
[bitnami/common] Add a possibility to omit empty seLinuxOptions property from non-OpenShift environments

Open minijus opened this issue 1 year ago • 1 comments

Name and Version

bitnami/common 2.21.0

What is the problem this feature will solve?

Today many (all?) Bitnami Helm charts set an empty object for seLinuxOptions within containerSecurityPolicy, e.g. https://github.com/bitnami/charts/blob/main/bitnami/mongodb/values.yaml#L585

The empty seLinuxOptions property is only removed in OpenShift compatibility mode: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_compatibility.tpl#L28-L35

There are scenarios where OpenShift compatibility mode is not desired, but seLinuxOptions should be removed. For example, running on Azure Kubernetes Service (AKS) and using the built-in Azure Policy definition https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/SELinux.json while at the same time having to set one of the "fsGroup", "runAsUser" or "runAsGroup" properties in the security context.

In the scenario mentioned above, the built-in Azure Policy definition for SELinux fails with the message: "SELinux options is not allowed".


What is the feature you are proposing to solve the problem?

Similarly to global.compatibility.openshift.adaptSecurityContext, add a global.compatibility.omitEmptySeLinuxOptions value and use it in the common.compatibility.renderSecurityContext helper to conditionally omit seLinuxOptions when it is empty/falsy.

The default value for global.compatibility.omitEmptySeLinuxOptions should be false, making the change non-breaking.

What alternatives have you considered?

Alternatives to overcome the mentioned issue are only local "workarounds":

  • Wrapping Helm chart with kustomize to remove unwanted options
  • Modifying built-in Azure Policy definition
  • Manually removing seLinuxOptions in runtime

minijus avatar Aug 20 '24 12:08 minijus
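To make the trade-off in this report concrete, here is an added Go model of the decision the `renderSecurityContext` helper makes. It is not the chart's template code and not part of the issue; the `Compat` struct, `RenderSecurityContext`, `ViolatesSELinuxPolicy` and the sample securityContext are constructed for this example. The assumption that the OpenShift path strips `fsGroup`, `runAsUser` and `runAsGroup` is my reading of the helper, the `OmitEmptySeLinuxOptions` field is the flag proposed above (it does not exist in bitnami/common 2.21.0), and the policy check is a simplification of the "SELinux options is not allowed" denial the reporter saw.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Compat is a constructed stand-in for the chart's global.compatibility values.
type Compat struct {
	// AdaptOpenShift models global.compatibility.openshift.adaptSecurityContext
	// being active (assumption: the helper then strips fixed user/group ids).
	AdaptOpenShift bool
	// OmitEmptySeLinuxOptions is the flag proposed in this issue (hypothetical;
	// not present in bitnami/common 2.21.0).
	OmitEmptySeLinuxOptions bool
}

// isFalsy mirrors Go-template truthiness for the value types a securityContext carries.
func isFalsy(v any) bool {
	switch x := v.(type) {
	case nil:
		return true
	case map[string]any:
		return len(x) == 0
	case string:
		return x == ""
	case bool:
		return !x
	}
	return false
}

// RenderSecurityContext returns the securityContext that would be emitted for a
// values.yaml securityContext block under the given compatibility settings.
func RenderSecurityContext(sc map[string]any, c Compat) map[string]any {
	out := make(map[string]any, len(sc))
	for k, v := range sc {
		out[k] = v
	}
	// "enabled" is a chart-level toggle, not a Kubernetes field.
	delete(out, "enabled")

	if c.AdaptOpenShift {
		// OpenShift assigns ids itself, so fixed ids are dropped (assumption about the helper).
		for _, k := range []string{"fsGroup", "runAsUser", "runAsGroup"} {
			delete(out, k)
		}
	}
	// Today the empty object is only dropped on the OpenShift path; the proposed flag
	// makes the same omission available without touching the user/group fields.
	if (c.AdaptOpenShift || c.OmitEmptySeLinuxOptions) && isFalsy(out["seLinuxOptions"]) {
		delete(out, "seLinuxOptions")
	}
	return out
}

// ViolatesSELinuxPolicy is a constructed approximation of the admission failure in the
// report: the policy rejects any container carrying a seLinuxOptions key, even an empty one.
func ViolatesSELinuxPolicy(rendered map[string]any) bool {
	_, present := rendered["seLinuxOptions"]
	return present
}

func main() {
	// Constructed securityContext modelled on the values.yaml shape cited in the issue.
	sc := map[string]any{
		"enabled":                  true,
		"runAsUser":                1001,
		"runAsGroup":               1001,
		"fsGroup":                  1001,
		"allowPrivilegeEscalation": false,
		"seLinuxOptions":           map[string]any{},
	}
	for _, c := range []Compat{
		{},                              // default: empty object kept, policy denies the pod
		{AdaptOpenShift: true},          // OpenShift path: object dropped, but so are the ids
		{OmitEmptySeLinuxOptions: true}, // proposal: object dropped, ids kept
	} {
		r := RenderSecurityContext(sc, c)
		b, _ := json.Marshal(r)
		fmt.Printf("%+v -> %s (policy violation: %v)\n", c, b, ViolatesSELinuxPolicy(r))
	}
}
```

Running it shows the three outcomes side by side: the default render keeps `"seLinuxOptions":{}` and is denied, the OpenShift path passes the policy only by also discarding the ids the reporter needs, and the proposed flag passes while keeping them. A populated `seLinuxOptions` block is never removed by either path.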

Hi!

Thank you so much for the draft! The team will take a look.

javsalgar avatar Aug 21 '24 08:08 javsalgar

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

github-actions[bot] avatar Sep 06 '24 01:09 github-actions[bot]

@javsalgar would you be able to have a look at the PR that addresses this issue?

minijus avatar Sep 06 '24 14:09 minijus