Schema.json drop 'required' for security contexts #17
Open
user170200 wants to merge 2 commits into
Pull request overview
Adjusts the Helm chart JSON schema to better support platforms (e.g., OpenShift/OKD with SCCs) where fsGroup/runAsUser may need to be omitted so the platform can default them per-namespace.
Changes:
- Removes required constraints for podSecurityContext.fsGroup.
- Removes required constraints for securityContext.capabilities.drop.
- Removes required constraints for securityContext fields (capabilities, runAsNonRoot, runAsUser).
…security constraints only set them automatically IF they are null (non-present, breaking required)
Author
Verified the behavior described by CoPilot and applied the changes: Let the fsGroup and runAsUser be of Updated the commit to stay clean
Background
Platforms with security contexts (SCCs), such as OpenShift (or OKD), require specific values for fsGroup or runAsUser.
The final values are namespace-dependent - a security feature of these platforms.
It would be rather messy to retrieve the dynamically required values from the platform and generate a custom value.yaml for each stage+namespace.
However, platforms using SCCs can set these values automatically, given they are non-present or set to NULL.
The Problem
The values.schema.json sets these properties as 'required'.
If they are set to null, each helm command must use the --skip-schema-validation or fail.
A possible solution
Dropping 'required' for these fields - they can still be set, they still show up normally, but are nullable and support platforms with SCCs.
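The validation failure and the relaxed schema described above, as an added example that is not code from this pull request or the chart. It evaluates only the required, type and properties keywords over a constructed schema and constructed values, and it assumes that a null override removes the key from the merged values and that the relaxed fsGroup/runAsUser accept null. The hypothetical helper platform_defaulted lists the fields the chart leaves unset, which nothing fills in on a cluster without SCCs.

```python
# Added example: constructed schema and values, not the chart's real files.
TYPES = {"object": dict, "integer": int, "boolean": bool, "null": type(None)}
# Constructed override for an SCC platform: leave the IDs to the platform.
SCC_VALUES = {"podSecurityContext": {"fsGroup": None},
              "securityContext": {"runAsNonRoot": True, "runAsUser": None}}

def sec_ctx_schema(strict):
    """strict=True marks every field required; False drops 'required' and
    lets fsGroup/runAsUser be null (an assumed shape for the relaxed schema)."""
    def obj(props):
        node = {"type": "object", "properties": props}
        return {**node, "required": list(props)} if strict else node
    uid = ["integer"] if strict else ["integer", "null"]
    return obj({
        "podSecurityContext": obj({"fsGroup": {"type": uid}}),
        "securityContext": obj({"runAsNonRoot": {"type": "boolean"},
                                "runAsUser": {"type": uid}}),
    })

def matches(value, name):
    # bool is a subclass of int in Python, so it must not pass as "integer".
    is_bool_as_int = name == "integer" and isinstance(value, bool)
    return isinstance(value, TYPES[name]) and not is_bool_as_int

def validate(schema, value, path="$"):
    """Evaluate only the 'type', 'required' and 'properties' keywords."""
    allowed = schema.get("type", [])
    allowed = [allowed] if isinstance(allowed, str) else allowed
    if allowed and not any(matches(value, t) for t in allowed):
        return [f"{path}: expected {'/'.join(allowed)}"]
    errors = []
    if isinstance(value, dict):
        errors += [f"{path}.{k}: required"
                   for k in schema.get("required", []) if k not in value]
        for key, sub in schema.get("properties", {}).items():
            if key in value:
                errors += validate(sub, value[key], f"{path}.{key}")
    return errors

def drop_nulls(values):
    """Assumption: a null override removes the key from the merged values."""
    return {k: drop_nulls(v) if isinstance(v, dict) else v
            for k, v in values.items() if v is not None}

def platform_defaulted(values):
    """Fields the chart leaves unset, i.e. that only an SCC would fill in."""
    want = [("podSecurityContext", "fsGroup"),
            ("securityContext", "runAsNonRoot"), ("securityContext", "runAsUser")]
    return [f"{a}.{b}" for a, b in want if (values.get(a) or {}).get(b) is None]
```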