[wishlist] support for setting securityContext for pods on deployment

Bug #1931197 reported by Xav Paice
Affects: Canonical Juju
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

I wish to deploy an application that includes an ipsec client, using Strongswan, in a sidecar charm.

In order to have that run, I need the container to be a privileged one - this can be achieved using a podspec, e.g.

```
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vpn
  labels:
    app: vpn
spec:
  selector:
    matchLabels:
      app: vpn
  replicas: 1
  template:
    metadata:
      labels:
        app: vpn
    spec:
      containers:
      - name: ipsec
        image: xavpaice/ipsec-connector:0.1-edge
        imagePullPolicy: Always
        securityContext:
          privileged: true
        ports:
          - containerPort: 500
            hostPort: 500
            name: vpn-isakmp
            protocol: UDP
          - containerPort: 4500
            hostPort: 4500
            name: vpn-ike
            protocol: UDP
```

It would be good to have this definable in the metadata.yaml containers setting, rather than have to work around the limitation e.g. https://github.com/danackerson/wireguard-sidecar/blob/81bedf5d4c9299e96b9321fe342cb55bc0614a3c/src/charm.py#L103

Ben Hoyt (benhoyt) wrote :

This seems like a reasonable feature request. For now, the workaround of hitting the K8s API directly is good -- this has been our go-to workaround for missing features in sidecar charms (where you're not producing the pod-spec directly).

Changed in juju:
status: New → Confirmed
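
The workaround discussed above patches the workload through the K8s API. As an added example (not code from the report, the linked charm, or Juju), this sketch builds a strategic-merge-patch body for one container's securityContext, applies it to a constructed copy of the manifest offline, and lists the host-level access that results. The helper names, the `charm` container and its image are assumptions made for illustration.

```python
import copy

# Constructed sample: containers from the manifest above, before any securityContext.
WORKLOAD = {"spec": {"template": {"spec": {"containers": [
    {"name": "charm", "image": "example/charm:placeholder"},  # hypothetical second container
    {"name": "ipsec", "image": "xavpaice/ipsec-connector:0.1-edge",
     "ports": [{"containerPort": 500, "hostPort": 500, "protocol": "UDP"},
               {"containerPort": 4500, "hostPort": 4500, "protocol": "UDP"}]},
]}}}}


def security_context_patch(container, privileged=False, add_caps=()):
    """Strategic-merge-patch body that sets securityContext on one container."""
    ctx = {"privileged": privileged}
    if add_caps:  # narrower grant than privileged; whether it suffices is workload-specific
        ctx["capabilities"] = {"add": sorted(add_caps)}
    return {"spec": {"template": {"spec": {"containers": [
        {"name": container, "securityContext": ctx}]}}}}


def merge_containers(workload, patch):
    """Offline emulation of the list merge: entries are matched on "name" and
    other containers stay untouched. Fails on a name that matches nothing."""
    merged = copy.deepcopy(workload)
    by_name = {c["name"]: c for c in merged["spec"]["template"]["spec"]["containers"]}
    for entry in patch["spec"]["template"]["spec"]["containers"]:
        if entry["name"] not in by_name:
            raise KeyError(f"no container named {entry['name']!r} in workload")
        by_name[entry["name"]].update(copy.deepcopy(entry))
    return merged


def audit(workload):
    """List the host-level access each container ends up with, for review."""
    findings = []
    for c in workload["spec"]["template"]["spec"]["containers"]:
        ctx = c.get("securityContext", {})
        if ctx.get("privileged"):
            findings.append((c["name"], "privileged"))
        for cap in ctx.get("capabilities", {}).get("add", []):
            findings.append((c["name"], f"cap:{cap}"))
        for p in c.get("ports", []):
            if "hostPort" in p:
                findings.append((c["name"], f"hostPort:{p['hostPort']}/{p['protocol']}"))
    return findings
```

Running `audit()` on the merged result before sending the patch shows that only the `ipsec` container gains access and makes the privileged grant and the host port bindings visible to a reviewer.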