Configurable Security Context for CronJobs (#705)

* Configurable Security Context for Snuba CronJobs Configurable Security Context is missing from both Snuba cleanup jobs (cleanup transactions and cleanup errors). It makes it impossible to run those jobs with `runAsNonRoot` - k8s cannot verify id of a named user. * Configurable Security Context for Sentry Cleanup It's necessary to run it in restrictive environment blocking pods running as root. Co-authored-by: Szymon Soloch <ssoloch@opera.com>
sentry-kubernetes · Oct 17, 2022 · 0a64d95 · 0a64d95
1 parent 086dea2
commit 0a64d95
Show file tree

Hide file tree

Showing 5 changed files with 16 additions and 1 deletion.
diff --git a/sentry/Chart.yaml b/sentry/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: sentry
 description: A Helm chart for Kubernetes
 type: application
-version: 16.0.4
+version: 16.0.5
 appVersion: 22.9.0
 dependencies:
   - name: memcached

diff --git a/sentry/templates/cronjob-sentry-cleanup.yaml b/sentry/templates/cronjob-sentry-cleanup.yaml
@@ -58,6 +58,10 @@ spec:
           imagePullSecrets:
 {{ toYaml .Values.images.sentry.imagePullSecrets | indent 12 }}
             {{- end }}
+            {{- if .Values.sentry.cleanup.securityContext }}
+          securityContext:
+{{ toYaml .Values.sentry.cleanup.securityContext | indent 12 }}
+      {{- end }}
           containers:
           - name: {{ .Chart.Name }}-sentry-cleanup
             image: "{{ template "sentry.image" . }}"

diff --git a/sentry/templates/cronjob-snuba-cleanup-errors.yaml b/sentry/templates/cronjob-snuba-cleanup-errors.yaml
@@ -57,6 +57,10 @@ spec:
           imagePullSecrets:
 {{ toYaml .Values.images.snuba.imagePullSecrets | indent 12 }}
             {{- end }}
+            {{- if .Values.snuba.cleanupErrors.securityContext }}
+          securityContext:
+{{ toYaml .Values.snuba.cleanupErrors.securityContext | indent 12 }}
+      {{- end }}
           containers:
           - name: {{ .Chart.Name }}-snuba-cleanup-errors
             image: "{{ template "snuba.image" . }}"

diff --git a/sentry/templates/cronjob-snuba-cleanup-transactions.yaml b/sentry/templates/cronjob-snuba-cleanup-transactions.yaml
@@ -57,6 +57,10 @@ spec:
           imagePullSecrets:
 {{ toYaml .Values.images.snuba.imagePullSecrets | indent 12 }}
             {{- end }}
+            {{- if .Values.snuba.cleanupTransactions.securityContext }}
+          securityContext:
+{{ toYaml .Values.snuba.cleanupTransactions.securityContext | indent 12 }}
+      {{- end }}
           containers:
           - name: {{ .Chart.Name }}-snuba-cleanup-errors
             image: "{{ template "snuba.image" . }}"

diff --git a/sentry/values.yaml b/sentry/values.yaml
@@ -230,6 +230,7 @@ sentry:
     enabled: true
     schedule: "0 0 * * *"
     days: 90
+    # securityContext: {}
     sidecars: []
     volumes: []
     serviceAccount: {}
@@ -424,6 +425,7 @@ snuba:
     schedule: "0 * * * *"
     sidecars: []
     volumes: []
+    # securityContext: {}
     serviceAccount: {}
 
   cleanupTransactions:
@@ -435,6 +437,7 @@ snuba:
     schedule: "0 * * * *"
     sidecars: []
     volumes: []
+    # securityContext: {}
     serviceAccount: {}
 
 hooks: