Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

helm: refine openshift-values.yaml for assigned UID ranges (#8396) 

* helm: refine openshift-values.yaml to remove hardcoded UIDs

Remove hardcoded runAsUser, runAsGroup, and fsGroup from the
openshift-values.yaml example. This allows OpenShift's admission
controller to automatically assign a valid UID from the namespace's
allocated range, avoiding "forbidden" errors when UID 1000 is
outside the permissible range.

Updates #8381, #8390.

* helm: fix volume.logs and add consistent security context comments

* Update README.md
pull/8392/merge
Chris Lu 2 days ago
committed by GitHub
parent
bd0b1fe9d5
commit
2a1ae896e4
No known key found for this signature in database GPG Key ID: B5690EEEBB952194
2 changed files with 31 additions and 29 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 17
      k8s/charts/seaweedfs/README.md
  2. 43
      k8s/charts/seaweedfs/openshift-values.yaml

17
k8s/charts/seaweedfs/README.md
View File

@ -324,6 +324,7 @@ worker:
```
Deploy the specialized workers as separate releases:
### Specialized Worker Deployment
```bash
# Deploy vacuum workers
helm install seaweedfs-worker-vacuum seaweedfs/seaweedfs -f values-worker-vacuum.yaml
@ -332,6 +333,22 @@ helm install seaweedfs-worker-vacuum seaweedfs/seaweedfs -f values-worker-vacuum
helm install seaweedfs-worker-balance seaweedfs/seaweedfs -f values-worker-balance.yaml
```
## OpenShift Support
SeaweedFS can be deployed on OpenShift or any cluster enforcing the Kubernetes "restricted" Pod Security Standard. By default, OpenShift blocks containers that run as root or use `hostPath` volumes.
To deploy on OpenShift, use the provided `openshift-values.yaml` which overrides the default configuration to:
1. Use `PersistentVolumeClaims` instead of `hostPath`.
2. Enable `runAsNonRoot` and omit hardcoded UIDs to allow OpenShift to assign valid UIDs automatically.
3. Apply appropriate `seccompProfile` and drop capabilities.
Usage:
```bash
helm install seaweedfs seaweedfs/seaweedfs \
-n seaweedfs --create-namespace \
-f openshift-values.yaml
```
## Enterprise
For enterprise users, please visit [seaweedfs.com](https://seaweedfs.com) for the SeaweedFS Enterprise Edition,

43
k8s/charts/seaweedfs/openshift-values.yaml
View File

@ -11,11 +11,10 @@
#
# These overrides satisfy all four requirements by:
# 1. Replacing hostPath volumes with PersistentVolumeClaims (or emptyDir for logs)
# 2. Setting runAsUser: 1000 (the "seaweed" user baked into the image)
# 3. Setting fsGroup: 1000 so Kubernetes pre-sets PVC ownership before the
# container starts — the entrypoint's chown -R is then skipped entirely
# 4. Dropping all Linux capabilities and setting allowPrivilegeEscalation: false
# 5. Enabling RuntimeDefault seccompProfile
# 2. Enabling runAsNonRoot: true. By omitting runAsUser, OpenShift will
# automatically assign a valid UID from the namespace's allocated range.
# 3. Dropping all Linux capabilities and setting allowPrivilegeEscalation: false
# 4. Enabling RuntimeDefault seccompProfile
#
# Usage:
# helm install seaweedfs seaweedfs/seaweedfs \
@ -25,13 +24,6 @@
# Adjust storageClass and sizes to match your cluster's available StorageClasses.
# On OpenShift you can discover them with: oc get storageclass
# ── Shared security context helpers ──────────────────────────────────────────
# These are referenced in the per-component sections below.
# If your OpenShift cluster assigns an arbitrary UID (as most do with the
# "restricted" SCC), replace 1000 with the numeric UID in the range shown by:
# oc get project <namespace> -o jsonpath='{.metadata.annotations.openshift\.io/sa\.scc\.uid-range}'
# and set the same value for runAsUser across all components.
master:
data:
type: "persistentVolumeClaim"
@ -43,9 +35,8 @@ master:
podSecurityContext:
enabled: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000 # Kubernetes sets PVC ownership to this GID before container start
# On OpenShift, we omit runAsUser/runAsGroup/fsGroup to let the admission
# controller assign them automatically based on the namespace's SCC.
runAsNonRoot: true
containerSecurityContext:
@ -54,7 +45,6 @@ master:
capabilities:
drop: ["ALL"]
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
@ -66,13 +56,13 @@ volume:
storageClass: "" # leave empty to use the cluster default StorageClass
maxVolumes: 0
logs: {} # emptyDir by default (no logs section means no log volume)
logs:
type: "emptyDir"
podSecurityContext:
enabled: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
# On OpenShift, we omit runAsUser/runAsGroup/fsGroup to let the admission
# controller assign them automatically based on the namespace's SCC.
runAsNonRoot: true
containerSecurityContext:
@ -81,7 +71,6 @@ volume:
capabilities:
drop: ["ALL"]
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
@ -96,9 +85,8 @@ filer:
podSecurityContext:
enabled: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
# On OpenShift, we omit runAsUser/runAsGroup/fsGroup to let the admission
# controller assign them automatically based on the namespace's SCC.
runAsNonRoot: true
containerSecurityContext:
@ -107,7 +95,6 @@ filer:
capabilities:
drop: ["ALL"]
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
@ -115,9 +102,8 @@ filer:
s3:
podSecurityContext:
enabled: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
# On OpenShift, we omit runAsUser/runAsGroup/fsGroup to let the admission
# controller assign them automatically based on the namespace's SCC.
runAsNonRoot: true
containerSecurityContext:
@ -126,6 +112,5 @@ s3:
capabilities:
drop: ["ALL"]
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
Write Preview
Loading…
Cancel
Save