gsh-digital-services/seaweedFS
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

helm: refine openshift-values.yaml for assigned UID ranges (#8396)

Browse Source 
* helm: refine openshift-values.yaml to remove hardcoded UIDs

Remove hardcoded runAsUser, runAsGroup, and fsGroup from the
openshift-values.yaml example. This allows OpenShift's admission
controller to automatically assign a valid UID from the namespace's
allocated range, avoiding "forbidden" errors when UID 1000 is
outside the permissible range.

Updates #8381, #8390.

* helm: fix volume.logs and add consistent security context comments

* Update README.md
This commit is contained in:
Chris Lu
2026-02-20 12:05:57 -08:00
committed by GitHub
parent bd0b1fe9d5
commit 2a1ae896e4
2 changed files with 31 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
k8s/charts/seaweedfs/README.md
View File

@@ -324,6 +324,7 @@ worker:
```
Deploy the specialized workers as separate releases:
### Specialized Worker Deployment
```bash
# Deploy vacuum workers
helm install seaweedfs-worker-vacuum seaweedfs/seaweedfs -f values-worker-vacuum.yaml
@@ -332,6 +333,22 @@ helm install seaweedfs-worker-vacuum seaweedfs/seaweedfs -f values-worker-vacuum
helm install seaweedfs-worker-balance seaweedfs/seaweedfs -f values-worker-balance.yaml
```
## OpenShift Support
SeaweedFS can be deployed on OpenShift or any cluster enforcing the Kubernetes "restricted" Pod Security Standard. By default, OpenShift blocks containers that run as root or use `hostPath` volumes.
To deploy on OpenShift, use the provided `openshift-values.yaml` which overrides the default configuration to:
1. Use `PersistentVolumeClaims` instead of `hostPath`.
2. Enable `runAsNonRoot` and omit hardcoded UIDs to allow OpenShift to assign valid UIDs automatically.
3. Apply appropriate `seccompProfile` and drop capabilities.
Usage:
```bash
helm install seaweedfs seaweedfs/seaweedfs \
-n seaweedfs --create-namespace \
-f openshift-values.yaml
```
## Enterprise
For enterprise users, please visit [seaweedfs.com](https://seaweedfs.com) for the SeaweedFS Enterprise Edition,

43
k8s/charts/seaweedfs/openshift-values.yaml
View File

@@ -11,11 +11,10 @@
#
# These overrides satisfy all four requirements by:
# 1. Replacing hostPath volumes with PersistentVolumeClaims (or emptyDir for logs)
# 2. Setting runAsUser: 1000 (the "seaweed" user baked into the image)
# 3. Setting fsGroup: 1000 so Kubernetes pre-sets PVC ownership before the
# container starts — the entrypoint's chown -R is then skipped entirely
# 4. Dropping all Linux capabilities and setting allowPrivilegeEscalation: false
# 5. Enabling RuntimeDefault seccompProfile
# 2. Enabling runAsNonRoot: true. By omitting runAsUser, OpenShift will
# automatically assign a valid UID from the namespace's allocated range.
# 3. Dropping all Linux capabilities and setting allowPrivilegeEscalation: false
# 4. Enabling RuntimeDefault seccompProfile
#
# Usage:
# helm install seaweedfs seaweedfs/seaweedfs \
@@ -25,13 +24,6 @@
# Adjust storageClass and sizes to match your cluster's available StorageClasses.
# On OpenShift you can discover them with: oc get storageclass
# ── Shared security context helpers ──────────────────────────────────────────
# These are referenced in the per-component sections below.
# If your OpenShift cluster assigns an arbitrary UID (as most do with the
# "restricted" SCC), replace 1000 with the numeric UID in the range shown by:
# oc get project <namespace> -o jsonpath='{.metadata.annotations.openshift\.io/sa\.scc\.uid-range}'
# and set the same value for runAsUser across all components.
master:
data:
type: "persistentVolumeClaim"
@@ -43,9 +35,8 @@ master:
podSecurityContext:
enabled: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000 # Kubernetes sets PVC ownership to this GID before container start
# On OpenShift, we omit runAsUser/runAsGroup/fsGroup to let the admission
# controller assign them automatically based on the namespace's SCC.
runAsNonRoot: true
containerSecurityContext:
@@ -54,7 +45,6 @@ master:
capabilities:
drop: ["ALL"]
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
@@ -66,13 +56,13 @@ volume:
storageClass: "" # leave empty to use the cluster default StorageClass
maxVolumes: 0
logs: {} # emptyDir by default (no logs section means no log volume)
logs:
type: "emptyDir"
podSecurityContext:
enabled: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
# On OpenShift, we omit runAsUser/runAsGroup/fsGroup to let the admission
# controller assign them automatically based on the namespace's SCC.
runAsNonRoot: true
containerSecurityContext:
@@ -81,7 +71,6 @@ volume:
capabilities:
drop: ["ALL"]
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
@@ -96,9 +85,8 @@ filer:
podSecurityContext:
enabled: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
# On OpenShift, we omit runAsUser/runAsGroup/fsGroup to let the admission
# controller assign them automatically based on the namespace's SCC.
runAsNonRoot: true
containerSecurityContext:
@@ -107,7 +95,6 @@ filer:
capabilities:
drop: ["ALL"]
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
@@ -115,9 +102,8 @@ filer:
s3:
podSecurityContext:
enabled: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
# On OpenShift, we omit runAsUser/runAsGroup/fsGroup to let the admission
# controller assign them automatically based on the namespace's SCC.
runAsNonRoot: true
containerSecurityContext:
@@ -126,6 +112,5 @@ s3:
capabilities:
drop: ["ALL"]
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault