From 7063dd8fe42e216f86477ea12bf4f0381ce50832 Mon Sep 17 00:00:00 2001 From: SarthakB11 Date: Sun, 5 Jul 2026 14:35:14 +0000 Subject: [PATCH] fix(helm): don't pin runAsUser/runAsGroup in grafana-mcp and querydoc chart defaults The grafana-mcp and querydoc subcharts hardcode securityContext.runAsUser (1000 and 14000) and runAsGroup (999 and 14000) in their default values.yaml. On OpenShift, each namespace is assigned a dynamic UID range and the restricted-v2 SCC rejects any pod whose runAsUser falls outside that range, so the chart is undeployable out of the box: the Deployments stay at 0/1 with a FailedCreate admission error until each component's UID is overridden by hand to an in-range value that is cluster- and namespace-specific. Remove the pinned UIDs from the defaults. Documented commented overrides remain for clusters that want to pin them. runAsNonRoot in podSecurityContext still enforces non-root, and the rest of the hardening (allowPrivilegeEscalation: false, capabilities.drop: [ALL], readOnlyRootFilesystem: true, seccompProfile: RuntimeDefault) is unchanged. Fixes #2079 Signed-off-by: SarthakB11 --- helm/tools/grafana-mcp/tests/deployment_test.yaml | 6 ++---- helm/tools/grafana-mcp/values.yaml | 10 ++++++++-- helm/tools/querydoc/tests/deployment_test.yaml | 6 ++---- helm/tools/querydoc/values.yaml | 10 ++++++++-- 4 files changed, 20 insertions(+), 12 deletions(-) diff --git a/helm/tools/grafana-mcp/tests/deployment_test.yaml b/helm/tools/grafana-mcp/tests/deployment_test.yaml index d1ed1c4add..bcb4683132 100644 --- a/helm/tools/grafana-mcp/tests/deployment_test.yaml +++ b/helm/tools/grafana-mcp/tests/deployment_test.yaml @@ -64,12 +64,10 @@ tests: - equal: path: spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem value: true - - equal: + - isNull: path: spec.template.spec.containers[0].securityContext.runAsUser - value: 1000 - - equal: + - isNull: path: spec.template.spec.containers[0].securityContext.runAsGroup - value: 999 - isNull: path: spec.template.spec.containers[0].securityContext.seccompProfile diff --git a/helm/tools/grafana-mcp/values.yaml b/helm/tools/grafana-mcp/values.yaml index 01f0f1f50a..d73dfe1a7b 100644 --- a/helm/tools/grafana-mcp/values.yaml +++ b/helm/tools/grafana-mcp/values.yaml @@ -31,8 +31,14 @@ securityContext: drop: - ALL readOnlyRootFilesystem: true - runAsUser: 1000 - runAsGroup: 999 + # runAsUser / runAsGroup are left unset so the chart installs on OpenShift, + # where the restricted-v2 SCC assigns a per-namespace UID range and rejects a + # pinned UID outside it. runAsNonRoot (in podSecurityContext) enforces + # non-root: with runAsUser unset the container runs as the image's USER, so + # the mcp/grafana image must ship a non-root USER or the pod will fail to + # start. Set a fixed UID below on clusters that allow it: + # runAsUser: 1000 + # runAsGroup: 999 tolerations: [] diff --git a/helm/tools/querydoc/tests/deployment_test.yaml b/helm/tools/querydoc/tests/deployment_test.yaml index 2fb47c58a1..5f77fe64b6 100644 --- a/helm/tools/querydoc/tests/deployment_test.yaml +++ b/helm/tools/querydoc/tests/deployment_test.yaml @@ -112,12 +112,10 @@ tests: - equal: path: spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem value: true - - equal: + - isNull: path: spec.template.spec.containers[0].securityContext.runAsUser - value: 14000 - - equal: + - isNull: path: spec.template.spec.containers[0].securityContext.runAsGroup - value: 14000 - isNull: path: spec.template.spec.containers[0].securityContext.seccompProfile diff --git a/helm/tools/querydoc/values.yaml b/helm/tools/querydoc/values.yaml index 13185e9740..ca9a6e4e79 100644 --- a/helm/tools/querydoc/values.yaml +++ b/helm/tools/querydoc/values.yaml @@ -25,8 +25,14 @@ securityContext: drop: - ALL readOnlyRootFilesystem: true - runAsUser: 14000 - runAsGroup: 14000 + # runAsUser / runAsGroup are left unset so the chart installs on OpenShift, + # where the restricted-v2 SCC assigns a per-namespace UID range and rejects a + # pinned UID outside it. runAsNonRoot (in podSecurityContext) enforces + # non-root: with runAsUser unset the container runs as the image's USER, so + # the mcp/querydoc image must ship a non-root USER or the pod will fail to + # start. Set a fixed UID below on clusters that allow it: + # runAsUser: 14000 + # runAsGroup: 14000 tolerations: []