Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[bitnami/common] Add a possibility to omit empty seLinuxOptions property from non-OpenShift environments #28934

Closed
minijus opened this issue Aug 20, 2024 · 3 comments · Fixed by #28945
Closed

[bitnami/common] Add a possibility to omit empty seLinuxOptions property from non-OpenShift environments #28934

minijus opened this issue Aug 20, 2024 · 3 comments · Fixed by #28945
Assignees
@javsalgar
Labels
common feature-request solved triage Triage is needed

Comments

@minijus
Copy link
Contributor

minijus commented Aug 20, 2024

Name and Version

bitnami/common 2.21.0

What is the problem this feature will solve?

Today many (all?) Bitnami Helm charts set empty object for seLinuxOptions within containerSecurityPolicy, e.g. https://github.com/bitnami/charts/blob/main/bitnami/mongodb/values.yaml#L585

Empty seLinuxOptions property is only removed in OpenShift compatibility mode https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_compatibility.tpl#L28-L35

There are scenarios where OpenShift compatibility mode is not desired, but seLinuxOptions should be removed.
Running on Azure Kubernetes Service (AKS) and using built-in Azure Policy definition: https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/SELinux.json at the same time having to set one of "fsGroup" "runAsUser" "runAsGroup" properties with security context.

With scenario mentioned above built-in Azure Policy definition for SELinux fails with the message: "SELinux options is not allowed".

image

What is the feature you are proposing to solve the problem?

Similarly to global.compatibility.openshift.adaptSecurityContext add global.compatibility.omitEmptySeLinuxOptions value and use this value in common.compatibility.renderSecurityContext helper to conditionally omit seLinuxOptions when it is empty/falsy.

Default value for global.compatibility.omitEmptySeLinuxOptions should be false making the change non-breaking.

What alternatives have you considered?

Alternatives to overcome mentioned issue are only local "workarounds":

  • Wrapping Helm chart with kustomize to remove unwanted options
  • Modifying built-in Azure Policy definition
  • Manually removing seLinuxOptions in runtime
@github-actions github-actions bot added the triage Triage is needed label Aug 20, 2024
This was referenced Aug 20, 2024
Merged
Merged
@javsalgar javsalgar changed the title Add a possibility to omit empty seLinuxOptions property from non-OpenShift environments [bitnami/common] Add a possibility to omit empty seLinuxOptions property from non-OpenShift environments Aug 21, 2024
@javsalgar
Copy link
Contributor

Hi!

Thank you so much for the draft! The team will take a look

@github-actions GitHub Actions
Copy link

github-actions bot commented Sep 6, 2024

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

@github-actions github-actions bot added the stale 15 days without activity label Sep 6, 2024
@minijus
Copy link
Contributor Author

minijus commented Sep 6, 2024

@javsalgar would you be able to have a look at the PR that addresses this issue?

@github-actions github-actions bot removed the stale 15 days without activity label Sep 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@javsalgar javsalgar

Labels
common feature-request solved triage Triage is needed
Projects
None yet
Milestone
No milestone
2 participants
@javsalgar @minijus