helm chart is not picking security context value passed in values.yml
Describe the bug
We are deploying CouchDB using the helm chart. In the values YAML we are defining the security context as follows:
containerSecurityContext:
  fsGroup: 5984
  runAsUser: 5984
  runAsNonRoot: true
But these values are not taken; we are facing the error below:
Error: container has runAsNonRoot and image will run as root (pod: "couchdb-couchdb-0_octosec-int(82e260ef-3a13-409f-92a5-de0bf9f633ff)", container: init-copy)
Could you please let me know how to pass the value?
Version of Helm and Kubernetes:
kubectl version Client Version: v1.29.3
Helm version "v3.14.2"
What happens if you set the runAsGroup: 5984 as well?
Try these values.
podSecurityContext:
  seccompProfile:
    type: RuntimeDefault
  fsGroup: 5984
  fsGroupChangePolicy: "Always"
containerSecurityContext:
  runAsNonRoot: true
  runAsUser: 5984
  runAsGroup: 5984
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
Yes, we are using security as you mentioned, but we need to add these values in the values.yaml file:
# -- the initial number of nodes in the CouchDB cluster.
clusterSize: 3
# -- If allowAdminParty is enabled the cluster will start up without any database
# administrator account; i.e., all users will be granted administrative
# access. Otherwise, the system will look for a Secret called
# <ReleaseName>-couchdb containing `adminUsername`, `adminPassword` and
# `cookieAuthSecret` keys. See the `createAdminSecret` flag.
# ref: https://kubernetes.io/docs/concepts/configuration/secret/
allowAdminParty: false
containerSecurityContext:
  fsGroup: 5984
  runAsUser: 5984
When we add it here, the helm deployment doesn't pick up the value. Please let us know the correct format to include in the values file.
Hi,
Please let me know if I can add these options in the values.yaml file used in the helm deployment.
podSecurityContext:
  seccompProfile:
    type: RuntimeDefault
  fsGroup: 5984
  fsGroupChangePolicy: "Always"
containerSecurityContext:
  runAsNonRoot: true
  runAsUser: 5984
  runAsGroup: 5984
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
If I'm understanding what you are asking, yes. Those values are what I use when I'm testing deploying to a namespace with PSA restricted enabled with
helm repo add couchdb https://apache.github.io/couchdb-helm
helm repo update
helm upgrade --install --namespace couchdb couchdb couchdb/couchdb --version=4.5.6 -f ~/couchdb-test-psa-values.yaml
You can see that the securityContext is applied here when those values are provided.
https://github.com/apache/couchdb-helm/blob/a1dfd8b8a7e365ae1820b7ee1d57a05ca0fd18c5/couchdb/templates/statefulset.yaml#L61
You can combine the above values with the previous values you mentioned as well.
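The security-context settings discussed in this thread, checked per container, as an added Python example that is not part of the thread or the chart. It takes a pod spec (the `.spec` object from `kubectl get pod -o json`) and lists what each init and app container is missing; the sample spec is constructed, and only the container name `init-copy` and UID 5984 come from the thread.

```python
import json

def effective(pod_sc, ctr_sc, key):
    # Container-level value wins; otherwise the pod-level value applies.
    return ctr_sc.get(key, pod_sc.get(key))

def check_pod(pod_spec):
    """Return {container name: [problems]} for init and app containers."""
    pod_sc = pod_spec.get("securityContext", {})
    findings = {}
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        sc = c.get("securityContext", {})
        problems = []
        if "fsGroup" in sc:
            problems.append("fsGroup is a pod-level field, not a container one")
        if effective(pod_sc, sc, "runAsNonRoot") is not True:
            problems.append("runAsNonRoot must be true")
        uid = effective(pod_sc, sc, "runAsUser")
        if uid == 0:
            problems.append("runAsUser must not be 0")
        elif uid is None:
            # Not a policy violation, but the condition behind the kubelet error
            # "container has runAsNonRoot and image will run as root".
            problems.append("runAsUser unset: fails if the image user is root")
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append("allowPrivilegeEscalation must be false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            problems.append("capabilities.drop must include ALL")
        seccomp = effective(pod_sc, sc, "seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            problems.append("seccompProfile.type must be RuntimeDefault or Localhost")
        findings[c["name"]] = problems
    return findings

# Constructed pod spec for illustration (not the chart's rendered output).
SAMPLE = json.loads("""
{"securityContext": {"fsGroup": 5984, "seccompProfile": {"type": "RuntimeDefault"}},
 "initContainers": [{"name": "init-copy", "securityContext": {"runAsNonRoot": true}}],
 "containers": [{"name": "couchdb", "securityContext": {
     "runAsNonRoot": true, "runAsUser": 5984, "runAsGroup": 5984,
     "allowPrivilegeEscalation": false, "capabilities": {"drop": ["ALL"]}}}]}
""")

if __name__ == "__main__":
    for name, problems in check_pod(SAMPLE).items():
        print(name, "OK" if not problems else problems)
```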