From 1a581745fd47b14d7be4c03b08e91be89f376acd Mon Sep 17 00:00:00 2001 From: Alex Kantor Date: Thu, 16 Apr 2026 09:41:34 +0100 Subject: [PATCH] docs: clarify OpenShift runAsUser must be set to null, not omitted Helm deep-merges values overrides with chart defaults, so simply omitting runAsUser from a values file does not remove it from the rendered spec. The default of 1000 always survives. For OpenShift environments with SCC, users must explicitly set runAsUser: null. Updated values.yaml comments with a concrete example and explanation. Regenerated README.md and docs site via helm-docs. --- charts/k8s-reporter/README.md | 8 ++++---- charts/k8s-reporter/values.yaml | 19 ++++++++++++++----- docs.kosli.com/content/helm/_index.md | 8 ++++---- 3 files changed, 22 insertions(+), 13 deletions(-) diff --git a/charts/k8s-reporter/README.md b/charts/k8s-reporter/README.md index d9b77585e..4045d19fd 100644 --- a/charts/k8s-reporter/README.md +++ b/charts/k8s-reporter/README.md 
@@ -172,14 +172,14 @@ If you already run [cert-manager's trust-manager](https://cert-manager.io/docs/t | nameOverride | string | `""` | overrides the name used for the created k8s resources. If `fullnameOverride` is provided, it has higher precedence than this one | | podAnnotations | object | `{}` | any custom annotations to be added to the cronjob | | podLabels | object | `{}` | custom labels to add to pods | -| reporterConfig.dryRun | bool | `false` | | +| reporterConfig.dryRun | bool | `false` | whether the dry run mode is enabled or not. In dry run mode, the reporter logs the reports to stdout and does not send them to kosli. | | reporterConfig.environments | list | `[]` | List of Kosli environments to report to. Each entry has required 'name' and optional namespace selectors. Use one entry to report a single environment; use multiple entries to report to multiple environments with different selectors. Per entry: name (required), namespaces, namespacesRegex, excludeNamespaces, excludeNamespacesRegex (optional). Leave namespace fields unset for an entry to report the entire cluster to that environment. | | reporterConfig.httpProxy | string | `""` | the http proxy url | | reporterConfig.kosliOrg | string | `""` | the name of the Kosli org | -| reporterConfig.securityContext | object | `{"allowPrivilegeEscalation":false,"runAsNonRoot":true,"runAsUser":1000}` | the security context for the reporter cronjob Set to null or {} to disable security context entirely (not recommended) For OpenShift, you can omit runAsUser to let OpenShift assign the UID | +| reporterConfig.securityContext | object | `{"allowPrivilegeEscalation":false,"runAsNonRoot":true,"runAsUser":1000}` | the security context for the reporter cronjob. Set to null or {} to disable security context entirely (not recommended). For OpenShift with SCC, explicitly set runAsUser to null to let OpenShift assign the UID from the allowed range. 
Simply omitting runAsUser from your values override will not work because Helm deep-merges with these defaults. Example OpenShift override: securityContext: allowPrivilegeEscalation: false runAsNonRoot: true runAsUser: null | | reporterConfig.securityContext.allowPrivilegeEscalation | bool | `false` | whether to allow privilege escalation | | reporterConfig.securityContext.runAsNonRoot | bool | `true` | whether to run as non root | -| reporterConfig.securityContext.runAsUser | int | `1000` | the user id to run as Omit this field for OpenShift environments to allow automatic UID assignment | +| reporterConfig.securityContext.runAsUser | int | `1000` | the user id to run as. For OpenShift environments with SCC, set to null (runAsUser: null) to allow automatic UID assignment. Simply omitting this field will not work due to Helm's deep merge with chart defaults. | | resources.limits.cpu | string | `"100m"` | the cpu limit | | resources.limits.memory | string | `"256Mi"` | the memory limit | | resources.requests.memory | string | `"64Mi"` | the memory request | @@ -190,5 +190,5 @@ If you already run [cert-manager's trust-manager](https://cert-manager.io/docs/t | successfulJobsHistoryLimit | int | `3` | specifies the number of successful finished jobs to keep | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0) +Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2) diff --git a/charts/k8s-reporter/values.yaml b/charts/k8s-reporter/values.yaml index 191e7176a..9ba1339b9 100644 --- a/charts/k8s-reporter/values.yaml +++ b/charts/k8s-reporter/values.yaml 
@@ -70,16 +70,25 @@ reporterConfig: # -- the http proxy url httpProxy: "" - # -- the security context for the reporter cronjob - # Set to null or {} to disable security context entirely (not recommended) - # For OpenShift, you can omit runAsUser to let OpenShift assign the UID + # -- the security context for the reporter cronjob. + # Set to null or {} to disable security context entirely (not recommended). + # For OpenShift with SCC, explicitly set runAsUser to null to let OpenShift + # assign the UID from the allowed range. Simply omitting runAsUser from your + # values override will not work because Helm deep-merges with these defaults. + # Example OpenShift override: + # securityContext: + # allowPrivilegeEscalation: false + # runAsNonRoot: true + # runAsUser: null securityContext: # -- whether to allow privilege escalation allowPrivilegeEscalation: false # -- whether to run as non root runAsNonRoot: true - # -- the user id to run as - # Omit this field for OpenShift environments to allow automatic UID assignment + # -- the user id to run as. + # For OpenShift environments with SCC, set to null (runAsUser: null) to allow + # automatic UID assignment. Simply omitting this field will not work due to + # Helm's deep merge with chart defaults. runAsUser: 1000 # -- map of plain environment variables to inject into the reporter container. diff --git a/docs.kosli.com/content/helm/_index.md b/docs.kosli.com/content/helm/_index.md index d9b77585e..4045d19fd 100644 --- a/docs.kosli.com/content/helm/_index.md +++ b/docs.kosli.com/content/helm/_index.md 
@@ -172,14 +172,14 @@ If you already run [cert-manager's trust-manager](https://cert-manager.io/docs/t | nameOverride | string | `""` | overrides the name used for the created k8s resources. If `fullnameOverride` is provided, it has higher precedence than this one | | podAnnotations | object | `{}` | any custom annotations to be added to the cronjob | | podLabels | object | `{}` | custom labels to add to pods | -| reporterConfig.dryRun | bool | `false` | | +| reporterConfig.dryRun | bool | `false` | whether the dry run mode is enabled or not. In dry run mode, the reporter logs the reports to stdout and does not send them to kosli. | | reporterConfig.environments | list | `[]` | List of Kosli environments to report to. Each entry has required 'name' and optional namespace selectors. Use one entry to report a single environment; use multiple entries to report to multiple environments with different selectors. Per entry: name (required), namespaces, namespacesRegex, excludeNamespaces, excludeNamespacesRegex (optional). Leave namespace fields unset for an entry to report the entire cluster to that environment. | | reporterConfig.httpProxy | string | `""` | the http proxy url | | reporterConfig.kosliOrg | string | `""` | the name of the Kosli org | -| reporterConfig.securityContext | object | `{"allowPrivilegeEscalation":false,"runAsNonRoot":true,"runAsUser":1000}` | the security context for the reporter cronjob Set to null or {} to disable security context entirely (not recommended) For OpenShift, you can omit runAsUser to let OpenShift assign the UID | +| reporterConfig.securityContext | object | `{"allowPrivilegeEscalation":false,"runAsNonRoot":true,"runAsUser":1000}` | the security context for the reporter cronjob. Set to null or {} to disable security context entirely (not recommended). For OpenShift with SCC, explicitly set runAsUser to null to let OpenShift assign the UID from the allowed range. 
Simply omitting runAsUser from your values override will not work because Helm deep-merges with these defaults. Example OpenShift override: securityContext: allowPrivilegeEscalation: false runAsNonRoot: true runAsUser: null | | reporterConfig.securityContext.allowPrivilegeEscalation | bool | `false` | whether to allow privilege escalation | | reporterConfig.securityContext.runAsNonRoot | bool | `true` | whether to run as non root | -| reporterConfig.securityContext.runAsUser | int | `1000` | the user id to run as Omit this field for OpenShift environments to allow automatic UID assignment | +| reporterConfig.securityContext.runAsUser | int | `1000` | the user id to run as. For OpenShift environments with SCC, set to null (runAsUser: null) to allow automatic UID assignment. Simply omitting this field will not work due to Helm's deep merge with chart defaults. | | resources.limits.cpu | string | `"100m"` | the cpu limit | | resources.limits.memory | string | `"256Mi"` | the memory limit | | resources.requests.memory | string | `"64Mi"` | the memory request | @@ -190,5 +190,5 @@ If you already run [cert-manager's trust-manager](https://cert-manager.io/docs/t | successfulJobsHistoryLimit | int | `3` | specifies the number of successful finished jobs to keep | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0) +Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)
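Review bot: in charts/k8s-reporter/README.md, the new `reporterConfig.securityContext` row carries the example override flattened into a single table cell (`Example OpenShift override: securityContext: allowPrivilegeEscalation: false runAsNonRoot: true runAsUser: null`), so the nesting is lost and the text cannot be pasted as YAML. It also starts at `securityContext:` although the row's own key path is `reporterConfig.securityContext`, so a reader who copies it to the top level of a values file gets no effect. Suggest keeping the multi-line example out of the `# --` comment that helm-docs renders into the table, and either placing it in the README template as a block or writing it in one-line flow style with the parent key, e.g. `reporterConfig: {securityContext: {runAsUser: null}}`. By the deep-merge behaviour the commit message describes, the other two keys survive from the defaults, so the minimal override is enough.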
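Review bot: in charts/k8s-reporter/values.yaml, the retained sentence `Set to null or {} to disable security context entirely` conflicts with the deep-merge explanation added directly below it. An override of `securityContext: {}` omits every key, so by the same reasoning all three defaults, `runAsUser: 1000` included, survive the merge; only `null` removes the block. Suggest dropping `or {}` here and in the two generated tables. Since the cronjob template is not part of this patch, it would also help to state how the change was checked, for example that `helm template` with the OpenShift override renders a securityContext with no `runAsUser` key at all.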
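Review bot: docs.kosli.com/content/helm/_index.md picks up two changes unrelated to the subject line, the `reporterConfig.dryRun` description and the helm-docs footer moving from v1.5.0 to v1.14.2, and neither has a counterpart in the values.yaml hunk, which indicates the generated files were already stale before this commit. The `index d9b77585e..4045d19fd` line is identical to the one for README.md, so both files are the same blob before and after. Suggest pinning the helm-docs version, adding a CI step that regenerates both files and fails on any diff, and mentioning the generator version bump in the commit message so the footer change is not a surprise in review.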