helm: refine openshift-values.yaml for assigned UID ranges (#8396)

* helm: refine openshift-values.yaml to remove hardcoded UIDs Remove hardcoded runAsUser, runAsGroup, and fsGroup from the openshift-values.yaml example. This allows OpenShift's admission controller to automatically assign a valid UID from the namespace's allocated range, avoiding "forbidden" errors when UID 1000 is outside the permissible range. Updates #8381, #8390. * helm: fix volume.logs and add consistent security context comments * Update README.md
2026-02-20 12:05:57 -08:00
parent bd0b1fe9d5
commit 2a1ae896e4
2 changed files with 31 additions and 29 deletions
--- a/k8s/charts/seaweedfs/README.md
+++ b/k8s/charts/seaweedfs/README.md
@@ -324,6 +324,7 @@ worker:
 ```
 Deploy the specialized workers as separate releases:
 ### Specialized Worker Deployment
 ```bash
 # Deploy vacuum workers
 helm install seaweedfs-worker-vacuum seaweedfs/seaweedfs -f values-worker-vacuum.yaml
@@ -332,6 +333,22 @@ helm install seaweedfs-worker-vacuum seaweedfs/seaweedfs -f values-worker-vacuum
 helm install seaweedfs-worker-balance seaweedfs/seaweedfs -f values-worker-balance.yaml
 ```
 ## OpenShift Support
 SeaweedFS can be deployed on OpenShift or any cluster enforcing the Kubernetes "restricted" Pod Security Standard. By default, OpenShift blocks containers that run as root or use `hostPath` volumes.
 To deploy on OpenShift, use the provided `openshift-values.yaml` which overrides the default configuration to:
 1. Use `PersistentVolumeClaims` instead of `hostPath`.
 2. Enable `runAsNonRoot` and omit hardcoded UIDs to allow OpenShift to assign valid UIDs automatically.
 3. Apply appropriate `seccompProfile` and drop capabilities.
 Usage:
 ```bash
 helm install seaweedfs seaweedfs/seaweedfs \
  -n seaweedfs --create-namespace \
  -f openshift-values.yaml
 ```
 ## Enterprise
 For enterprise users, please visit [seaweedfs.com](https://seaweedfs.com) for the SeaweedFS Enterprise Edition, 
--- a/k8s/charts/seaweedfs/openshift-values.yaml
+++ b/k8s/charts/seaweedfs/openshift-values.yaml
@@ -11,11 +11,10 @@
 #
 # These overrides satisfy all four requirements by:
 #   1. Replacing hostPath volumes with PersistentVolumeClaims (or emptyDir for logs)
-#   2. Setting runAsUser: 1000 (the "seaweed" user baked into the image)
+#   2. Enabling runAsNonRoot: true. By omitting runAsUser, OpenShift will
-#   3. Setting fsGroup: 1000 so Kubernetes pre-sets PVC ownership before the
+#      automatically assign a valid UID from the namespace's allocated range.
-#      container starts — the entrypoint's chown -R is then skipped entirely
+#   3. Dropping all Linux capabilities and setting allowPrivilegeEscalation: false
-#   4. Dropping all Linux capabilities and setting allowPrivilegeEscalation: false
+#   4. Enabling RuntimeDefault seccompProfile
 #   5. Enabling RuntimeDefault seccompProfile
 #
 # Usage:
 #   helm install seaweedfs seaweedfs/seaweedfs \
@@ -25,13 +24,6 @@
 # Adjust storageClass and sizes to match your cluster's available StorageClasses.
 # On OpenShift you can discover them with: oc get storageclass
 # ── Shared security context helpers ──────────────────────────────────────────
 # These are referenced in the per-component sections below.
 # If your OpenShift cluster assigns an arbitrary UID (as most do with the
 # "restricted" SCC), replace 1000 with the numeric UID in the range shown by:
 #   oc get project <namespace> -o jsonpath='{.metadata.annotations.openshift\.io/sa\.scc\.uid-range}'
 # and set the same value for runAsUser across all components.
 master:
  data:
    type: "persistentVolumeClaim"
@@ -43,9 +35,8 @@ master:
  podSecurityContext:
    enabled: true
-    runAsUser: 1000
+    # On OpenShift, we omit runAsUser/runAsGroup/fsGroup to let the admission
-    runAsGroup: 1000
+    # controller assign them automatically based on the namespace's SCC.
    fsGroup: 1000           # Kubernetes sets PVC ownership to this GID before container start
    runAsNonRoot: true
  containerSecurityContext:
@@ -54,7 +45,6 @@ master:
    capabilities:
      drop: ["ALL"]
    runAsNonRoot: true
    runAsUser: 1000
    seccompProfile:
      type: RuntimeDefault
@@ -66,13 +56,13 @@ volume:
      storageClass: ""      # leave empty to use the cluster default StorageClass
      maxVolumes: 0
-  logs: {}                  # emptyDir by default (no logs section means no log volume)
+  logs:
    type: "emptyDir"
  podSecurityContext:
    enabled: true
-    runAsUser: 1000
+    # On OpenShift, we omit runAsUser/runAsGroup/fsGroup to let the admission
-    runAsGroup: 1000
+    # controller assign them automatically based on the namespace's SCC.
    fsGroup: 1000
    runAsNonRoot: true
  containerSecurityContext:
@@ -81,7 +71,6 @@ volume:
    capabilities:
      drop: ["ALL"]
    runAsNonRoot: true
    runAsUser: 1000
    seccompProfile:
      type: RuntimeDefault
@@ -96,9 +85,8 @@ filer:
  podSecurityContext:
    enabled: true
-    runAsUser: 1000
+    # On OpenShift, we omit runAsUser/runAsGroup/fsGroup to let the admission
-    runAsGroup: 1000
+    # controller assign them automatically based on the namespace's SCC.
    fsGroup: 1000
    runAsNonRoot: true
  containerSecurityContext:
@@ -107,7 +95,6 @@ filer:
    capabilities:
      drop: ["ALL"]
    runAsNonRoot: true
    runAsUser: 1000
    seccompProfile:
      type: RuntimeDefault
@@ -115,9 +102,8 @@ filer:
 s3:
  podSecurityContext:
    enabled: true
-    runAsUser: 1000
+    # On OpenShift, we omit runAsUser/runAsGroup/fsGroup to let the admission
-    runAsGroup: 1000
+    # controller assign them automatically based on the namespace's SCC.
    fsGroup: 1000
    runAsNonRoot: true
  containerSecurityContext:
@@ -126,6 +112,5 @@ s3:
    capabilities:
      drop: ["ALL"]
    runAsNonRoot: true
    runAsUser: 1000
    seccompProfile:
      type: RuntimeDefault