr>
+            <td><code>podSecurityContext</code></td>
+            <td>object</td>
+            <td><code>{}</code></td>
+            <td>Security context for the pod. Ref: <a href="https://kubernetes.io/docs/tasks/configure-pod-container/security-context/">Kubernetes docs</a>.</td>
+        </tr>
         <tr>
             <td><code>readinessProbe</code></td>
             <td>object</td>
@@ -485,6 +491,12 @@ You should now be able to connect to the FusionAuth application at http://localh
             <td><code>"http"</code></td>
             <td>Protocol to use when connecting to elasticsearch. Ignored when <code>search.engine</code> is NOT <code>elasticsearch</code>.</td>
         </tr>
+        <tr>
+            <td><code>securityContext</code></td>
+            <td>object</td>
+            <td><code>{}</code></td>
+            <td>Security context for the fusionauth container. Ref: <a href="https://kubernetes.io/docs/tasks/configure-pod-container/security-context/">Kubernetes docs</a>.</td>
+        </tr>
         <tr>
             <td><code>service.annotations</code></td>
             <td>object</td>

chart/templates/deployment.yaml

@@ -133,6 +133,10 @@ spec:
             {{- end }}
           resources:
               {{- toYaml .Values.resources | nindent 12 }}
+          {{- with .Values.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
 
           {{- if or .Values.kickstart.enabled .Values.extraVolumeMounts }}
           volumeMounts:
@@ -149,6 +153,10 @@ spec:
         {{- if .Values.extraContainers }}
         {{- toYaml .Values.extraContainers | nindent 8 }}
         {{- end }}
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       {{- if .Values.dnsConfig }}
       dnsConfig:
       {{- toYaml .Values.dnsConfig |nindent 8 }}

chart/values.schema.json

@@ -207,6 +207,9 @@
         "nodeSelector": {
             "type": "object"
         },
+        "podSecurityContext": {
+            "type": "object"
+        },
         "podAnnotations": {
             "type": "object"
         },
@@ -246,6 +249,9 @@
         "resources": {
             "type": "object"
         },
+        "securityContext": {
+            "type": "object"
+        },
         "search": {
             "type": "object",
             "properties": {

chart/values.yaml

@@ -229,6 +229,19 @@ autoscaling:
   targetCPU: 50
   # targetMemory: 50
 
+# podSecurityContext -- Security context for the pod. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+podSecurityContext: {}
+  # runAsNonRoot: true
+  # seccompProfile:
+  #   type: RuntimeDefault
+
+# securityContext -- Security context for the fusionauth container. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+securityContext: {}
+  # allowPrivilegeEscalation: false
+  # capabilities:
+  #   drop:
+  #     - ALL
+
 # nodeSelector -- Define nodeSelector for kubernetes to use when scheduling fusionauth pods.
 nodeSelector: {}