Open BirknerAlex opened 6 months ago
As a workaround till this is addressed in authentik, you can add this to your values.yaml:

```yaml
global:
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
server:
  serviceAccountName: authentik-sa
worker:
  serviceAccountName: authentik-sa
```

Create a service account authentik-sa and give that service account privileged access.

You won't have to use a script to change permissions and patch the Dockerfile.
Describe the bug
Running the Authentik Helm Chart is not supported on OpenShift 4 clusters, except when disabling UID restrictions, which is not recommended. By default OpenShift gives every k8s namespace a different range of allowed user IDs that containers can use.

So the hardcoded user ID 1000 inside the Docker image causes issues when starting the container.

More details: https://docs.openshift.com/container-platform/4.14/openshift_images/create-images.html#use-uid_create-images

But this could also cause issues on other Kubernetes distros when using the restricted pod security standard: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted

A workaround on OpenShift is also to "patch" the Docker image like this:

Using Dockerfile:

Using fix-permissions.sh:

It would be awesome if OpenShift support were added in future releases.

To Reproduce
This is also reproducible when running the container on Docker directly by passing --user 2000 as an example.

Expected behavior
Docker image directly working on restricted Kubernetes environments.
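Both the values.yaml workaround in the comment above and the issue body come down to the same two checks a cluster operator would want before deploying: does the pod spec satisfy the restricted Pod Security Standard, and does a hardcoded `runAsUser` fall inside the namespace's OpenShift UID range. The following is an added example written for this thread, not code from authentik or its Helm chart. It parses the `start/size` form of the `openshift.io/sa.scc.uid-range` namespace annotation, walks a pod spec for the restricted-profile fields (allowPrivilegeEscalation, capabilities, runAsNonRoot, runAsUser, seccompProfile), and reports findings. The pod specs, container names and the namespace range value are constructed sample input; the `server` container and the range `1000680000/10000` are assumptions for illustration.

```python
"""Check a pod spec against the restricted Pod Security Standard and an
OpenShift-style namespace UID range (added example, not authentik code)."""

# seccomp profile types the restricted profile accepts
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}
# the only capability the restricted profile allows to be added back
ALLOWED_ADD_CAPS = {"NET_BIND_SERVICE"}


def parse_uid_range(annotation):
    """Parse 'start/size' (format of openshift.io/sa.scc.uid-range) into an
    inclusive (lo, hi) tuple."""
    start, size = annotation.split("/")
    lo = int(start)
    return lo, lo + int(size) - 1


def _effective(container_sc, pod_sc, key, default=None):
    """Container-level securityContext overrides the pod-level one."""
    if key in container_sc:
        return container_sc[key]
    return pod_sc.get(key, default)


def check_restricted(pod_spec):
    """Return a list of findings for fields the restricted PSS requires.
    An empty list means the spec passes these checks."""
    findings = []
    pod_sc = pod_spec.get("securityContext", {})
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    for c in containers:
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        caps = sc.get("capabilities", {})
        # privilege escalation must be explicitly disabled (default is allowed)
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation must be false")
        if "ALL" not in set(caps.get("drop", [])):
            findings.append(f"{name}: capabilities.drop must include ALL")
        if set(caps.get("add", [])) - ALLOWED_ADD_CAPS:
            findings.append(f"{name}: only NET_BIND_SERVICE may be added")
        if _effective(sc, pod_sc, "runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot must be true")
        if _effective(sc, pod_sc, "runAsUser") == 0:
            findings.append(f"{name}: runAsUser must not be 0")
        seccomp = _effective(sc, pod_sc, "seccompProfile", {}).get("type")
        if seccomp not in ALLOWED_SECCOMP:
            findings.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return findings


def check_uid_range(pod_spec, uid_range):
    """Flag any container whose effective runAsUser is outside the namespace
    range. A missing runAsUser is fine: OpenShift assigns one from the range."""
    lo, hi = parse_uid_range(uid_range)
    findings = []
    pod_sc = pod_spec.get("securityContext", {})
    for c in pod_spec.get("containers", []):
        uid = _effective(c.get("securityContext", {}), pod_sc, "runAsUser")
        if uid is not None and not lo <= uid <= hi:
            findings.append(f"{c['name']}: runAsUser {uid} outside namespace range {lo}-{hi}")
    return findings


# Constructed sample: a namespace annotation value in OpenShift's start/size form.
NS_UID_RANGE = "1000680000/10000"

# Constructed sample: what the values.yaml workaround above renders to (UID 1000 pinned).
WORKAROUND_POD = {
    "securityContext": {"runAsUser": 1000, "runAsGroup": 1000, "fsGroup": 1000},
    "containers": [{"name": "server", "image": "authentik:placeholder"}],
}

# Constructed sample: the same pod with restricted-profile fields set and no pinned UID,
# so the image must work under whatever UID the platform assigns.
HARDENED_POD = {
    "securityContext": {
        "runAsNonRoot": True,
        "seccompProfile": {"type": "RuntimeDefault"},
    },
    "containers": [{
        "name": "server",
        "image": "authentik:placeholder",
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
        },
    }],
}

if __name__ == "__main__":
    for label, spec in (("workaround", WORKAROUND_POD), ("hardened", HARDENED_POD)):
        print(label, check_restricted(spec) + check_uid_range(spec, NS_UID_RANGE))
```

Run against the constructed input, the workaround spec is reported both for the pinned UID 1000 falling outside the namespace range and for the restricted-profile fields it leaves unset, while the hardened spec passes; the point for the image itself is that leaving `runAsUser` unset only works when files the process needs are group-accessible rather than owned by a fixed UID.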