Make Pod-level security context configurable in Helm chart

[wtripp180901]

Proposed change

Security contexts can generally be set at the container level but not at the pod level. It would be nice to have this be configurable in the Helm chart

Alternative options

I've been using Helm post-renderers to work around this

Who would use this feature?

I'm trying to run Jupyter in a restricted namespace and some of the controls require securityContexts to explicitly set values at the pod level. I don't believe there is anything in zero-to-jupyterhub which actually needs to violate any of the restricted controls, so having these be configurable would allow Jupyter to run in restricted namespaces and provide more security guarantees

[consideRatio]

There are many pods associated with a few different kinds of workloads - for what workload are you looking to configure the Pods' securityContext?

Example workloads:

• hub
• proxy
• jupyter-username (user server pods)

[wtripp180901]

hub, proxy and user-placeholder were the workloads which were being denied in restricted mode and didn't have their security contexts exposed, but the only additional config they needed was

spec:
  template:
    spec:
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault

which they still seem to work with. Overriding singleuser.profileList[*].pod_security_context was sufficient to get the named server pods working

[radhupr]

Hi, I have similar issue.
I want to set security Context for singleuser instance pods (eg: Selinuxoptions) and currently there is no way to configure this in the helm chart. Would be helpful to have the securityContext configurable for all the pods created by the helm chart rather than adding it through new policies/ exceptions in our cluster.

[manics]

@radhupr Have you tried KubeSpawner.extra_pod_config?