Add support privileged sec context config

charts/operator-wandb/charts/app/values.yaml

@@ -47,6 +47,7 @@ container:
       drop: []
     allowPrivilegeEscalation: false
     readOnlyRootFilesystem: false
+    privileged: false
 
 common:
   labels: {}

charts/operator-wandb/charts/console/values.yaml

@@ -47,6 +47,7 @@ container:
       drop: []
     allowPrivilegeEscalation: false
     readOnlyRootFilesystem: false
+    privileged: false
 
 service:
   type: ClusterIP

charts/operator-wandb/charts/flat-run-fields-updater/values.yaml

@@ -43,6 +43,7 @@ container:
       drop: []
     allowPrivilegeEscalation: false
     readOnlyRootFilesystem: false
+    privileged: false
 
 common:
   labels: {}

charts/operator-wandb/charts/otel/charts/agent/values.yaml

@@ -49,6 +49,7 @@ container:
       drop: []
     allowPrivilegeEscalation: false
     readOnlyRootFilesystem: false
+    privileged: false
 
 clusterRole:
   annotations: {}

charts/operator-wandb/charts/stackdriver/templates/deployment.yaml

@@ -32,10 +32,14 @@ spec:
         {{- if .Values.pod.annotations -}}
         {{-   toYaml .Values.pod.annotations | nindent 8 }}
         {{- end }}
+      {{- include "wandb.nodeSelector" . | nindent 6 }}
+      {{- include "wandb.priorityClassName" . | nindent 6 }}
+      {{- include "wandb.podSecurityContext" .Values.pod.securityContext | nindent 6 }}
     spec:
       containers:
         - name: {{ .Chart.Name }}
           image:  "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          {{- include "wandb.containerSecurityContext" .Values.container.securityContext | nindent 10 }}
           command: ["stackdriver_exporter"]
           volumeMounts:
           {{- if or .Values.stackdriver.serviceAccountSecret .Values.stackdriver.serviceAccountKey }}
@@ -102,9 +106,6 @@ spec:
       tolerations:
         {{- toYaml .tolerations | nindent 8 }}
       {{- end }}
-      {{- include "wandb.nodeSelector" . | nindent 6 }}
-      {{- include "wandb.priorityClassName" . | nindent 6 }}
-      {{- include "wandb.podSecurityContext" .Values.pod.securityContext | nindent 6 }}
       volumes:
       {{- if .Values.stackdriver.serviceAccountSecret }}
         - name: stackdriver-service-account

charts/operator-wandb/charts/stackdriver/values.yaml

@@ -79,10 +79,26 @@ service:
   annotations: {}
 
 pod:
+  labels: {}
+  annotations: {}
   securityContext:
+    runAsNonRoot: true
+    runAsUser: 999
+    runAsGroup: 0
     fsGroup: 0
     fsGroupChangePolicy: "OnRootMismatch"
-  labels: {}
+    seccompProfile:
+      type: ""
+
+container:
+  securityContext:
+    capabilities:
+      add: []
+      drop: []
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: false
+    privileged: false
+
 
 deployment: {}
 

charts/operator-wandb/charts/weave-trace/values.yaml

@@ -44,6 +44,7 @@ container:
       drop: []
     allowPrivilegeEscalation: false
     readOnlyRootFilesystem: false
+    privileged: false
 
 resources:
   requests:

charts/operator-wandb/charts/weave/values.yaml

@@ -53,6 +53,7 @@ container:
       drop: []
     allowPrivilegeEscalation: false
     readOnlyRootFilesystem: false
+    privileged: false
 
 resources:
   # We usually recommend not to specify default resources and to leave this as a

charts/operator-wandb/charts/yace/values.yaml

@@ -111,6 +111,7 @@ container:
       drop: []
     allowPrivilegeEscalation: false
     readOnlyRootFilesystem: false
+    privileged: false
 
 
 deployment: {}

charts/operator-wandb/templates/_pods.tpl

@@ -72,6 +72,9 @@ securityContext:
   {{- if hasKey $csc "runAsGroup" }}
   runAsGroup: {{ $csc.runAsGroup }}
   {{- end }}
+  {{- if hasKey $csc "privileged" }}
+  privileged: {{ $csc.privileged }}
+  {{- end }}
 {{- end }}
 {{- end -}}