Make container securityContext optional for OpenShift compatibility
Summary:
This pull request adds a new configuration option to make the container-level securityContext optional in the CloudNativePG Helm chart. This change improves compatibility with OpenShift by allowing users to disable the container securityContext when deploying the operator.
Background:
When deploying the CloudNativePG operator on OpenShift, the predefined container securityContext can cause conflicts due to OpenShift's strict security policies. OpenShift manages user and group IDs dynamically and does not allow containers to run as a specific user or group unless explicitly permitted. Hardcoded runAsUser and runAsGroup values (values.yaml) in the container securityContext may prevent pods from starting on OpenShift clusters.
Changes Introduced:
- Added a new boolean flag `enableSecurityContext` under `containerSecurityContext` in `values.yaml`, defaulting to `true` to maintain existing behavior.
- Modified `deployment.yaml` to include the container `securityContext` only when `enableSecurityContext` is set to `true`.
- Updated the `README.md` to document the new configuration option and guide users on how to use it.
Benefits:
- Flexibility: Users can now disable the container securityContext when deploying to OpenShift or other environments with strict security constraints.
- Compatibility: Resolves deployment issues on OpenShift by preventing conflicts with the platform's security policies.
- Maintainability: Maintains the default behavior for existing users while providing an option for those who need it.
Usage Example:
To disable the container securityContext on OpenShift, set enableSecurityContext to false in your custom values/override file:
containerSecurityContext:
enableSecurityContext: false
Testing:
- Verified that the operator deploys successfully on OpenShift with enableSecurityContext set to false.
- Confirmed that the default behavior remains unchanged when the flag is set to true.
@sxd I yield here to your opinion for review/approval.
Hi,
Will this PR be merged?
As described in https://github.com/cloudnative-pg/charts/issues/498, we can effectively set containerSecurityContext.runAsUser and containerSecurityContext.runAsGroup to null. It works for dependency charts as well (since the Helm bug got fixed).
But when using it with Argo CD, it doesn't work because the null value gets stripped. Usually we could also set it to false instead of null, but this chart's schema validation prevents it.
We will understand if you don't even want to fix this, since it's effectively an Argo CD bug. We just wanted to get a decision on this to see if we need to look for an alternative way.
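The following Go program is an added example, not code from the CloudNativePG chart or from anyone in this thread. It models the two mechanisms discussed above with Go's text/template, the engine Helm renders charts with: the `enableSecurityContext` gate from the PR description, and the `runAsUser: null` override from the comment, first as Helm merges it and then as it arrives after a tool strips null values before Helm sees them. The template shape, the default UID/GID of 10001, the extra hardening keys in `containerSecurityContext`, and the helper names `coalesce`, `stripNulls` and `RenderSecurityContext` are all assumptions made for the example; the real `deployment.yaml` and `values.yaml` differ. One point worth seeing in the output: turning the flag off removes the whole block, including whatever else the chart puts there (here `allowPrivilegeEscalation` and `readOnlyRootFilesystem`), whereas nulling only the two ID fields keeps the rest of the hardening.

```go
package main

import (
	"bytes"
	"fmt"
	"sort"
	"strings"
	"text/template"
)

// Values is the map shape Helm hands to templates as .Values.
type Values = map[string]any

// Assumed shape of the gated snippet in deployment.yaml (example, not the chart's
// real template): the container securityContext block is emitted only when the
// flag is true, and the flag key itself is omitted from the rendered block.
const containerSnippet = `{{- if .Values.containerSecurityContext.enableSecurityContext }}
securityContext:
{{ toYaml (omit .Values.containerSecurityContext "enableSecurityContext") | indent 2 }}
{{- end }}`

// chartDefaults stands in for values.yaml (assumed numbers; the real chart differs).
func chartDefaults() Values {
	return Values{
		"containerSecurityContext": Values{
			"enableSecurityContext":    true,
			"allowPrivilegeEscalation": false,
			"readOnlyRootFilesystem":   true,
			"runAsUser":                10001,
			"runAsGroup":               10001,
		},
	}
}

// coalesce merges user overrides over chart defaults the way Helm's value
// coalescing does: override keys win, nested maps merge recursively, and an
// override value of null deletes the key from the merged result.
func coalesce(override, defaults Values) Values {
	out := Values{}
	for k, v := range defaults {
		out[k] = v
	}
	for k, v := range override {
		switch ov := v.(type) {
		case nil:
			delete(out, k)
		case Values:
			if dv, ok := out[k].(Values); ok {
				out[k] = coalesce(ov, dv)
			} else {
				out[k] = ov
			}
		default:
			out[k] = v
		}
	}
	return out
}

// stripNulls drops every null-valued key, which is what the comment above
// reports happening to the values before Helm sees them.
func stripNulls(m Values) Values {
	out := Values{}
	for k, v := range m {
		switch tv := v.(type) {
		case nil:
			continue
		case Values:
			out[k] = stripNulls(tv)
		default:
			out[k] = v
		}
	}
	return out
}

// toYaml is a minimal stand-in for Helm's toYaml: a flat map of scalars, sorted keys.
func toYaml(m Values) string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	lines := make([]string, 0, len(keys))
	for _, k := range keys {
		val := "null"
		if m[k] != nil {
			val = fmt.Sprintf("%v", m[k])
		}
		lines = append(lines, k+": "+val)
	}
	return strings.Join(lines, "\n")
}

// omit returns a copy of m without the named keys (mirrors the sprig helper).
func omit(m Values, keys ...string) Values {
	out := Values{}
	for k, v := range m {
		out[k] = v
	}
	for _, k := range keys {
		delete(out, k)
	}
	return out
}

// indent prefixes every line with n spaces (mirrors the sprig helper).
func indent(n int, s string) string {
	pad := strings.Repeat(" ", n)
	return pad + strings.ReplaceAll(s, "\n", "\n"+pad)
}

// RenderSecurityContext applies the override to the defaults (optionally after
// null stripping) and renders the gated snippet; "" means no block at all.
func RenderSecurityContext(override Values, stripNullsFirst bool) string {
	if stripNullsFirst {
		override = stripNulls(override)
	}
	merged := coalesce(override, chartDefaults())
	tmpl := template.Must(template.New("sc").Funcs(template.FuncMap{
		"toYaml": toYaml, "omit": omit, "indent": indent,
	}).Parse(containerSnippet))
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, map[string]any{"Values": merged}); err != nil {
		panic(err)
	}
	return strings.TrimSpace(buf.String())
}

func main() {
	flagOff := Values{"containerSecurityContext": Values{"enableSecurityContext": false}}
	nullIDs := Values{"containerSecurityContext": Values{"runAsUser": nil, "runAsGroup": nil}}
	fmt.Println("default:\n" + RenderSecurityContext(nil, false))
	fmt.Printf("flag off: %q\n", RenderSecurityContext(flagOff, false))
	fmt.Println("null IDs, Helm merge:\n" + RenderSecurityContext(nullIDs, false))
	fmt.Println("null IDs, nulls stripped first:\n" + RenderSecurityContext(nullIDs, true))
}
```

In the last case the override is silently lost and the hardcoded UID comes back, which is the failure the comment describes; in the second-to-last case the ID fields disappear while the other keys stay, which is the behaviour the comment relies on when nulls survive.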