Allow changing acmesolver pod SecurityContext

Inspired by [this reddit thread](https://www.reddit.com/r/kubernetes/comments/vwh52u/certmanager_securitycontext_and_solver/)

We currently hardcode a pod security context when we create acmesolver pods:

https://github.com/cert-manager/cert-manager/blob/33c7c298b19364d66f6b3f23de7796b4b5c635ee/pkg/issuer/acme/http/pod.go#L176-L181

This enforces `RunAsNonRoot` which is a sane default given that we run as `USER 1000` in our [container](https://github.com/cert-manager/cert-manager/blob/33c7c298b19364d66f6b3f23de7796b4b5c635ee/hack/containers/Containerfile.acmesolver#L5).

However, some tools will inject init containers for pods for whatever reason. An example is https://github.com/k8tz/k8tz

If those init containers violate the pod security context, acmesolver will fail to start. k8tz has [fixed](https://github.com/k8tz/k8tz/releases/tag/v0.5.1) their containers running as root, but the risk remains that other tools might need to run as root (or maybe use a more expansive seccomp profile or something).

It would be nice for the security context to be configurable for users.

/kind feature


	SecurityContext: &corev1.PodSecurityContext{
	RunAsNonRoot: pointer.BoolPtr(true),
	SeccompProfile: &corev1.SeccompProfile{
	Type: corev1.SeccompProfileTypeRuntimeDefault,
	},
	},

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Allow changing acmesolver pod SecurityContext #5295

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Allow changing acmesolver pod SecurityContext #5295

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions