Add openshift support #88
Add Warning comment in the README.md
* Add Security Context Constraint support (SCC) - Needed in order to run the Pods with arbitrary users in openshift
* Add Route support - Routes replace Ingress in Openshift. While it is possible to use Ingress objects in Openshift, Routes offer support to some specific features
* Add ServiceAccount to statefulset - SCC configurations require a target service account in order to set the correct secure context

Signed-off-by: Ney Walens De Mesquita <walens@gmail.com>
Using port name will permit variables to change in the future and it also makes it easy to understand where the service is connecting to. Signed-off-by: Ney Walens De Mesquita <walens@gmail.com>
As done previously for NiFi, the following is being added to the CA subchart:
* Service account for the deployment
* Security Context Constraint (SCC) in order to permit the chart to run with arbitrary users (runAsUser and fsGroup)

Signed-off-by: Ney Walens De Mesquita <walens@gmail.com>
Signed-off-by: Ney Walens De Mesquita <walens@gmail.com>
* Add missing labels to ServiceAccount, Route and SCC manifests
* Define service account name through a helper in order to have a cleaner code
* Change the service account flag from `enabled` to `create`
* The Statefulset will always have a service account now; however, if none is set, it will use the `default` service account, maintaining backwards compatibility

Signed-off-by: Ney Walens De Mesquita <walens@gmail.com>
Signed-off-by: Ney Walens De Mesquita <walens@gmail.com>
…when host is not defined. Signed-off-by: Ney Walens De Mesquita <walens@gmail.com>
… change volume permissions unless running as a privileged user. The init container for the CA subchart has to run as uid 0 if we intend on setting fsGroup and runAsUser on the deployment Signed-off-by: Ney Walens De Mesquita <walens@gmail.com>
Signed-off-by: Ney Walens De Mesquita <walens@gmail.com>
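As an added illustration of the service-account and SCC wiring described in the commit messages above (this is example code, not the pull request's or the chart's own templates; the file names, the value keys `serviceAccount.create`, `serviceAccount.name` and `openshift.scc.enabled`, and the helper names `nifi.serviceAccountName` and `nifi.fullname` are assumptions):

```yaml
# templates/_helpers.tpl (hypothetical file name)
# Resolve the service account name once, so the StatefulSet and the SCC
# always agree. When the chart does not create an account and none is
# configured, fall back to "default", which keeps older releases working.
{{- define "nifi.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "nifi.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
---
# templates/serviceaccount.yaml (hypothetical file name)
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "nifi.serviceAccountName" . }}
  labels:
    app: {{ include "nifi.name" . }}
    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
    release: {{ .Release.Name }}
{{- end }}
---
# templates/scc.yaml (hypothetical file name)
# The SCC is bound to exactly one service account (the users: entry below),
# so only Pods running under that account get the relaxed uid/fsGroup policy.
# Everything else stays at the restrictive defaults: no privileged containers,
# no privilege escalation, and only the volume types the chart actually mounts.
{{- if .Values.openshift.scc.enabled }}
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: {{ include "nifi.fullname" . }}
  labels:
    app: {{ include "nifi.name" . }}
    release: {{ .Release.Name }}
allowPrivilegedContainer: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
runAsUser:
  type: RunAsAny        # lets the chart set runAsUser (and the init container uid) itself
fsGroup:
  type: RunAsAny        # lets the chart set fsGroup for the data volumes
supplementalGroups:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
requiredDropCapabilities:
  - ALL
volumes:
  - configMap
  - emptyDir
  - persistentVolumeClaim
  - secret
users:
  - system:serviceaccount:{{ .Release.Namespace }}:{{ include "nifi.serviceAccountName" . }}
{{- end }}
---
# templates/statefulset.yaml (hypothetical excerpt): the account is always set,
# resolving to "default" when nothing was created or configured.
spec:
  template:
    spec:
      serviceAccountName: {{ include "nifi.serviceAccountName" . }}
```

When reviewing such a change, the check worth making is that the `users:` entry and `serviceAccountName` resolve to the same string in the rendered output (`helm template` makes this easy to eyeball), and that the SCC grants no more than the two `RunAsAny` strategies the chart needs; a cluster-wide or `system:authenticated` binding would extend the relaxed policy to every workload in the cluster.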
Hi @alexnuttinck, is there anything else I need to do in order to submit this pull request for review?
@nwalens nice work :) Think it could help many people working with openshift. It will be present in the next release!
Hey, I was just looking at this commit as I'm trying to deploy this helm chart to our AKS cluster but it's triggering our privilege escalation policies and failing. I'm assuming it's because the initcontainer is running as user 0 as per this commit but I just wanted to check that this is definitely still required 2 years on before I start having further conversations with my infrastructure team. Many thanks!
Special notes for your reviewer:
The chart was tested on an Openshift 4.5 environment.