helm: refine openshift-values.yaml for assigned UID ranges (#8396)

* helm: refine openshift-values.yaml to remove hardcoded UIDs Remove hardcoded runAsUser, runAsGroup, and fsGroup from the openshift-values.yaml example. This allows OpenShift's admission controller to automatically assign a valid UID from the namespace's allocated range, avoiding "forbidden" errors when UID 1000 is outside the permissible range. Updates #8381, #8390. * helm: fix volume.logs and add consistent security context comments * Update README.md
2026-02-20 12:05:57 -08:00
parent bd0b1fe9d5
commit 2a1ae896e4
2 changed files with 31 additions and 29 deletions
--- a/k8s/charts/seaweedfs/openshift-values.yaml
+++ b/k8s/charts/seaweedfs/openshift-values.yaml
@@ -11,11 +11,10 @@
 #
 # These overrides satisfy all four requirements by:
 #   1. Replacing hostPath volumes with PersistentVolumeClaims (or emptyDir for logs)
-#   2. Setting runAsUser: 1000 (the "seaweed" user baked into the image)
-#   3. Setting fsGroup: 1000 so Kubernetes pre-sets PVC ownership before the
-#      container starts — the entrypoint's chown -R is then skipped entirely
-#   4. Dropping all Linux capabilities and setting allowPrivilegeEscalation: false
-#   5. Enabling RuntimeDefault seccompProfile
+#   2. Enabling runAsNonRoot: true. By omitting runAsUser, OpenShift will
+#      automatically assign a valid UID from the namespace's allocated range.
+#   3. Dropping all Linux capabilities and setting allowPrivilegeEscalation: false
+#   4. Enabling RuntimeDefault seccompProfile
 #
 # Usage:
 #   helm install seaweedfs seaweedfs/seaweedfs \
@@ -25,13 +24,6 @@
 # Adjust storageClass and sizes to match your cluster's available StorageClasses.
 # On OpenShift you can discover them with: oc get storageclass

-# ── Shared security context helpers ──────────────────────────────────────────
-# These are referenced in the per-component sections below.
-# If your OpenShift cluster assigns an arbitrary UID (as most do with the
-# "restricted" SCC), replace 1000 with the numeric UID in the range shown by:
-#   oc get project <namespace> -o jsonpath='{.metadata.annotations.openshift\.io/sa\.scc\.uid-range}'
-# and set the same value for runAsUser across all components.
-
 master:
  data:
    type: "persistentVolumeClaim"
@@ -43,9 +35,8 @@ master:

  podSecurityContext:
    enabled: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    fsGroup: 1000           # Kubernetes sets PVC ownership to this GID before container start
+    # On OpenShift, we omit runAsUser/runAsGroup/fsGroup to let the admission
+    # controller assign them automatically based on the namespace's SCC.
    runAsNonRoot: true

  containerSecurityContext:
@@ -54,7 +45,6 @@ master:
    capabilities:
      drop: ["ALL"]
    runAsNonRoot: true
-    runAsUser: 1000
    seccompProfile:
      type: RuntimeDefault

@@ -66,13 +56,13 @@ volume:
      storageClass: ""      # leave empty to use the cluster default StorageClass
      maxVolumes: 0

-  logs: {}                  # emptyDir by default (no logs section means no log volume)
+  logs:
+    type: "emptyDir"

  podSecurityContext:
    enabled: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    fsGroup: 1000
+    # On OpenShift, we omit runAsUser/runAsGroup/fsGroup to let the admission
+    # controller assign them automatically based on the namespace's SCC.
    runAsNonRoot: true

  containerSecurityContext:
@@ -81,7 +71,6 @@ volume:
    capabilities:
      drop: ["ALL"]
    runAsNonRoot: true
-    runAsUser: 1000
    seccompProfile:
      type: RuntimeDefault

@@ -96,9 +85,8 @@ filer:

  podSecurityContext:
    enabled: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    fsGroup: 1000
+    # On OpenShift, we omit runAsUser/runAsGroup/fsGroup to let the admission
+    # controller assign them automatically based on the namespace's SCC.
    runAsNonRoot: true

  containerSecurityContext:
@@ -107,7 +95,6 @@ filer:
    capabilities:
      drop: ["ALL"]
    runAsNonRoot: true
-    runAsUser: 1000
    seccompProfile:
      type: RuntimeDefault

@@ -115,9 +102,8 @@ filer:
 s3:
  podSecurityContext:
    enabled: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    fsGroup: 1000
+    # On OpenShift, we omit runAsUser/runAsGroup/fsGroup to let the admission
+    # controller assign them automatically based on the namespace's SCC.
    runAsNonRoot: true

  containerSecurityContext:
@@ -126,6 +112,5 @@ s3:
    capabilities:
      drop: ["ALL"]
    runAsNonRoot: true
-    runAsUser: 1000
    seccompProfile:
      type: RuntimeDefault