Configuring Security Context for the connectware-agent Helm Chart

Configuring Security Context

Connectware agents installed using the connectware-agent Helm chart allow changing the security context of executed containers by defining the securityContext and podSecurityContext sections inside the agents entry in the protocolMapperAgents context of your values.yaml file.

It is important to note, that the security context required by the agent is dependent on installed services, so any modifications made should be verified to work with your use case.

Example

protocolMapperAgents:
  - name: bender-robots
    connectwareHost: connectware.cybus # adjust to actual hostname of Connectware
    podSecurityContext:
      runAsUser: 1000
      runAsGroup: 1000

The difference between securityContext and podSecurityContext is, that securityContext puts restrictions on the container, while podSecurityContext puts restrictions on the pod. While this may seem pointless with the agents single container inside its pod, it does play a role when, for example, attaching an ephemeral container to the pod.

Unsetting Security Context

If you set a securityContext or podSecurityContext in the protocolMapperAgentDefaults section of your values.yaml file, you can unset them for individual agents by setting the value of securityContext or podSecurityContext to {} inside the agents entry in the protocolMapperAgents context of your values.yaml.

Example

protocolMapperAgentDefaults:
  connectwareHost: connectware.cybus # adjust to actual hostname of Connectware
  podSecurityContext:
    runAsUser: 1000
    runAsGroup: 1000
protocolMapperAgents:
  - name: bender-robots # this agent will run as user & group 1000
  - name: welder-robots # this agent will not run as user & group 1000
    podSecurityContext: {}