# openshift-values.yaml
#
# Example overrides for deploying SeaweedFS on OpenShift (or any cluster
# enforcing the Kubernetes "restricted" Pod Security Standard).
#
# OpenShift's default "restricted" SCC blocks containers that:
#   - Run as UID 0 (root)
#   - Request privilege escalation
#   - Use hostPath volumes
#   - Omit a seccompProfile
#
# These overrides satisfy all four requirements by:
#   1. Replacing hostPath volumes with PersistentVolumeClaims (or emptyDir for logs)
#   2. Enabling runAsNonRoot: true. By omitting runAsUser, OpenShift will
#      automatically assign a valid UID from the namespace's allocated range.
#   3. Dropping all Linux capabilities and setting allowPrivilegeEscalation: false
#   4. Enabling the RuntimeDefault seccompProfile
#
# Usage:
#   helm install seaweedfs seaweedfs/seaweedfs \
#     -n seaweedfs --create-namespace \
#     -f openshift-values.yaml
#
# Adjust storageClass and sizes to match your cluster's available StorageClasses.
# On OpenShift you can discover them with: oc get storageclass
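---
global:
  enableReplication: true
  # Replication placement is a three-digit string "XYZ":
  #   X = number of replicas in other data centers
  #   Y = number of replicas in other racks within the same data center
  #   Z = number of replicas in other servers within the same rack
  # "000" keeps a single copy of each volume (no data replica). Every
  # component below runs with replicas: 1, so a non-zero placement
  # presumably could not be satisfied until more volume servers (or
  # racks/DCs) exist — TODO confirm before raising it. Quoted so YAML does
  # not read it as the integer 0.
  replicationPlacement: "000" # no data replica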
master:
  replicas: 1
  data:
    # PVC instead of hostPath: the restricted SCC rejects hostPath volumes.
    type: "persistentVolumeClaim"
    size: "10Gi"
    # Empty string selects the cluster's default StorageClass.
    storageClass: ""
  logs:
    # emptyDir keeps the pod free of hostPath; switch to
    # persistentVolumeClaim if logs must survive pod restarts.
    type: "emptyDir"
  podSecurityContext:
    enabled: true
    # runAsUser/runAsGroup/fsGroup are intentionally absent so the OpenShift
    # admission controller assigns them from the namespace's SCC range.
    # NOTE(review): this relies on the image tolerating an arbitrary UID
    # (data paths writable by the assigned group) — confirm for the image in use.
    runAsNonRoot: true
  containerSecurityContext:
    enabled: true
    # No setuid/setcap escalation and no Linux capabilities at all.
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    runAsNonRoot: true
    # Required by the restricted profile; uses the container runtime's default
    # seccomp filter.
    seccompProfile:
      type: RuntimeDefault
volume:
  replicas: 1
  dataDirs:
    - name: data1
      # PVC instead of hostPath: the restricted SCC rejects hostPath volumes.
      type: "persistentVolumeClaim"
      size: "100Gi"
      # Empty string selects the cluster's default StorageClass.
      storageClass: ""
      # 0 presumably lets the volume server derive the volume limit from the
      # available disk space — TODO confirm against the chart/volume-server docs.
      maxVolumes: 0
  logs:
    # emptyDir keeps the pod free of hostPath; logs do not persist across restarts.
    type: "emptyDir"
  podSecurityContext:
    enabled: true
    # runAsUser/runAsGroup/fsGroup are intentionally absent so the OpenShift
    # admission controller assigns them from the namespace's SCC range.
    runAsNonRoot: true
  containerSecurityContext:
    enabled: true
    # No setuid/setcap escalation and no Linux capabilities at all.
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    runAsNonRoot: true
    # Required by the restricted profile; uses the container runtime's default
    # seccomp filter.
    seccompProfile:
      type: RuntimeDefault
filer:
  replicas: 1
  data:
    # PVC instead of hostPath: the restricted SCC rejects hostPath volumes.
    type: "persistentVolumeClaim"
    size: "25Gi"
    # Empty string selects the cluster's default StorageClass.
    storageClass: ""
  logs:
    # emptyDir keeps the pod free of hostPath; logs do not persist across restarts.
    type: "emptyDir"
  podSecurityContext:
    enabled: true
    # runAsUser/runAsGroup/fsGroup are intentionally absent so the OpenShift
    # admission controller assigns them from the namespace's SCC range.
    runAsNonRoot: true
  containerSecurityContext:
    enabled: true
    # No setuid/setcap escalation and no Linux capabilities at all.
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    runAsNonRoot: true
    # Required by the restricted profile; uses the container runtime's default
    # seccomp filter.
    seccompProfile:
      type: RuntimeDefault
# S3 gateway (enabled here; set enabled: false to skip deploying it)
s3:
  enabled: true
  replicas: 1
  # Listening port of the S3 API (SeaweedFS default).
  port: 8333
  # Require S3 credentials on every request (no anonymous access). The
  # identity/credential configuration must be supplied separately — check the
  # chart's values.yaml for the supported mechanism and keep secrets out of
  # this file.
  enableAuth: true
  logs:
    # emptyDir keeps the pod free of hostPath; logs do not persist across restarts.
    type: "emptyDir"
  podSecurityContext:
    enabled: true
    # runAsUser/runAsGroup/fsGroup are intentionally absent so the OpenShift
    # admission controller assigns them from the namespace's SCC range.
    runAsNonRoot: true
  containerSecurityContext:
    enabled: true
    # No setuid/setcap escalation and no Linux capabilities at all.
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    runAsNonRoot: true
    # Required by the restricted profile; uses the container runtime's default
    # seccomp filter.
    seccompProfile:
      type: RuntimeDefault