add todo for seccont

library/common-test/tests/container_in_deployment/securityContext_test.yaml

@@ -63,6 +63,14 @@ tests:
             readOnlyRootFilesystem: true
             runAsNonRoot: true
 
+  - it: should fail with inherit key added in securityContext on main container
+    set:
+      securityContext:
+        inherit: true
+    asserts:
+      - failedTemplate:
+          errorMessage: <inherit> key is only available for additional/init/install/upgrade containers.
+
   - it: should fail with securityContext changed, runAsNonRoot true and runAsUser 0
     set:
       securityContext:

library/common/1.0.0/templates/lib/container/_securityContext.tpl

@@ -1,10 +1,25 @@
-init{{/* Security Context included by the container */}}
+{{/* Security Context included by the container */}}
 {{- define "ix.v1.common.container.securityContext" -}}
   {{- $secContext := .secCont -}}
   {{- $podSecContext := .podSecCont -}}
+  {{- $isMainContainer := .isMainContainer -}}
   {{- $root := .root -}}
 
+  {{/*
+  TODO: Modify podSecContext and securityContext.
+  Only applied on podSecContext values that can only be set there.
+  Everything else applied to secContext which has more weight and overrides podSec
+  */}}
+
   {{- $defaultSecCont := $root.Values.global.defaults.securityContext -}}
+
+  {{- if and (hasKey $secContext "inherit") $isMainContainer -}}
+    {{- fail "<inherit> key is only available for additional/init/install/upgrade containers." -}}
+  {{- end -}}
+  {{- if and $secContext.inherit (not $isMainContainer) -}} {{/* if inherit is set, use the secContext from main container as default */}}
+    {{- $defaultSecCont = $root.Values.securityContext -}}
+  {{- end -}} {{/* TODO: Unittests for inherit + normal securityContext */}}
+
   {{- $runAsNonRoot := $defaultSecCont.runAsNonRoot -}}
   {{- $readOnlyRootFilesystem := $defaultSecCont.readOnlyRootFilesystem -}}
   {{- $allowPrivilegeEscalation := $defaultSecCont.allowPrivilegeEscalation -}}
@@ -21,10 +36,6 @@ init{{/* Security Context included by the container */}}
     {{- end -}}
   {{- end -}}
 
-  {{- if $secContext.inheritMain -}} {{/* if inheritMain is set, use the secContext from main container as default */}}
-    {{- $defaultSecCont = $root.Values.securityContext -}}
-  {{- end -}} {{/* TODO: Unittests for inherit + normal securityContext */}}
-
   {{/* Override defaults based on user/dev input */}}
   {{- if and (hasKey $secContext "runAsNonRoot") (ne (toString $secContext.runAsNonRoot) (toString $runAsNonRoot)) -}}
     {{- $runAsNonRoot = $secContext.runAsNonRoot -}}

library/common/1.0.0/templates/lib/pod/_extraContainers.tpl

@@ -57,7 +57,7 @@
   lifecycle:
     {{- . | nindent 4 }}
   {{- end -}}
-  {{- with (include "ix.v1.common.container.securityContext" (dict "secCont" $container.securityContext "podSecCont" $root.Values.podSecurityContext "root" $root)) | trim }}
+  {{- with (include "ix.v1.common.container.securityContext" (dict "secCont" $container.securityContext "podSecCont" $root.Values.podSecurityContext "isMainContainer" false "root" $root)) | trim }}
   securityContext:
     {{- . | nindent 4 }}
   {{- end -}}

library/common/1.0.0/templates/lib/pod/_mainContainer.tpl

@@ -19,7 +19,7 @@ So it can work on multiple places, like additional containers and not only the m
   args:
     {{- . | nindent 4 }}
   {{- end -}}
-  {{- with (include "ix.v1.common.container.securityContext" (dict "secCont" .Values.securityContext "podSecCont" .Values.podSecurityContext "root" $)) | trim }}
+  {{- with (include "ix.v1.common.container.securityContext" (dict "secCont" .Values.securityContext "podSecCont" .Values.podSecurityContext "isMainContainer" true "root" $)) | trim }}
   securityContext:
     {{- . | nindent 4 }}
   {{- end -}}

library/common/1.0.0/templates/lib/pod/_podSecurityContext.tpl

@@ -1,4 +1,4 @@
-{{/* A dict podSecContext is expected with keys line runAsUser */}}
+{{/* A dict podSecContext is expected with keys like runAsUser */}}
 {{- define "ix.v1.common.container.podSecurityContext" -}}
   {{- $podSecCont := .podSecCont -}}
 runAsUser: {{ required "<runAsUser> value is required." $podSecCont.runAsUser }}