bjw-s / helm-charts

A collection of Helm charts
https://bjw-s.github.io/helm-charts/
Apache License 2.0

securityContext capabilities is not supported by schema #236

Closed: evanrich closed 6 months ago

evanrich commented 7 months ago
Failed to compare desired state to live state: failed to calculate diff: error calculating structured merge diff: error building typed value from config resource: .spec.template.spec.securityContext.capabilities: field not declared in schema

I get the above message when trying to do the following with the 2.3.0 version of the chart:

defaultPodOptions:
  securityContext:
    capabilities:
      drop:
        - all
      add: ['NET_BIND_SERVICE']

It seems that defaultPodOptions.securityContext is supported, but not capabilities. When I look at the common chart, it just shows

  # -- Configure the Security Context for the Pod
  securityContext: {}

and no example. Is this not supported?

evanrich commented 7 months ago

I should add that this error is coming from Argo CD.

bjw-s commented 7 months ago

securityContext gets passed through as-defined; there is no distinction made between the subkeys. So if the other securityContext fields work, capabilities should work as well.

However, capabilities is not something that is defined on the Pod level, but rather on the container level. Therefore, you won't be able to set that through the defaultPodOptions: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container
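
Added example, not part of the original thread and not code from the chart: a small pre-sync check that flags securityContext keys set at the wrong level in a rendered manifest, which is the mistake that produced the schema error above. The function names, the sample manifests, the container name and the image are constructed for illustration; the field lists are taken from the Kubernetes core/v1 PodSecurityContext and SecurityContext types, and the check goes beyond capabilities to cover the other level-specific fields.

```python
# Added example: flag securityContext keys set at the wrong level.
# Fields that are valid at both levels (runAsUser, seccompProfile, ...) are not listed.
CONTAINER_ONLY = {"allowPrivilegeEscalation", "capabilities", "privileged",
                  "procMount", "readOnlyRootFilesystem"}
POD_ONLY = {"fsGroup", "fsGroupChangePolicy", "supplementalGroups", "sysctls"}


def pod_spec(manifest):
    """Return (path, PodSpec) for common workload kinds, or (None, None)."""
    kind, spec = manifest.get("kind"), manifest.get("spec") or {}
    if kind == "Pod":
        return "spec", spec
    if kind == "CronJob":
        job = (spec.get("jobTemplate") or {}).get("spec") or {}
        return ("spec.jobTemplate.spec.template.spec",
                (job.get("template") or {}).get("spec") or {})
    if kind in {"Deployment", "StatefulSet", "DaemonSet", "ReplicaSet", "Job"}:
        return "spec.template.spec", (spec.get("template") or {}).get("spec") or {}
    return None, None


def misplaced_fields(manifest):
    """List (path, reason) for every securityContext key at the wrong level."""
    path, spec = pod_spec(manifest)
    if spec is None:
        return []
    findings = []
    for key in sorted(CONTAINER_ONLY & set(spec.get("securityContext") or {})):
        findings.append((f"{path}.securityContext.{key}", "container-level only"))
    for group in ("initContainers", "containers", "ephemeralContainers"):
        for i, ctr in enumerate(spec.get(group) or []):
            for key in sorted(POD_ONLY & set(ctr.get("securityContext") or {})):
                findings.append((f"{path}.{group}[{i}].securityContext.{key}",
                                 "pod-level only"))
    return findings


# Constructed sample: a rendered Deployment with capabilities on the Pod,
# as in the report above, and the same settings moved to the container.
CAPS = {"capabilities": {"drop": ["all"], "add": ["NET_BIND_SERVICE"]}}
BROKEN = {"kind": "Deployment", "spec": {"template": {"spec": {
    "securityContext": CAPS,
    "containers": [{"name": "main", "image": "example.invalid/app:1"}]}}}}
FIXED = {"kind": "Deployment", "spec": {"template": {"spec": {
    "containers": [{"name": "main", "image": "example.invalid/app:1",
                    "securityContext": CAPS}]}}}}

if __name__ == "__main__":
    for name, doc in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, misplaced_fields(doc))
```

The path reported for the broken manifest is the same one named in the Argo CD error message.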