Merge pull request #72 from dmitrii-didenko/cadvisor-security-context

Added security context to work with oom events

charts/cadvisor/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 description: A chart for a Cadvisor deployment
 name: cadvisor
-version: 1.2.4
+version: 1.3.0
 appVersion: 0.39.2
 home: https://github.com/google/cadvisor
 sources:

charts/cadvisor/README.md

@@ -59,6 +59,8 @@ The following table lists the configurable parameters of the cAdvisor chart and
 | `podAnnotations`               | annotations for the daemonset pods               | `{}`                       |
 | `podSecurityPolicy.create`     | create a own PodSecurityPolicy for the pod       | `false`                    |
 | `podSecurityPolicy.privileged` | create the PodSecurityPolicy as privileged       | `false`                    |
+| `podSecurityContext.create`    | create the podSecurityContext in container spec  | `false`                    |
+| `podSecurityContext.privileged`| set podSecurityContext privileged to true        | `false`                    |
 | `metrics.enabled`              | create ServiceMonitor CR for Prometheus operator | `false`                    |
 | `metrics.relabeling`           | add relabeling configuration to ServiceMonitor   | `[]`                       |
 

charts/cadvisor/templates/daemonset.yaml

@@ -48,6 +48,10 @@ spec:
           mountPath: {{ default .path .mount }}
           readOnly: true
         {{- end }}
+        {{ if .Values.podSecurityContext.create }}
+        securityContext:
+          privileged: {{ .Values.podSecurityContext.privileged }}
+        {{- end }}
         ports:
         - name: http
           containerPort: {{ .Values.container.port }}

charts/cadvisor/values.yaml

@@ -58,6 +58,11 @@ podSecurityPolicy:
   create: false
   privileged: false
 
+# Specifies whether a securityContext should be created. Required for privileged operations.
+podSecurityContext:
+  create: false
+  privileged: false
+
 nodeSelector: {}
 
 tolerations: []