chore(helm): add podSecurityContext and containerSecurityContext values to controller chart (#753)

hrsh1209 · web-flow · commit b974d2e3fbb1 · 2026-06-03T01:59:47.000+05:30
* add security context param into helm to make sandbox compliant to k8s policies

* apply PR suggestion
diff --git a/helm/README.md b/helm/README.md
@@ -97,5 +97,7 @@ The following table lists the configurable parameters and their defaults.
 | `nodeSelector` | Node selector for the controller pod | `{}` |
 | `tolerations` | Tolerations for the controller pod | `[]` |
 | `affinity` | Affinity rules for the controller pod | `{}` |
+| `podSecurityContext` | Pod `securityContext`; only rendered when set (e.g. Kyverno / Pod Security) | `null` |
+| `containerSecurityContext` | Container `securityContext` for the controller; only rendered when set | `null` |
 | `podAnnotations` | Annotations added to the controller pod template (e.g. service-mesh sidecar toggles, Prometheus scrape autodiscovery) | `{}` |
 | `podLabels` | Extra labels added to the controller pod template alongside the chart's selector labels (selector labels take precedence on conflict) | `{}` |
diff --git a/helm/templates/deployment.yaml b/helm/templates/deployment.yaml
@@ -21,6 +21,10 @@ spec:
       {{- end }}
     spec:
       serviceAccountName: agent-sandbox-controller
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       containers:
       - name: agent-sandbox-controller
         image: {{ include "agent-sandbox.image" . }}
@@ -50,6 +54,10 @@ spec:
         resources:
           {{- toYaml . | nindent 10 }}
         {{- end }}
+        {{- with .Values.containerSecurityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
         volumeMounts:
         - name: config-volume
           mountPath: /etc/sandbox-config
diff --git a/helm/values.yaml b/helm/values.yaml
@@ -60,3 +60,23 @@ nodeSelector: {}
 tolerations: []
 
 affinity: {}
+
+# Pod-level securityContext (spec.template.spec.securityContext). Default null — omitted unless set.
+# Example for Kyverno / restricted Pod Security:
+# podSecurityContext:
+#   runAsNonRoot: true
+#   seccompProfile:
+#     type: RuntimeDefault
+podSecurityContext: null
+
+# Container-level securityContext for the controller. Default null — omitted unless set.
+# Example:
+# containerSecurityContext:
+#   allowPrivilegeEscalation: false
+#   capabilities:
+#     drop:
+#       - ALL
+#   runAsNonRoot: true
+#   seccompProfile:
+#     type: RuntimeDefault
+containerSecurityContext: null
