feat(helm): add podSecurityContext and podAnnotations to crdHook Job#2009
Merged
Slach merged 1 commit (Jun 17, 2026)
Conversation
The crd-install Job pod template currently exposes only container-level
securityContext via `crdHook.containerSecurityContext`. This blocks two
real-world deployments:
- Kyverno `restrict-seccomp-strict` rejects the Job because the pod has
no pod-level `seccompProfile`.
- Istio sidecar auto-injection adds an `istio-init` initContainer that
lacks `seccompProfile`, again tripping the same policy. The standard
opt-out (`sidecar.istio.io/inject: "false"`) requires a pod-template
annotation, which the chart had no way to set.
Add two new value keys:
- `crdHook.podSecurityContext` -> `spec.template.spec.securityContext`
- `crdHook.podAnnotations` -> `spec.template.metadata.annotations`
Both default to `{}` and render under `{{- with }}`, so the rendered
output is byte-identical when unset. Same pattern already used for
`imagePullSecrets`, `nodeSelector`, `affinity`, `tolerations`,
`containerSecurityContext`.
Also wires the new keys into `values.schema.json` and the README values
table.
Signed-off-by: Quentin Levasseur (Genetec) <qlevasseur@genetec.com>
Slach
approved these changes
Jun 17, 2026
Follow-up to #1950, which added `crdHook.containerSecurityContext`.

Summary

The `crd-install` Helm hook Job currently exposes only container-level `securityContext`. There is no way to set pod-level `securityContext` nor pod-template annotations. This blocks two real-world deployments:
- Kyverno `restrict-seccomp-strict` rejects the Job because the pod spec lacks a pod-level `seccompProfile`. Container-level seccomp is not sufficient under the strict variant of this policy. https://kyverno.io/policies/pod-security/restricted/restrict-seccomp-strict/
- Istio sidecar auto-injection adds an `istio-init` initContainer at admission time. That initContainer has no `seccompProfile`, again tripping Kyverno strict. The canonical opt-out is the pod-template annotation `sidecar.istio.io/inject: "false"`, but the chart had no field to set it.

This PR adds two new value keys:
- `crdHook.podSecurityContext` -> `spec.template.spec.securityContext`
- `crdHook.podAnnotations` -> `spec.template.metadata.annotations`

Both default to `{}` and render under `{{- with }}`, so the output is byte-identical when unset.

Changes
- `templates/hooks/crd-install-job.yaml` — render the two new blocks
- `values.yaml` — documented under `crdHook:` with commented-out examples
- `values.schema.json` — declared both as `type: object`
- `README.md` — two new rows in the values table

Backward compatibility

Defaults unchanged. With no overrides, the rendered Job is identical to the pre-PR chart (verified via `diff` of `helm template` output).
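Added illustration (not the PR's diff, which is not reproduced on this page, and not the project's own files): the `{{- with }}` pattern the description refers to, as the two blocks would sit in `templates/hooks/crd-install-job.yaml`, followed by a constructed values override that addresses both failure cases above. The indentation levels (`nindent 8`), the surrounding Job structure and the values shown are assumptions for the example; only the key names and their target paths come from the PR.

```yaml
# --- templates/hooks/crd-install-job.yaml, illustrative fragment ---
# Assumed layout, not the PR's actual diff. Each `with` block emits nothing
# when its value is {}, so the default rendering stays byte-identical.
spec:
  template:
    metadata:
      {{- with .Values.crdHook.podAnnotations }}
      annotations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
    spec:
      {{- with .Values.crdHook.podSecurityContext }}
      securityContext:
        {{- toYaml . | nindent 8 }}
      {{- end }}

# --- constructed values override (e.g. passed via `helm -f`) ---
crdHook:
  # Pod-template annotation: stops the Istio webhook from injecting the
  # istio-init initContainer that carries no seccompProfile.
  podAnnotations:
    sidecar.istio.io/inject: "false"
  # Pod-level profile: what restrict-seccomp-strict checks at
  # spec.securityContext and what the container-level key alone cannot satisfy.
  podSecurityContext:
    seccompProfile:
      type: RuntimeDefault
  # Container-level key from #1950, kept so every container in the pod spec
  # also declares a profile (the strict policy checks both levels).
  containerSecurityContext:
    seccompProfile:
      type: RuntimeDefault
```

To confirm the backward-compatibility claim locally, render the chart twice with `helm template` (once with and once without an override file that sets only these two keys to `{}`) and `diff` the outputs; they should be empty. Note that `helm template` does not run admission webhooks, so the Istio injection and the Kyverno verdict can only be observed against a cluster that has both installed.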