Add security context for statefulset and post-upgrade/install jobs #1085
Conversation
Tzahi Grodzevsky seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account. You have signed the CLA already but the status is still pending? Let us recheck it.
Hi @tzahigro1,
I don't have a problem with that implementation, but there are dedicated values for post jobs
helm-charts/charts/redpanda/values.yaml
Lines 568 to 608 in 90d3dbb
post_install_job:
  enabled: true
  # Resource requests and limits for the post-install batch job
  # resources:
  #   requests:
  #     cpu: 1
  #     memory: 512Mi
  #   limits:
  #     cpu: 2
  #     memory: 1024Mi
  # labels: {}
  # annotations: {}
  affinity: {}
post_upgrade_job:
  enabled: true
  # Resource requests and limits for the post-upgrade batch job
  # resources:
  #   requests:
  #     cpu: 1
  #     memory: 512Mi
  #   limits:
  #     cpu: 2
  #     memory: 1024Mi
  # labels: {}
  # annotations: {}
  # Additional environment variables for the Post Upgrade Job
  # extraEnv:
  #   - name: AWS_SECRET_ACCESS_KEY
  #     valueFrom:
  #       secretKeyRef:
  #         name: my-secret
  #         key: redpanda-aws-secret-access-key
  # Additional environment variables for the Post Upgrade Job mapped from Secret or ConfigMap
  # extraEnvFrom:
  #   - secretRef:
  #       name: redpanda-aws-secrets
  affinity: {}
  # When helm upgrade is performed the post-upgrade job is scheduled before Statefulset successfully finish
  # its rollout. User can extend Job default backoff limit of `6`.
  # backoffLimit:
which could have that securityContext part.
It would be good, as a follow up, to give users the ability to change the securityContext per container.
Could you bump the following semver? The patch version should suffice.
helm-charts/charts/redpanda/Chart.yaml
Line 26 in 90d3dbb
version: 5.7.33
Could you sign the CLA?
I see that the CLA is signed. I will bump Chart.yaml quickly.
Yes I saw that, but upon looking at the previous implementation the "runAsUser" and "runAsGroup" values come from there, so I figured it's the place to add it.
For example in the existing _helpers.tpl.
@tzahigro1 I agree with you that this needs to be refactored. I will create a follow up to address that.
… in values.yaml and _helpers.tpl
…elm-charts into tz/security-context
Great to see that improvement!
You can always extend the values.yaml with a commented example and define new fields in values.schema.json.
The CLA is bugged because I made commits from a user without a proper email address format, so I rewrote the commit history with my correct email.
@alejandroEsc, @chrisseto please review :)
I see that the PR is merged but don't see any new chart released?
@tzahigro1 The Chart.yaml was not changed. Probably the semver bump was lost during rebasing. If CI passes for #1087, then your changes will be included in the new chart release.
This PR adds the option to configure the "runAsNonRoot" and "allowPrivilegeEscalation" fields under "securityContext" for the statefulset, post-install-upgrade-job and post-upgrade job, inside the values file under statefulset.securityContext.allowPrivilegeEscalation and statefulset.securityContext.runAsNonRoot.
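As an added example that is not part of this PR or the chart: a small audit over rendered workloads (a constructed stand-in for `helm template` output) that checks the two fields the PR exposes, applying the Kubernetes rule that runAsNonRoot can come from the pod or the container context while allowPrivilegeEscalation is container-level only. The manifest contents and container names are assumptions.

```python
"""Audit rendered workloads for the two settings this PR exposes:
runAsNonRoot and allowPrivilegeEscalation.

Kubernetes semantics applied: runAsNonRoot may be set on the pod
(spec.securityContext) or per container, and the container value wins;
allowPrivilegeEscalation exists on the container securityContext only.
"""

# Constructed stand-in for `helm template` output; not taken from the chart.
RENDERED = [
    {"kind": "StatefulSet", "metadata": {"name": "redpanda"},
     "spec": {"template": {"spec": {
         "securityContext": {"runAsUser": 101, "runAsGroup": 101, "runAsNonRoot": True},
         "containers": [
             {"name": "redpanda", "securityContext": {"allowPrivilegeEscalation": False}},
             {"name": "config-watcher"},  # inherits pod runAsNonRoot, no container context
         ]}}}},
    {"kind": "Job", "metadata": {"name": "redpanda-post-upgrade"},
     "spec": {"template": {"spec": {
         "securityContext": {"runAsUser": 101},  # runAsUser alone does not set runAsNonRoot
         "containers": [
             {"name": "post-upgrade", "securityContext": {"allowPrivilegeEscalation": True}},
         ]}}}},
]

def container_findings(pod_spec):
    """Return (container name, problem) pairs for one pod template spec."""
    pod_ctx = pod_spec.get("securityContext") or {}
    findings = []
    for c in pod_spec.get("containers", []):
        ctx = c.get("securityContext") or {}
        # container-level runAsNonRoot overrides the pod-level value
        if ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot")) is not True:
            findings.append((c["name"], "runAsNonRoot is not true"))
        # allowPrivilegeEscalation is container-level only; unset is not a pass
        if ctx.get("allowPrivilegeEscalation") is not False:
            findings.append((c["name"], "allowPrivilegeEscalation is not false"))
    return findings

def audit(manifests):
    """Map 'Kind/name' to its findings for every object that has a pod template."""
    report = {}
    for m in manifests:
        tmpl = m.get("spec", {}).get("template")
        if tmpl:
            report[f"{m['kind']}/{m['metadata']['name']}"] = container_findings(tmpl["spec"])
    return report

if __name__ == "__main__":
    for workload, findings in audit(RENDERED).items():
        print(workload, "OK" if not findings else findings)
```

Running it against real output is a matter of parsing `helm template` YAML into the same list of dicts; the checks themselves do not change.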