Disable allowPrivilegeEscalation across all charts

[alexellis]

Description

Disable allowPrivilegeEscalation across all charts

Why is this needed?

The "allowPrivilegeEscalation" setting has already been in effect for 10 months for the openfaas Helm chart.

This PR aims to add belt and braces for any other/additional charts and components.

allowPrivilegeEscalation is part of defense in depth to address exploits like CVE-2026-31431 aka "copy.fail"

Who is this for?

All OpenFaaS Standard/Enterprise customers

How Has This Been Tested?

This is an innocuous security setting, no testing needed, beyond linting.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

[reviewfn]

AI Pull Request Overview

Summary

• Disables allowPrivilegeEscalation in securityContext for connectors and control plane components across all charts
• Adds conditional securityContext blocks in deployment templates using Helm values
• Updates README files with helm repo update commands for better user experience
• Applies direct securityContext changes in pro-builder chart

Approval rating (1-10)

8 - Effective security hardening with consistent implementation across most charts, minimal risk of regression

Summary per file

Summary per file

File path	Summary
chart/cron-connector/templates/deployment.yaml	Adds conditional securityContext inclusion
chart/cron-connector/values.yaml	Sets securityContext with allowPrivilegeEscalation: false
chart/gcp-pubsub-connector/values.yaml	Updates securityContext to set allowPrivilegeEscalation: false
chart/headroom-controller/README.md	Adds helm repo update to installation examples
chart/headroom-controller/values.yaml	Sets securityContext with allowPrivilegeEscalation: false
chart/kafka-connector/templates/deployment.yml	Adds conditional securityContext inclusion
chart/kafka-connector/values.yaml	Adds securityContext with allowPrivilegeEscalation: false
chart/mqtt-connector/templates/deployment.yml	Adds conditional securityContext inclusion
chart/mqtt-connector/values.yaml	Adds securityContext with allowPrivilegeEscalation: false
chart/nats-connector/templates/deployment.yml	Adds conditional securityContext inclusion
chart/nats-connector/values.yaml	Adds securityContext with allowPrivilegeEscalation: false
chart/openfaas/README.md	Documents securityContext hardening for Pro components
chart/openfaas/templates/alertmanager-dep.yaml	Adds conditional securityContext inclusion
chart/openfaas/templates/ingress-operator-dep.yaml	Adds conditional securityContext inclusion
chart/openfaas/templates/queueworker-ce-dep.yaml	Adds conditional securityContext inclusion
chart/openfaas/values.yaml	Sets securityContext with allowPrivilegeEscalation: false
chart/postgres-connector/templates/deployment.yml	Adds conditional securityContext inclusion
chart/postgres-connector/values.yaml	Adds securityContext with allowPrivilegeEscalation: false
chart/pro-builder/templates/deployment.yml	Adds allowPrivilegeEscalation: false to existing securityContexts
chart/queue-worker/templates/deployment.yaml	Adds conditional securityContext inclusion
chart/queue-worker/values.yaml	Adds securityContext with allowPrivilegeEscalation: false
chart/rabbitmq-connector/values.yaml	Updates securityContext to set allowPrivilegeEscalation: false
chart/sns-connector/templates/deployment.yml	Adds conditional securityContext inclusion
chart/sns-connector/values.yaml	Adds securityContext with allowPrivilegeEscalation: false
chart/sqs-connector/templates/deployment.yml	Adds conditional securityContext inclusion
chart/sqs-connector/values.yaml	Adds securityContext with allowPrivilegeEscalation: false

Overall Assessment

The PR implements important security hardening by disabling privilege escalation across all Helm charts, providing defense-in-depth against exploits like CVE-2026-31431. The changes are consistent and follow Helm best practices, with low risk of breaking existing functionality given the nature of the setting.

Detailed Review

Detailed Review

Security Context Implementation

The majority of charts correctly implement the securityContext through Helm values, allowing users to override if needed while providing a secure default. The conditional inclusion in templates ({{- if .Values.securityContext }}) ensures backward compatibility.

Inconsistency in pro-builder Chart

The pro-builder chart hardcodes allowPrivilegeEscalation: false directly in the deployment template instead of using the values.yaml pattern seen in other charts. While this achieves the same security outcome, it creates inconsistency in configuration management. Consider refactoring to use values.yaml for consistency with other charts.

README Updates

Adding helm repo update to installation examples is a good practice improvement that prevents stale chart versions being installed.

Potential Impact

Since allowPrivilegeEscalation defaults to true when unset, explicitly setting it to false enhances security without functional impact for typical workloads. No regressions expected, but users should be aware this may affect containers requiring privilege escalation (though such cases are rare and should be carefully reviewed).

Testing Considerations

While the PR notes no testing beyond linting is needed, consider validating that deployments succeed with the new securityContext in a test environment to ensure no unexpected validation errors from the Kubernetes API.

AI agent details.

Agent processing time: 1m35.726s
Environment preparation time: 5.336s
Total time from webhook: 1m51.435s