Skip to content

docs: clarify OpenShift runAsUser must be explicitly set to null #789

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
AlexKantor87 merged 1 commit into from
Apr 16, 2026
Merged

docs: clarify OpenShift runAsUser must be explicitly set to null #789

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 4 additions & 4 deletions charts/k8s-reporter/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -172,14 +172,14 @@ If you already run [cert-manager's trust-manager](https://cert-manager.io/docs/t
| nameOverride | string | `""` | overrides the name used for the created k8s resources. If `fullnameOverride` is provided, it has higher precedence than this one |
| podAnnotations | object | `{}` | any custom annotations to be added to the cronjob |
| podLabels | object | `{}` | custom labels to add to pods |
| reporterConfig.dryRun | bool | `false` | |
| reporterConfig.dryRun | bool | `false` | whether the dry run mode is enabled or not. In dry run mode, the reporter logs the reports to stdout and does not send them to kosli. |
Copy link
Copy Markdown
Contributor

@claude claude Bot Apr 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: The securityContext description in this table cell is quite dense now that it includes the full example. This is a limitation of helm-docs flattening multi-line comments into a single cell, so there's not much to do here — just flagging for awareness. The source of truth (values.yaml) reads well, which is what matters most.

| reporterConfig.environments | list | `[]` | List of Kosli environments to report to. Each entry has required 'name' and optional namespace selectors. Use one entry to report a single environment; use multiple entries to report to multiple environments with different selectors. Per entry: name (required), namespaces, namespacesRegex, excludeNamespaces, excludeNamespacesRegex (optional). Leave namespace fields unset for an entry to report the entire cluster to that environment. |
| reporterConfig.httpProxy | string | `""` | the http proxy url |
| reporterConfig.kosliOrg | string | `""` | the name of the Kosli org |
| reporterConfig.securityContext | object | `{"allowPrivilegeEscalation":false,"runAsNonRoot":true,"runAsUser":1000}` | the security context for the reporter cronjob Set to null or {} to disable security context entirely (not recommended) For OpenShift, you can omit runAsUser to let OpenShift assign the UID |
| reporterConfig.securityContext | object | `{"allowPrivilegeEscalation":false,"runAsNonRoot":true,"runAsUser":1000}` | the security context for the reporter cronjob. Set to null or {} to disable security context entirely (not recommended). For OpenShift with SCC, explicitly set runAsUser to null to let OpenShift assign the UID from the allowed range. Simply omitting runAsUser from your values override will not work because Helm deep-merges with these defaults. Example OpenShift override: securityContext: allowPrivilegeEscalation: false runAsNonRoot: true runAsUser: null |
| reporterConfig.securityContext.allowPrivilegeEscalation | bool | `false` | whether to allow privilege escalation |
| reporterConfig.securityContext.runAsNonRoot | bool | `true` | whether to run as non root |
| reporterConfig.securityContext.runAsUser | int | `1000` | the user id to run as Omit this field for OpenShift environments to allow automatic UID assignment |
| reporterConfig.securityContext.runAsUser | int | `1000` | the user id to run as. For OpenShift environments with SCC, set to null (runAsUser: null) to allow automatic UID assignment. Simply omitting this field will not work due to Helm's deep merge with chart defaults. |
| resources.limits.cpu | string | `"100m"` | the cpu limit |
| resources.limits.memory | string | `"256Mi"` | the memory limit |
| resources.requests.memory | string | `"64Mi"` | the memory request |
Expand All @@ -190,5 +190,5 @@ If you already run [cert-manager's trust-manager](https://cert-manager.io/docs/t
| successfulJobsHistoryLimit | int | `3` | specifies the number of successful finished jobs to keep |

----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0)
Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

19 changes: 14 additions & 5 deletions charts/k8s-reporter/values.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,16 +70,25 @@ reporterConfig:
# -- the http proxy url
httpProxy: ""

# -- the security context for the reporter cronjob
# Set to null or {} to disable security context entirely (not recommended)
# For OpenShift, you can omit runAsUser to let OpenShift assign the UID
# -- the security context for the reporter cronjob.
# Set to null or {} to disable security context entirely (not recommended).
# For OpenShift with SCC, explicitly set runAsUser to null to let OpenShift
# assign the UID from the allowed range. Simply omitting runAsUser from your
# values override will not work because Helm deep-merges with these defaults.
# Example OpenShift override:
# securityContext:
# allowPrivilegeEscalation: false
# runAsNonRoot: true
# runAsUser: null
Comment on lines +73 to +82
Copy link
Copy Markdown
Contributor

@claude claude Bot Apr 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice improvement. The example block (lines 79–82) is a great addition — it makes the correct override instantly copy-pasteable for OpenShift users.

securityContext:
# -- whether to allow privilege escalation
allowPrivilegeEscalation: false
# -- whether to run as non root
runAsNonRoot: true
# -- the user id to run as
# Omit this field for OpenShift environments to allow automatic UID assignment
# -- the user id to run as.
# For OpenShift environments with SCC, set to null (runAsUser: null) to allow
# automatic UID assignment. Simply omitting this field will not work due to
# Helm's deep merge with chart defaults.
runAsUser: 1000

# -- map of plain environment variables to inject into the reporter container.
Expand Down
8 changes: 4 additions & 4 deletions docs.kosli.com/content/helm/_index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -172,14 +172,14 @@ If you already run [cert-manager's trust-manager](https://cert-manager.io/docs/t
| nameOverride | string | `""` | overrides the name used for the created k8s resources. If `fullnameOverride` is provided, it has higher precedence than this one |
| podAnnotations | object | `{}` | any custom annotations to be added to the cronjob |
| podLabels | object | `{}` | custom labels to add to pods |
| reporterConfig.dryRun | bool | `false` | |
| reporterConfig.dryRun | bool | `false` | whether the dry run mode is enabled or not. In dry run mode, the reporter logs the reports to stdout and does not send them to kosli. |
| reporterConfig.environments | list | `[]` | List of Kosli environments to report to. Each entry has required 'name' and optional namespace selectors. Use one entry to report a single environment; use multiple entries to report to multiple environments with different selectors. Per entry: name (required), namespaces, namespacesRegex, excludeNamespaces, excludeNamespacesRegex (optional). Leave namespace fields unset for an entry to report the entire cluster to that environment. |
| reporterConfig.httpProxy | string | `""` | the http proxy url |
| reporterConfig.kosliOrg | string | `""` | the name of the Kosli org |
| reporterConfig.securityContext | object | `{"allowPrivilegeEscalation":false,"runAsNonRoot":true,"runAsUser":1000}` | the security context for the reporter cronjob Set to null or {} to disable security context entirely (not recommended) For OpenShift, you can omit runAsUser to let OpenShift assign the UID |
| reporterConfig.securityContext | object | `{"allowPrivilegeEscalation":false,"runAsNonRoot":true,"runAsUser":1000}` | the security context for the reporter cronjob. Set to null or {} to disable security context entirely (not recommended). For OpenShift with SCC, explicitly set runAsUser to null to let OpenShift assign the UID from the allowed range. Simply omitting runAsUser from your values override will not work because Helm deep-merges with these defaults. Example OpenShift override: securityContext: allowPrivilegeEscalation: false runAsNonRoot: true runAsUser: null |
| reporterConfig.securityContext.allowPrivilegeEscalation | bool | `false` | whether to allow privilege escalation |
| reporterConfig.securityContext.runAsNonRoot | bool | `true` | whether to run as non root |
| reporterConfig.securityContext.runAsUser | int | `1000` | the user id to run as Omit this field for OpenShift environments to allow automatic UID assignment |
| reporterConfig.securityContext.runAsUser | int | `1000` | the user id to run as. For OpenShift environments with SCC, set to null (runAsUser: null) to allow automatic UID assignment. Simply omitting this field will not work due to Helm's deep merge with chart defaults. |
| resources.limits.cpu | string | `"100m"` | the cpu limit |
| resources.limits.memory | string | `"256Mi"` | the memory limit |
| resources.requests.memory | string | `"64Mi"` | the memory request |
Expand All @@ -190,5 +190,5 @@ If you already run [cert-manager's trust-manager](https://cert-manager.io/docs/t
| successfulJobsHistoryLimit | int | `3` | specifies the number of successful finished jobs to keep |

----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0)
Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

Loading