fix(helm): security contexts for ebpf cleanup hook

deployments/charts/kuma/README.md

@@ -166,6 +166,9 @@ A Helm chart for the Kuma Control Plane
 | hooks.tolerations | list | `[]` | Tolerations for the HELM hooks |
 | hooks.podSecurityContext | object | `{"runAsNonRoot":true}` | Security context at the pod level for crd/webhook/ns |
 | hooks.containerSecurityContext | object | `{"readOnlyRootFilesystem":true}` | Security context at the container level for crd/webhook/ns |
+| hooks.ebpfCleanup | object | `{"containerSecurityContext":{"readOnlyRootFilesystem":false},"podSecurityContext":{"runAsNonRoot":false}}` | ebpf-cleanup hook needs write access to the root filesystem to clean ebpf programs |
+| hooks.ebpfCleanup.podSecurityContext | object | `{"runAsNonRoot":false}` | Security context at the pod level for crd/webhook/cleanup-ebpf |
+| hooks.ebpfCleanup.containerSecurityContext | object | `{"readOnlyRootFilesystem":false}` | Security context at the container level for crd/webhook/cleanup-ebpf |
 | experimental.gatewayAPI | bool | `false` | If true, it installs experimental Gateway API support |
 | experimental.ebpf.enabled | bool | `false` | If true, ebpf will be used instead of using iptables to install/configure transparent proxy |
 | experimental.ebpf.instanceIPEnvVarName | string | `"INSTANCE_IP"` | Name of the environmental variable which will contain the IP address of a pod |

deployments/charts/kuma/templates/post-delete-cleanup-ebpf-job.yaml

@@ -37,14 +37,14 @@ rules:
     resources:
       - pods
     verbs:
-      - watch 
+      - watch
       - delete
       - deletecollection
   - apiGroups: ["batch"]
     resources:
       - jobs
     verbs:
-      - watch 
+      - watch
       - create
       - delete
       - deletecollection
@@ -97,16 +97,16 @@ spec:
       {{ toYaml . | nindent 8 }}
       {{- end }}
       restartPolicy: OnFailure
-      {{- if .Values.hooks.podSecurityContext }}
+      {{- if .Values.hooks.ebpfCleanup.podSecurityContext }}
       securityContext:
-      {{ toYaml .Values.hooks.podSecurityContext | trim | nindent 8 }}
+      {{ toYaml .Values.hooks.ebpfCleanup.podSecurityContext | trim | nindent 8 }}
       {{- end }}
       containers:
         - name: post-delete-job
           image: {{ include "kuma.formatImage" (dict "image" .Values.dataPlane.initImage "root" $) | quote }}
-          {{- if .Values.hooks.containerSecurityContext }}
+          {{- if .Values.hooks.ebpfCleanup.containerSecurityContext }}
           securityContext:
-          {{ toYaml .Values.hooks.containerSecurityContext | trim | nindent 12 }}
+          {{ toYaml .Values.hooks.ebpfCleanup.containerSecurityContext | trim | nindent 12 }}
           {{- end }}
           resources:
              requests:

deployments/charts/kuma/values.yaml

@@ -664,6 +664,15 @@ hooks:
   containerSecurityContext:
     readOnlyRootFilesystem: true
 
+  # -- ebpf-cleanup hook needs write access to the root filesystem to clean ebpf programs
+  ebpfCleanup:
+    # -- Security context at the pod level for crd/webhook/cleanup-ebpf
+    podSecurityContext:
+      runAsNonRoot: false
+    # -- Security context at the container level for crd/webhook/cleanup-ebpf
+    containerSecurityContext:
+      readOnlyRootFilesystem: false
+
 experimental:
   # -- If true, it installs experimental Gateway API support
   gatewayAPI: false