fix: correct pod security context block indentation

snyk · Oct 22, 2024 · 8848ba8 · 8848ba8
1 parent 12d4b46
commit 8848ba8
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 13 deletions.
diff --git a/snyk-monitor/templates/deployment.yaml b/snyk-monitor/templates/deployment.yaml
@@ -33,19 +33,19 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
     spec:
-    {{- with .Values.podSecurityContext }}
-    securityContext:
-    {{- $fsGroupOverride := dict }}
-    {{- if hasKey $.Values.securityContext "fsGroup" }}
-    {{- $fsGroupOverride = dict "fsGroup" (int $.Values.securityContext.fsGroup) }}
-    {{- end }}
-    {{- merge $fsGroupOverride . | toYaml | nindent 8 }}
-    {{- else }}
-    {{- if .Values.securityContext.fsGroup }}
-    securityContext:
-      fsGroup: {{ int .Values.securityContext.fsGroup }}
-    {{- end }}
-    {{- end }}
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+      {{- $fsGroupOverride := dict }}
+      {{- if hasKey $.Values.securityContext "fsGroup" }}
+      {{- $fsGroupOverride = dict "fsGroup" (int $.Values.securityContext.fsGroup) }}
+      {{- end }}
+      {{- merge $fsGroupOverride . | toYaml | nindent 8 }}
+      {{- else }}
+      {{- if .Values.securityContext.fsGroup }}
+      securityContext:
+        fsGroup: {{ int .Values.securityContext.fsGroup }}
+      {{- end }}
+      {{- end }}
       affinity:
         nodeAffinity:
           requiredDuringSchedulingIgnoredDuringExecution:

diff --git a/test/integration/kubernetes.spec.ts b/test/integration/kubernetes.spec.ts
@@ -776,6 +776,15 @@ test('snyk-monitor secure configuration is as expected', async () => {
     namespace,
   );
   const deployment = response.body;
+  expect(deployment.spec?.template.spec).toEqual(
+    expect.objectContaining({
+      securityContext: {
+        fsGroup: 65534,
+        fsGroupChangePolicy: 'Always',
+      },
+    }),
+  );
+
   expect(deployment.spec?.template?.spec?.containers?.[0]).toEqual(
     expect.objectContaining({
       securityContext: {

diff --git a/test/setup/deployers/helm.ts b/test/setup/deployers/helm.ts
@@ -39,6 +39,7 @@ async function deployKubernetesMonitor(
       '--set rbac.serviceAccount.annotations."foo"="bar" ' +
       '--set volumes.projected.serviceAccountToken=true ' +
       '--set securityContext.fsGroup=65534 ' +
+      '--set podSecurityContext.fsGroupChangePolicy="Always" ' +
       '--set skopeo.compression.level=1 ' +
       '--set workers.count=5 ' +
       '--set sysdig.enabled=true ',