I have a Helm chart and in the `values.yaml` file, I have a default `securityContext` defined that follows the restricted PSS.
By default, I want the user to use the restricted PSS, but I also want them to be able to modify it if required.
Here's the relevant section of my `values.yaml`:
```yaml
security:
  containerSecurityContext:
    privileged: false
    allowPrivilegeEscalation: false
    # readOnlyRootFilesystem:
    runAsNonRoot: true
    runAsUser: 10001
    runAsGroup: 10001
    fsGroup: 10001
    capabilities:
      drop:
        - ALL
      add:
        - "NET_BIND_SERVICE"
    seccompProfile:
      type: "RuntimeDefault"
```
And here is where this is used in my chart:
```yaml
      containers:
        - name: {{ include "chart.name" . }}
          {{- with .Values.security.containerSecurityContext }}
          securityContext:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          {{- with .Values.image }}
          image: {{ printf "%s/%s:%s" (required "An image.registry value is required!" .registry) (required "An image.repository value is required!" .repository) (required "An image.tag value is required!" .tag) | quote }}
          imagePullPolicy: {{ .pullPolicy }}
```
Using the default values within the `values.yaml` is fine, but when setting a value to use, I get some unexpected behaviour.
When I set only one of the fields within the `security.containerSecurityContext` definition, only that one value is set and all the others remain as the default, but what I actually want is: if the user defines ANYTHING within the `security.containerSecurityContext` definition, then I don't want ANY of the default values being used, I want ONLY the user's set values being used.
So currently, the behaviour is this:

```
helm template . --set security.containerSecurityContext.runAsUser=1
```

```yaml
      containers:
        - name: release-name
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              add:
                - NET_BIND_SERVICE
              drop:
                - ALL
            fsGroup: 10001
            privileged: false
            runAsGroup: 10001
            runAsNonRoot: true
            runAsUser: 1  # The value is set, but the others still remain the same
            seccompProfile:
              type: RuntimeDefault
```
But really, the output I want should be:

```yaml
      containers:
        - name: release-name
          securityContext:
            runAsUser: 1  # I want only the user's definition to be used
```
This behaviour is not a bug or anything, it makes sense, I just don't want my chart to behave in this way and I'm not sure how I achieve what I want.
My first thought is to have a helper in `_helpers.tpl` that contains the defaults I want, then to use `default` and `toYaml` in order to use this config by default, but I'm not sure that is the best approach.
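One way to get whole-map replacement instead of Helm's per-key value merge, written here as an added example rather than code from the question's chart: ship `containerSecurityContext` as an empty map in `values.yaml`, keep the restricted-PSS defaults in a named template, and branch on whether the user's map is non-empty. Helm merges `--set` and `-f` values key-by-key into `values.yaml`, so the only way to make the defaults disappear is to not put them in `values.yaml` at all. The helper names `chart.defaultContainerSecurityContext` and `chart.containerSecurityContext` are assumptions; the file layout below is three chart files concatenated into one block, separated by comments. Note that `fsGroup` is a field of the pod-level `securityContext`, not the container-level one, so it is omitted from the container defaults here.

```yaml
# ---- values.yaml ----
security:
  # Empty on purpose: an empty map is falsy in Go templates, so the chart
  # renders the restricted-PSS defaults from _helpers.tpl. Any non-empty map
  # the user supplies (via -f or --set) REPLACES the defaults entirely.
  containerSecurityContext: {}

# ---- templates/_helpers.tpl ----
{{/*
Restricted Pod Security Standard defaults for the container securityContext.
(assumed helper name)
*/}}
{{- define "chart.defaultContainerSecurityContext" -}}
privileged: false
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 10001
runAsGroup: 10001
capabilities:
  drop:
    - ALL
  add:
    - NET_BIND_SERVICE
seccompProfile:
  type: RuntimeDefault
{{- end -}}

{{/*
Render the container securityContext: the user's map verbatim if they set
anything at all, otherwise the defaults above. No merging takes place.
(assumed helper name)
*/}}
{{- define "chart.containerSecurityContext" -}}
{{- if .Values.security.containerSecurityContext -}}
{{- toYaml .Values.security.containerSecurityContext -}}
{{- else -}}
{{- include "chart.defaultContainerSecurityContext" . -}}
{{- end -}}
{{- end -}}

# ---- templates/deployment.yaml (container section) ----
      containers:
        - name: {{ include "chart.name" . }}
          securityContext:
            {{- include "chart.containerSecurityContext" . | nindent 12 }}
```

With this layout, `helm template .` renders the full restricted block, while `helm template . --set security.containerSecurityContext.runAsUser=1` renders `securityContext:` with only `runAsUser: 1`, because the merged map now contains just that one key. The trade-off to be clear about: once the override is wholesale, a user can drop `runAsNonRoot` or `seccompProfile` along with everything else, so the chart no longer guarantees the restricted profile by itself; if that guarantee matters, enforce it cluster-side with Pod Security Admission (the `pod-security.kubernetes.io/enforce: restricted` namespace label) rather than relying on chart defaults.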