New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update securityContext configs to support Openshift cluster. #1658
Conversation
@linhlam-kc This looks good... Since we're removing the defaults from the |
@mbolt35 Thank you so much for helping to review. I have tested to add those defaults back to alertmanager:
enabled: false
persistentVolume:
enabled: true
# securityContext:
# runAsUser: 1001
# runAsNonRoot: true
# runAsGroup: 1001
# fsGroup: 1001
nodeExporter:
enabled: true
pushgateway:
enabled: false
persistentVolume:
enabled: true
# securityContext:
# runAsUser: 1001
# runAsNonRoot: true |
@mbolt35 @linhlam-kc what are suggested next steps on this one? do we want this as part of 1.97? |
serviceAccounts: | ||
nodeExporter: | ||
create: false | ||
kube-state-metrics: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Bolt suggested doing both on the other PR:
kubeStateMetrics:
enabled: false
kube-state-metrics:
disabled: true
@@ -0,0 +1,36 @@ | |||
kubecostProductConfigs: | |||
clusterName: CLUSTER_NAME | |||
projectID: CLUSTER_NAME |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd remove projectID, it is specific to AWS.
@linhlam-kc We have to expect our users won't change anything, which will be a concern. I'm not sure why the overwrites aren't working. Just to be clear, I'm not worried for new installs, just upgrades which have those securityContexts already set, then the upgrade reverting them to null. We need to ensure that we don't break existing users upgrades If I run my helm command with So if you were to install with Does that make sense? Am I missing something? |
@dwbrown2 I'll keep an eye on this ticket - I assume this is something that we can get in the release as long as we can button up any of the remaining discrepancies. I just want to ensure that we won't break existing users attempting to helm upgrade by swapping out default values. |
@mbolt35 Sorry for the late reply here, thank you for clarifying about your concern. I agree that it could have un-expected side effect given that there is a change that customer does not allow 'null' securityContext. Regarding to the issue, it is related to this Helm client bug: helm/helm#5184 The issue is that if the default values (value file 1) are null, it could be overwritten successfully but it doesn't work if the default values (value file 1) arenot null that need to be replaced by null values. To understand the bug easier, please see the following examples below For example: Scenario 1:
securityContext:
fsGroup: 1001
runAsNonRoot: true
runAsUser: 1001
helm template kubecost4 . \
--namespace kubecost4 \
--create-namespace \
-f ./values-thanos.yaml \
-f ./values-openshift.yaml
Scenario 2:
securityContext:
fsGroup: 1001
runAsNonRoot: true
runAsUser: 1001
helm template kubecost4 . \
--namespace kubecost4 \
--create-namespace \
-f ./values-thanos.yaml \
-f ./values-openshift.yaml
|
@linhlam-kc Looking through this PR, and based on the helm bug description, it's still not adding up: you're changing all non-null values to null value defaults. If you're overwriting in the openshift values with a non-null security context, then why are you changing the existing defaults? From our discussions, you're not going to be setting openshift's security context to null, in which case, we would never run into Scenario 2, so we shouldn't have to change the existing defaults. |
@mbolt35 My previous comment here is actually only for clarifying the Helm client bug which describe why adding non-null_securityContext back in |
Ok, this is what I missed. Thanks for the explanation. Given that this is a helm issue we can't avoid, I need to think about a better way to do this, or look into a different approach. It doesn't give me much hope that helm hasn't addressed this either. |
This will be resolved shortly by introducing a |
What does this PR change?
This PR is to update cost-analyzer helmchart to support Openshift. These are required changes:
values-openshift.yaml
Does this PR rely on any other PRs?
N/A
How does this PR impact users? (This is the kind of thing that goes in release notes!)
Links to Issues or ZD tickets this PR addresses or fixes
N/A
How was this PR tested?
Have you made an update to documentation?
┆Issue is synchronized with this Jira Task by Unito