From 2a1ae896e40fa8095a91f402be0ca60898e6b66a Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Fri, 20 Feb 2026 12:05:57 -0800
Subject: [PATCH] helm: refine openshift-values.yaml for assigned UID ranges (#8396)
* helm: refine openshift-values.yaml to remove hardcoded UIDs
Remove hardcoded runAsUser, runAsGroup, and fsGroup from the openshift-values.yaml example. This allows OpenShift's admission controller to automatically assign a valid UID from the namespace's allocated range, avoiding "forbidden" errors when UID 1000 is outside the permissible range. Updates #8381, #8390.
* helm: fix volume.logs and add consistent security context comments
* Update README.md
---
 k8s/charts/seaweedfs/README.md | 17 +++++++++
 k8s/charts/seaweedfs/openshift-values.yaml | 43 +++++++---------------
 2 files changed, 31 insertions(+), 29 deletions(-)
diff --git a/k8s/charts/seaweedfs/README.md b/k8s/charts/seaweedfs/README.md
index a6ca7eac9..3be3ddf53 100644
--- a/k8s/charts/seaweedfs/README.md
+++ b/k8s/charts/seaweedfs/README.md
@@ -324,6 +324,7 @@ worker:
 ```
 Deploy the specialized workers as separate releases:
+### Specialized Worker Deployment
 ```bash
 # Deploy vacuum workers
 helm install seaweedfs-worker-vacuum seaweedfs/seaweedfs -f values-worker-vacuum.yaml
@@ -332,6 +333,22 @@ helm install seaweedfs-worker-vacuum seaweedfs/seaweedfs -f values-worker-vacuum
 helm install seaweedfs-worker-balance seaweedfs/seaweedfs -f values-worker-balance.yaml
 ```
+## OpenShift Support
+
+SeaweedFS can be deployed on OpenShift or any cluster enforcing the Kubernetes "restricted" Pod Security Standard. By default, OpenShift blocks containers that run as root or use `hostPath` volumes.
+
+To deploy on OpenShift, use the provided `openshift-values.yaml` which overrides the default configuration to:
+1. Use `PersistentVolumeClaims` instead of `hostPath`.
+2. Enable `runAsNonRoot` and omit hardcoded UIDs to allow OpenShift to assign valid UIDs automatically.
+3. Apply appropriate `seccompProfile` and drop capabilities.
+
+Usage:
+```bash
+helm install seaweedfs seaweedfs/seaweedfs \
+ -n seaweedfs --create-namespace \
+ -f openshift-values.yaml
+```
+
 ## Enterprise
 For enterprise users, please visit [seaweedfs.com](https://seaweedfs.com) for the SeaweedFS Enterprise Edition,
diff --git a/k8s/charts/seaweedfs/openshift-values.yaml b/k8s/charts/seaweedfs/openshift-values.yaml
index 1fd540d13..9d66cbede 100644
--- a/k8s/charts/seaweedfs/openshift-values.yaml
+++ b/k8s/charts/seaweedfs/openshift-values.yaml
@@ -11,11 +11,10 @@
 #
 # These overrides satisfy all four requirements by:
 # 1. Replacing hostPath volumes with PersistentVolumeClaims (or emptyDir for logs)
-# 2. Setting runAsUser: 1000 (the "seaweed" user baked into the image)
-# 3. Setting fsGroup: 1000 so Kubernetes pre-sets PVC ownership before the
-# container starts — the entrypoint's chown -R is then skipped entirely
-# 4. Dropping all Linux capabilities and setting allowPrivilegeEscalation: false
-# 5. Enabling RuntimeDefault seccompProfile
+# 2. Enabling runAsNonRoot: true. By omitting runAsUser, OpenShift will
+# automatically assign a valid UID from the namespace's allocated range.
+# 3. Dropping all Linux capabilities and setting allowPrivilegeEscalation: false
+# 4. Enabling RuntimeDefault seccompProfile
 #
 # Usage:
 # helm install seaweedfs seaweedfs/seaweedfs \
@@ -25,13 +24,6 @@
 # Adjust storageClass and sizes to match your cluster's available StorageClasses.
 # On OpenShift you can discover them with: oc get storageclass
-# ── Shared security context helpers ──────────────────────────────────────────
-# These are referenced in the per-component sections below.
-# If your OpenShift cluster assigns an arbitrary UID (as most do with the
-# "restricted" SCC), replace 1000 with the numeric UID in the range shown by:
-# oc get project -o jsonpath='{.metadata.annotations.openshift\.io/sa\.scc\.uid-range}'
-# and set the same value for runAsUser across all components.
-
 master:
 data:
 type: "persistentVolumeClaim"
@@ -43,9 +35,8 @@ master:
 podSecurityContext:
 enabled: true
- runAsUser: 1000
- runAsGroup: 1000
- fsGroup: 1000 # Kubernetes sets PVC ownership to this GID before container start
+ # On OpenShift, we omit runAsUser/runAsGroup/fsGroup to let the admission
+ # controller assign them automatically based on the namespace's SCC.
 runAsNonRoot: true
 containerSecurityContext:
@@ -54,7 +45,6 @@ master:
 capabilities:
 drop: ["ALL"]
 runAsNonRoot: true
- runAsUser: 1000
 seccompProfile:
 type: RuntimeDefault
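Review bot: Item 2 of the rewritten header describes only OpenShift, while the README section added in this same commit says the file is also meant for any cluster enforcing the Kubernetes "restricted" Pod Security Standard, where no admission controller injects a UID or fsGroup. On such a cluster `runAsNonRoot: true` without `runAsUser` is checked by the kubelet against the image's `USER` (a non-numeric USER is rejected as unverifiable), and with `fsGroup` gone the PVC is no longer pre-chowned, so the entrypoint `chown -R` that the removed item 3 mentions would have to run as an unprivileged user with all capabilities dropped, which I would expect to fail. I would add after the new item 2: `#    On plain Kubernetes nothing injects these values: set runAsUser/runAsGroup/` / `#    fsGroup explicitly there (e.g. 1000, the "seaweed" user baked into the image).` It is also worth keeping the `oc get project -o jsonpath='{.metadata.annotations.openshift\.io/sa\.scc\.uid-range}'` hint that the next hunk removes, as the documented way to verify the assigned range when a pod is still rejected.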
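Review bot: The added comment in master's podSecurityContext says the values are assigned "based on the namespace's SCC", but SCCs are cluster-scoped; what the restricted SCC's MustRunAsRange/MustRunAs strategies read are the namespace's `openshift.io/sa.scc.uid-range` and `openshift.io/sa.scc.supplemental-groups` annotations, and fsGroup comes from the latter, not from the UID range. Since the removed inline comment was the only place stating that fsGroup is what guarantees PVC ownership before start, the new wording leaves a reader unsure whether ownership is still handled. I would replace the two added comment lines with: `# On OpenShift the restricted SCC fills runAsUser from the project's uid-range` / `# annotation and fsGroup from its supplemental-groups annotation, so the PVC is` / `# still chowned before start; values set here must fall inside those ranges.` The enclosing `master:` block starts before this hunk and its containerSecurityContext continues in the next one.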
@@ -66,13 +56,13 @@ volume:
 storageClass: "" # leave empty to use the cluster default StorageClass
 maxVolumes: 0
- logs: {} # emptyDir by default (no logs section means no log volume)
+ logs:
+ type: "emptyDir"
 podSecurityContext:
 enabled: true
- runAsUser: 1000
- runAsGroup: 1000
- fsGroup: 1000
+ # On OpenShift, we omit runAsUser/runAsGroup/fsGroup to let the admission
+ # controller assign them automatically based on the namespace's SCC.
 runAsNonRoot: true
 containerSecurityContext:
@@ -81,7 +71,6 @@ volume:
 capabilities:
 drop: ["ALL"]
 runAsNonRoot: true
- runAsUser: 1000
 seccompProfile:
 type: RuntimeDefault
@@ -96,9 +85,8 @@ filer:
 podSecurityContext:
 enabled: true
- runAsUser: 1000
- runAsGroup: 1000
- fsGroup: 1000
+ # On OpenShift, we omit runAsUser/runAsGroup/fsGroup to let the admission
+ # controller assign them automatically based on the namespace's SCC.
 runAsNonRoot: true
 containerSecurityContext:
@@ -107,7 +95,6 @@ filer:
 capabilities:
 drop: ["ALL"]
 runAsNonRoot: true
- runAsUser: 1000
 seccompProfile:
 type: RuntimeDefault
@@ -115,9 +102,8 @@ filer:
 s3:
 podSecurityContext:
 enabled: true
- runAsUser: 1000
- runAsGroup: 1000
- fsGroup: 1000
+ # On OpenShift, we omit runAsUser/runAsGroup/fsGroup to let the admission
+ # controller assign them automatically based on the namespace's SCC.
 runAsNonRoot: true
 containerSecurityContext:
@@ -126,6 +112,5 @@ s3:
 capabilities:
 drop: ["ALL"]
 runAsNonRoot: true
- runAsUser: 1000
 seccompProfile:
 type: RuntimeDefault
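Review bot: The new `logs:` / `type: "emptyDir"` on the volume server has no size bound, so a chatty or long-lived volume server can fill the node's ephemeral storage and be evicted, a worse failure mode than the previous no-log-volume default that the removed comment describes. If the chart's logs block accepts a `sizeLimit` (the template is not visible from here), set one; otherwise at least record the trade-off next to the key with `# emptyDir: logs are lost on restart and unbounded; set a sizeLimit if the chart supports it, or use a PVC`. The enclosing `volume:` block starts before this hunk.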