Add securityContext for individual containers in flyte-binary Deployment

[marrrcin]

Why are the changes needed?

Some k8s clusters (including the one I work with) have strict requirements when it comes to securityContext for pods and containers, enforced by tools like Gatekeeper.sh.

These changes introduce the ability to configure securityContext at container level (init containers and the main container) within flyte-binary Helm Chart.

Specifying a securityContext is a Kubernetes best practice, as it allows you to configure various security-related settings (e.g., running as a non-root user, setting read-only file systems, etc.). This helps ensure that deployments adhere to stricter security guidelines and can comply with organizational or regulatory requirements.

What changes were proposed in this pull request?

• Added optional securityContext fields under:
  1. deployment.waitForDB.securityContext for the wait-for-db init container.
  2. deployment.genAdminAuthSecret.securityContext for the gen-admin-auth-secret init container.
  3. deployment.securityContext for the main Flyte container.
• Updated the Helm template (deployment.yaml) to conditionally render these securityContext blocks if they are defined in values.yaml.

These changes allow end users to specify privileged or non-privileged modes, user/group IDs, and other security settings in a flexible manner.

How was this patch tested?

• Helm Installation:
  • Deployed the chart in my own cluster with various securityContext configurations to ensure that the containers correctly applied the specified context (e.g., run as non-root, set read-only file system).
  • Verified that omitting the securityContext in values.yaml falls back to the existing default behavior, ensuring backward compatibility.

No automated tests were added specifically for this change because it primarily involves YAML configuration and conditional Helm templating. However, the local deployment tests validated that the feature works as expected and does not introduce regressions.

Labels

• added (new functionality: new fields and optional configuration for securityContext)

Setup process

No special setup is required. Users can opt in to the new functionality by defining the relevant securityContext fields in their values.yaml.

Screenshots

N/A – the feature pertains to YAML/config changes and does not alter UI/visual output.

Check all the applicable boxes

• I updated the documentation accordingly.
• All new and existing tests passed.
• All commits are signed-off.

Related PRs

N/A

Docs link

N/A

Summary by Bito

This PR enhances the security configuration capabilities of the flyte-binary Helm chart by introducing container-level securityContext settings. The implementation enables individual security context configuration for multiple containers including wait-for-db init container, gen-admin-auth-secret init container, and the main Flyte container. The changes include conditional rendering of securityContext blocks and updated manifest files with new haSharedSecret and checksum values.

Unit tests added: False

Estimated effort to review (1-5, lower is better): 2

[flyte-bot]

Code Review Agent Run #3fc36a

Actionable Suggestions - 1

• charts/flyte-binary/values.yaml - 1

  • Consider default security context settings · Line 308-308

Review Details

• Files reviewed - 5 · Commit Range: 40e404c..40e404c

  • charts/flyte-binary/templates/deployment.yaml
  • charts/flyte-binary/values.yaml
  • docker/sandbox-bundled/manifests/complete-agent.yaml
  • docker/sandbox-bundled/manifests/complete.yaml
  • docker/sandbox-bundled/manifests/dev.yaml
• Files skipped - 1

  • charts/flyte-binary/README.md - Reason: Filter setting
• Tools

  • Golangci-lint (Linter) - ✖︎ Failed
  • Whispers (Secret Scanner) - ✔︎ Successful
  • Detect-secrets (Secret Scanner) - ✔︎ Successful

---

AI Code Review powered by

[flyte-bot]

Changelist by Bito

This pull request implements the following key changes.

Key Change	Files Impacted
Feature Improvement - Enhanced Security Context Configuration	- deployment.yaml - Added conditional securityContext configuration for all containers - values.yaml - Added new securityContext configuration options for containers - complete-agent.yaml - Updated haSharedSecret and checksum values - complete.yaml - Updated haSharedSecret and checksum values - dev.yaml - Updated haSharedSecret and checksum values

[flyte-bot]

Consider default security context settings

Consider adding default security context settings for the wait-for-db init container to follow security best practices. The empty security context {} may not provide adequate security controls.

Code suggestion

Check the AI-generated fix before applying

Suggested change

	securityContext: {}
	securityContext:
	runAsNonRoot: true
	allowPrivilegeEscalation: false
	readOnlyRootFilesystem: true

Code Review Run #3fc36a

---

Is this a valid issue, or was it incorrectly flagged by the Agent?

• it was incorrectly flagged

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 37.04%. Comparing base (7f124ab) to head (40e404c).
Report is 1 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #6168   +/-   ##
=======================================
  Coverage   37.04%   37.04%           
=======================================
  Files        1318     1318           
  Lines      132583   132583           
=======================================
+ Hits        49109    49115    +6     
+ Misses      79223    79217    -6     
  Partials     4251     4251           

Flag	Coverage Δ
unittests-datacatalog	51.58% <ø> (ø)
unittests-flyteadmin	54.33% <ø> (+0.02%)	⬆️
unittests-flytecopilot	30.99% <ø> (ø)
unittests-flytectl	62.29% <ø> (ø)
unittests-flyteidl	7.23% <ø> (ø)
unittests-flyteplugins	53.85% <ø> (ø)
unittests-flytepropeller	42.66% <ø> (ø)
unittests-flytestdlib	55.08% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[davidmirror-ops]

Thank you @marrrcin !