[Feature] Allow to customize Security Context (#588)

Author: ajanikow

CHANGELOG.md

@@ -9,6 +9,7 @@
 - Allow to customize ID Pod selectors
 - Add Label and Envs Pod customization
 - Improved JWT Rotation
+- Allow to customize Security Context in pods
 
 ## [1.0.3](https://github.com/arangodb/kube-arangodb/tree/1.0.3) (2020-05-25)
 - Prevent deletion of not known PVC's

pkg/apis/deployment/v1/server_group_spec.go

@@ -100,6 +100,13 @@ type ServerGroupSpecSecurityContext struct {
 	DropAllCapabilities *bool `json:"dropAllCapabilities,omitempty"`
 	// AddCapabilities add new capabilities to containers
 	AddCapabilities []core.Capability `json:"addCapabilities,omitempty"`
+
+	AllowPrivilegeEscalation *bool  `json:"allowPrivilegeEscalation,omitempty"`
+	Privileged               *bool  `json:"privileged,omitempty"`
+	ReadOnlyRootFilesystem   *bool  `json:"readOnlyFileSystem,omitempty"`
+	RunAsNonRoot             *bool  `json:"runAsNonRoot,omitempty"`
+	RunAsUser                *int64 `json:"runAsUser,omitempty"`
+	RunAsGroup               *int64 `json:"runAsGroup,omitempty"`
 }
 
 // GetDropAllCapabilities returns flag if capabilities should be dropped
@@ -134,6 +141,15 @@ func (s *ServerGroupSpecSecurityContext) GetAddCapabilities() []core.Capability
 func (s *ServerGroupSpecSecurityContext) NewSecurityContext() *core.SecurityContext {
 	r := &core.SecurityContext{}
 
+	if s != nil {
+		r.AllowPrivilegeEscalation = s.AllowPrivilegeEscalation
+		r.Privileged = s.Privileged
+		r.ReadOnlyRootFilesystem = s.ReadOnlyRootFilesystem
+		r.RunAsNonRoot = s.RunAsNonRoot
+		r.RunAsUser = s.RunAsUser
+		r.RunAsGroup = s.RunAsGroup
+	}
+
 	capabilities := &core.Capabilities{}
 
 	if s.GetDropAllCapabilities() {