Allow empty securityContext #1462

Merged
merged 1 commit into from
Mar 14, 2023

cniackz
Contributor

@cniackz cniackz commented Feb 23, 2023

Objective:

Avoid hardcoding values that are not part of any security context constraint, and allow Tenant to be deployed without changing the SCC in OpenShift, as the Operator logic currently does not allow an empty securityContext for Tenant, and this is totally wrong!

@cniackz cniackz requested a review from allanrogerr February 23, 2023 18:43
@cniackz cniackz self-assigned this Feb 23, 2023
@dnskr
Contributor

dnskr commented Mar 3, 2023

@cniackz I think there is a similar issue for Prometheus and its init container.
Also, unfortunately, there is no way to specify a security context for the Prometheus init container, which makes it impossible to use on OpenShift.

```go
var runAsUser int64
runAsNonRoot := false
allowPrivilegeEscalation := true
initContainerSecurityContext = corev1.SecurityContext{
	RunAsUser:                &runAsUser,
	RunAsNonRoot:             &runAsNonRoot,
	AllowPrivilegeEscalation: &allowPrivilegeEscalation,
}
```

I.e. Prometheus cannot start on OpenShift, because initContainer[0].securityContext.runAsUser is 0.
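An added example, not part of the original thread or the operator's code, modelling why a hardcoded `runAsUser` is rejected under a range-based SCC while an empty securityContext is admitted and defaulted. The `SecurityContext` and `UIDRange` types, the `AdmitRunAsUser` function and the UID range values are simplified, constructed stand-ins, not OpenShift's admission code.

```go
package main

import (
	"errors"
	"fmt"
)

// SecurityContext is a simplified stand-in for corev1.SecurityContext
// (assumption: only the field relevant to this discussion is modelled).
type SecurityContext struct {
	RunAsUser *int64
}

// UIDRange models the per-namespace UID block that OpenShift allocates
// (simplified; the values used in main are constructed).
type UIDRange struct {
	Min, Max int64
}

// ErrUIDOutOfRange marks a runAsUser that the range-based policy refuses.
var ErrUIDOutOfRange = errors.New("runAsUser outside the namespace UID range")

// AdmitRunAsUser mimics a MustRunAsRange-style check as applied by a
// restricted SCC: an unset runAsUser is defaulted to the start of the range,
// while an explicit value must fall inside the range or the pod is rejected.
func AdmitRunAsUser(sc *SecurityContext, r UIDRange) (int64, error) {
	if sc == nil || sc.RunAsUser == nil {
		return r.Min, nil // empty securityContext: the platform picks the UID
	}
	uid := *sc.RunAsUser
	if uid < r.Min || uid > r.Max {
		return 0, fmt.Errorf("%w: %d not in [%d, %d]", ErrUIDOutOfRange, uid, r.Min, r.Max)
	}
	return uid, nil
}

func main() {
	ns := UIDRange{Min: 1000650000, Max: 1000659999} // constructed range
	var root int64                                   // zero value, as in the snippet above
	empty, errEmpty := AdmitRunAsUser(&SecurityContext{}, ns)
	fmt.Printf("empty securityContext: uid=%d err=%v\n", empty, errEmpty)
	_, errRoot := AdmitRunAsUser(&SecurityContext{RunAsUser: &root}, ns)
	fmt.Printf("hardcoded runAsUser 0: err=%v\n", errRoot)
}
```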

@cniackz cniackz requested a review from allanrogerr March 13, 2023 20:36
@cniackz
Contributor Author

cniackz commented Mar 13, 2023

Thank you @dnskr, but we are deprecating Prometheus for the time being. We can open a separate PR for that if this feature comes back again. Or, if I am mistaken, we can have a separate PR for it. For now, let's focus on the Tenant deployment in OpenShift at least.

@cniackz cniackz added the bug Something isn't working label Mar 13, 2023
@cniackz cniackz force-pushed the removing-hardcoded-users branch from 985e8d3 to beff78f Compare March 13, 2023 20:41
@cniackz cniackz requested review from reivaj05, pjuarezd and harshavardhana and removed request for dilverse March 13, 2023 20:57
@cniackz
Contributor Author

cniackz commented Mar 13, 2023

All tests passing now!


Contributor

@allanrogerr allanrogerr left a comment


LGTM

@allanrogerr allanrogerr merged commit 11e20b4 into master Mar 14, 2023
@allanrogerr allanrogerr deleted the removing-hardcoded-users branch March 14, 2023 03:19