
Chart does not respect securityContext settings #57

Open
jawnsy opened this issue Jun 5, 2022 · 0 comments

Comments


jawnsy commented Jun 5, 2022

Current behavior

The chart looks for a securityContext.enabled setting, which sets a default security context:

{{- if .Values.securityContext.enabled }}
securityContext:
  runAsUser: {{ .Values.securityContext.runAsUser }}
  fsGroup: {{ .Values.securityContext.fsGroup }}
{{- end }}

However, the default values file implies that other securityContext settings can be set on the pod, but in fact, those values are ignored:

retool-helm/values.yaml

Lines 271 to 276 in 1e06cee

# default security context
securityContext:
  enabled: false
  allowPrivilegeEscalation: false
  runAsUser: 1000
  fsGroup: 2000

Desired behavior

We should be able to configure all of the settings defined in the PodSecurityContext API: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#podsecuritycontext-v1-core

securityContext:
  fsGroup: 1000
  fsGroupChangePolicy: OnRootMismatch
  runAsGroup: 1000
  runAsNonRoot: true
  runAsUser: 1000

I would also expect that we can configure all the SecurityContext settings for the primary retool container

securityContext:
  allowPrivilegeEscalation: false
  privileged: false
  runAsNonRoot: true
  runAsUser: 1000
  runAsGroup: 1000
  readOnlyRootFilesystem: true

These customizations are required because some environments, such as OpenShift, or clusters that enforce restrictive policies using tools like Open Policy Agent Gatekeeper or Kyverno, will not be able to install retool otherwise.

Steps to reproduce

You can see this by running a command like:

$ helm template retool retool/retool \
  --set=image.tag=latest \
  --set=securityContext.enabled=true \
  --set=postgresql.enabled=false \
  --set=ingress.enabled=false \
  --set=securityContext.runAsNonRoot=true

You will see output like the following:

      securityContext:
        runAsUser: 1000
        fsGroup: 2000

It's not possible to override the runAsUser, to add runAsGroup information, or to set runAsNonRoot: true.

Other information

Here's my chart version information:

$ helm search repo retool
NAME            CHART VERSION   APP VERSION     DESCRIPTION                
retool/retool   4.10.0                          A Helm chart for Kubernetes
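The following is an added illustration of one way a chart can render every PodSecurityContext and container SecurityContext key the user supplies, rather than hard-coding runAsUser and fsGroup. It is not code from the retool-helm chart or from the issue author; the value keys `podSecurityContext` and `containerSecurityContext` and the container name are assumed names chosen for the example.

```yaml
# values.yaml (assumed layout for this example, not the chart's own)
# Pod-level settings: everything in PodSecurityContext is accepted as-is.
podSecurityContext:
  runAsNonRoot: true
  runAsUser: 1000
  runAsGroup: 1000
  fsGroup: 1000
  fsGroupChangePolicy: OnRootMismatch

# Container-level settings: everything in SecurityContext is accepted as-is.
containerSecurityContext:
  allowPrivilegeEscalation: false
  privileged: false
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 1000
  runAsGroup: 1000

---
# templates/deployment.yaml fragment (assumed indentation of the surrounding
# Deployment). `with` skips the whole block when the map is empty, so a user
# who sets nothing gets no securityContext stanza instead of a hard-coded one;
# `toYaml` copies the map verbatim, so no key is silently dropped.
spec:
  template:
    spec:
      {{- with .Values.podSecurityContext }}
      securityContext:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      containers:
        - name: retool
          {{- with .Values.containerSecurityContext }}
          securityContext:
            {{- toYaml . | nindent 12 }}
          {{- end }}
```

To check that a setting actually reaches the manifest, render the chart with the value overridden and grep for it, e.g. `helm template retool ./retool-helm --set podSecurityContext.runAsNonRoot=true | grep runAsNonRoot`; with the hard-coded template in the report above the same command prints nothing. One caveat when enabling `runAsNonRoot: true` without an explicit `runAsUser`: the kubelet rejects the container unless the image declares a numeric `USER`, so pin `runAsUser` in values when the image's user is a name.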