* helm: refine openshift-values.yaml to remove hardcoded UIDs Remove hardcoded runAsUser, runAsGroup, and fsGroup from the openshift-values.yaml example. This allows OpenShift's admission controller to automatically assign a valid UID from the namespace's allocated range, avoiding "forbidden" errors when UID 1000 is outside the permissible range. Updates #8381, #8390. * helm: fix volume.logs and add consistent security context comments * Update README.md
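# openshift-values.yaml
#
# Example overrides for deploying SeaweedFS on OpenShift (or any cluster
# enforcing the Kubernetes "restricted" Pod Security Standard).
#
# OpenShift's default "restricted" SCC blocks containers that:
# - Run as UID 0 (root)
# - Request privilege escalation
# - Use hostPath volumes
# - Omit a seccompProfile
#
# These overrides satisfy all four requirements by:
# 1. Replacing hostPath volumes with PersistentVolumeClaims (or emptyDir for logs)
# 2. Enabling runAsNonRoot: true. By omitting runAsUser, OpenShift will
#    automatically assign a valid UID from the namespace's allocated range.
# 3. Dropping all Linux capabilities and setting allowPrivilegeEscalation: false
# 4. Enabling RuntimeDefault seccompProfile
#
# Portability note: runAsUser/runAsGroup/fsGroup are deliberately left unset.
# OpenShift's SCC admission fills them in from the namespace's UID/GID range.
# On a cluster without that admission controller nothing assigns a UID, so each
# container runs as the USER baked into its image; because runAsNonRoot is true,
# the kubelet refuses to start a container whose image runs as root or declares
# a non-numeric USER. On such clusters set runAsUser (and fsGroup, if the PVC
# needs it) explicitly to the non-root UID the image expects.
#
# Only master, volume, filer and s3 are covered below. Any other chart component
# you enable needs the same podSecurityContext/containerSecurityContext
# overrides, or its pods will be rejected by the same admission policy.
#
# Usage:
#   helm install seaweedfs seaweedfs/seaweedfs \
#     -n seaweedfs --create-namespace \
#     -f openshift-values.yaml
#
# Adjust storageClass and sizes to match your cluster's available StorageClasses.
# On OpenShift you can discover them with: oc get storageclass

master:
  data:
    type: "persistentVolumeClaim"
    size: "10Gi"
    storageClass: ""  # leave empty to use the cluster default StorageClass

  logs:
    type: "emptyDir"  # avoids hostPath; use persistentVolumeClaim if you need log persistence

  podSecurityContext:
    enabled: true
    # On OpenShift, we omit runAsUser/runAsGroup/fsGroup to let the admission
    # controller assign them automatically based on the namespace's SCC.
    runAsNonRoot: true

  containerSecurityContext:
    enabled: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault

volume:
  dataDirs:
    - name: data1
      type: "persistentVolumeClaim"
      size: "100Gi"
      storageClass: ""  # leave empty to use the cluster default StorageClass
      # 0 lets the volume server derive its volume limit from free disk space
      # rather than a fixed count — confirm against the chart's values.yaml
      maxVolumes: 0

  logs:
    type: "emptyDir"  # avoids hostPath; use persistentVolumeClaim if you need log persistence

  podSecurityContext:
    enabled: true
    # On OpenShift, we omit runAsUser/runAsGroup/fsGroup to let the admission
    # controller assign them automatically based on the namespace's SCC.
    runAsNonRoot: true

  containerSecurityContext:
    enabled: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault

filer:
  data:
    type: "persistentVolumeClaim"
    size: "25Gi"
    storageClass: ""  # leave empty to use the cluster default StorageClass

  logs:
    type: "emptyDir"  # avoids hostPath; use persistentVolumeClaim if you need log persistence

  podSecurityContext:
    enabled: true
    # On OpenShift, we omit runAsUser/runAsGroup/fsGroup to let the admission
    # controller assign them automatically based on the namespace's SCC.
    runAsNonRoot: true

  containerSecurityContext:
    enabled: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault

# S3 gateway (if enabled). It keeps no local state here, so only the security
# contexts are overridden.
s3:
  podSecurityContext:
    enabled: true
    # On OpenShift, we omit runAsUser/runAsGroup/fsGroup to let the admission
    # controller assign them automatically based on the namespace's SCC.
    runAsNonRoot: true

  containerSecurityContext:
    enabled: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault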