bitnami / charts

Bitnami Helm Charts
https://bitnami.com

[bitnami/common] Add a possibility to omit empty seLinuxOptions property from non-OpenShift environments #28934

Closed minijus closed 1 month ago

minijus commented 2 months ago

Name and Version

bitnami/common 2.21.0

What is the problem this feature will solve?

Today many (all?) Bitnami Helm charts set an empty object for seLinuxOptions within containerSecurityPolicy, e.g. https://github.com/bitnami/charts/blob/main/bitnami/mongodb/values.yaml#L585

The empty seLinuxOptions property is only removed in OpenShift compatibility mode: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_compatibility.tpl#L28-L35

There are scenarios where OpenShift compatibility mode is not desired, but seLinuxOptions should be removed. Example: running on Azure Kubernetes Service (AKS) and using the built-in Azure Policy definition https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/SELinux.json while at the same time having to set one of the "fsGroup", "runAsUser" or "runAsGroup" properties in the security context.

With the scenario mentioned above, the built-in Azure Policy definition for SELinux fails with the message: "SELinux options is not allowed".


What is the feature you are proposing to solve the problem?

Similar to global.compatibility.openshift.adaptSecurityContext, add a global.compatibility.omitEmptySeLinuxOptions value and use it in the common.compatibility.renderSecurityContext helper to conditionally omit seLinuxOptions when it is empty/falsy.

The default value for global.compatibility.omitEmptySeLinuxOptions should be false, making the change non-breaking.

What alternatives have you considered?

Alternatives to overcome the mentioned issue are only local "workarounds":
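A sketch of what the proposed helper logic could look like, added here as an illustration; this is not the chart's own `_compatibility.tpl` code. Only the value names `global.compatibility.omitEmptySeLinuxOptions` and `global.compatibility.openshift.adaptSecurityContext` come from the issue; the template name `example.renderSecurityContext`, the `enabled` key handling and the simplified OpenShift branch (only the `force` case, no auto-detection) are assumptions made for the example.

```yaml
{{/*
Added illustration (not the bitnami/common helper): render a security context,
dropping an empty seLinuxOptions object when global.compatibility.omitEmptySeLinuxOptions
is true, without also dropping fsGroup/runAsUser/runAsGroup the way the OpenShift
adaptation does. Assumed values.yaml shape:

  global:
    compatibility:
      omitEmptySeLinuxOptions: false   # default: non-breaking
      openshift:
        adaptSecurityContext: disabled  # auto | force | disabled
  containerSecurityContext:
    enabled: true
    runAsUser: 1001
    seLinuxOptions: {}

Usage (assumed):
  {{ include "example.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) }}
*/}}
{{- define "example.renderSecurityContext" -}}
{{- $adaptedContext := .secContext -}}
{{- $compat := ((.context.Values.global).compatibility) | default dict -}}

{{/* Simplified OpenShift branch: strip ids that clash with OpenShift SCCs, and with them an empty seLinuxOptions */}}
{{- if $compat.openshift -}}
  {{- if eq (toString $compat.openshift.adaptSecurityContext) "force" -}}
    {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
    {{- if not .secContext.seLinuxOptions -}}
      {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
    {{- end -}}
  {{- end -}}
{{- end -}}

{{/* Proposed flag: an empty map is falsy in Go templates, so "not" catches seLinuxOptions: {} */}}
{{- if $compat.omitEmptySeLinuxOptions -}}
  {{- if not .secContext.seLinuxOptions -}}
    {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
  {{- end -}}
{{- end -}}

{{/* "enabled" is a chart toggle, not a Kubernetes field, so it never reaches the manifest */}}
{{- omit $adaptedContext "enabled" | toYaml -}}
{{- end -}}
```

With `omitEmptySeLinuxOptions: true` and the assumed values above, the rendered context keeps `runAsUser: 1001` and contains no `seLinuxOptions` key at all, which is the shape the AKS SELinux policy accepts; a non-empty `seLinuxOptions` (for example one carrying a `level`) is passed through unchanged, so the flag only affects the placeholder empty object.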

javsalgar commented 2 months ago

Hi!

Thank you so much for the draft! The team will take a look.

github-actions[bot] commented 1 month ago

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

minijus commented 1 month ago

@javsalgar would you be able to have a look at the PR that addresses this issue?