Extend options for setting security context #1647
Conversation
dmitryax
force-pushed
the
add-container-security-context
branch
from
de73aef to
c7a1e20
Compare
| @@ -577,9 +577,36 @@ | |||
| } | |||
| } | |||
| }, | |||
| "podSecurityContext": { | |||
| "type": "object" | |||
| }, | |||
| "securityContext": { | |||
There was a problem hiding this comment.
This can also be deprecated in favor of containerSecurityContext but I think we can defer that until fluentd is removed
dmitryax
force-pushed
the
add-container-security-context
branch
2 times, most recently
from
5e3db36 to
74e35dd
Compare
dmitryax
force-pushed
the
add-container-security-context
branch
from
74e35dd to
dfadbbe
Compare
dmitryax
changed the title
| {{ end }} | ||
| {{- if not (eq (toString .Values.clusterReceiver.securityContext) "<nil>") }} | ||
| [WARNING] "clusterReceiver.securityContext" parameter is deprecated. Please use "clusterReceiver.podSecurityContext" instead. | ||
| {{ end }} |
There was a problem hiding this comment.
Nit: Can we throw a failure or print a warning if one of the following cases happens? I just want to avoid confusion about which of the two available values (securityContext vs podSecurityContext) will be used. Maybe just update the message to say podSecurityContext takes priority.
- Both clusterReceiver.securityContext and clusterReceiver.podSecurityContext are both used
- Both gateway.securityContext and gateway.podSecurityContext are both used
There was a problem hiding this comment.
I'm not sure I understand your suggestion. Please submit a suggesting diff
There was a problem hiding this comment.
Working on this. Need to state this PR relates to #1342
There was a problem hiding this comment.
We are missing updates in few places in this block. I think it should be updated to podSecurityContext instead. Actually, we might have to do some checking to see which of the 2 (pod or container) securityContext has runAsUser set. Both can have this field.
|
Another thing - do we know if the original ask also wants a way to set the context on initContainer? I know these only come into play when logs are enabled, but best to check if we need to include those. |
From my current understanding initContainers are used by the agent daemonset to update permissions for enabling collecting logs and all 3 agent modes to enable using persistent data exporter queues normally only used by Splunk Enterprise/Platform customers. Maybe we enable setting security context for initContainers and containers in a future PR for iterative growth. |
I've actually started with adding this to the init containers as well, but I'm afraid of unnecessarily bloating up the config interface, see the first version in 74e35dd. I think we can start without it at this point, see if it's needed for users, then add it. WDYT?
No, as far as I know. That's why I removed it eventually |
Add options to set container security contexts in clusterRecever and gateway deployments.
dmitryax
force-pushed
the
add-container-security-context
branch
from
dfadbbe to
12dcb22
Compare
| securityContext: | ||
| {{- include "splunk-otel-collector.securityContext" (dict "isWindows" .Values.isWindows "securityContext" $gateway.securityContext) | nindent 8 }} | ||
| {{- include "splunk-otel-collector.securityContext" (dict "isWindows" .Values.isWindows "securityContext" $podSecurityContext) | nindent 8 }} |
There was a problem hiding this comment.
| {{- include "splunk-otel-collector.securityContext" (dict "isWindows" .Values.isWindows "securityContext" $podSecurityContext) | nindent 8 }} | |
| {{- include "splunk-otel-collector.securityContext" (dict "isWindows" .Values.isWindows "securityContext" $gateway.podSecurityContext) | nindent 8 }} |
| securityContext: | ||
| {{- include "splunk-otel-collector.securityContext" (dict "isWindows" .Values.isWindows "securityContext" $clusterReceiver.securityContext) | nindent 8 }} | ||
| {{- include "splunk-otel-collector.securityContext" (dict "isWindows" .Values.isWindows "securityContext" $podSecurityContext) | nindent 8 }} |
There was a problem hiding this comment.
| {{- include "splunk-otel-collector.securityContext" (dict "isWindows" .Values.isWindows "securityContext" $podSecurityContext) | nindent 8 }} | |
| {{- include "splunk-otel-collector.securityContext" (dict "isWindows" .Values.isWindows "clusterReceiver.securityContext" $podSecurityContext) | nindent 8 }} |
| {{- if not (eq (toString .Values.clusterReceiver.securityContext) "<nil>") }} | ||
| [WARNING] "clusterReceiver.securityContext" parameter is deprecated. Please use "clusterReceiver.podSecurityContext" instead. | ||
| {{ end }} |
There was a problem hiding this comment.
| {{- if not (eq (toString .Values.clusterReceiver.securityContext) "<nil>") }} | |
| [WARNING] "clusterReceiver.securityContext" parameter is deprecated. Please use "clusterReceiver.podSecurityContext" instead. | |
| {{ end }} | |
| {{- if not (eq (toString .Values. clusterReceiver.securityContext) "<nil>") }} | |
| {{- if .Values. clusterReceiver.podSecurityContext }} | |
| [WARNING] "clusterReceiver.securityContext" parameter is deprecated. Helm release will use values set in "clusterReceiver.podSecurityContext" instead. | |
| {{- else }} | |
| [WARNING] "clusterReceiver.securityContext" parameter is deprecated. Please use "clusterReceiver.podSecurityContext" instead. | |
| {{- end }} | |
| {{ end }} |
@jvoravong is this what you are suggesting? How does the PR you referenced relate to this one? Tmk this is a different ask
Add option to set security contexts on: