jenkinsci / helm-charts

Jenkins helm charts
https://artifacthub.io/packages/helm/jenkinsci/jenkins
Apache License 2.0

unknown field "capabilities" in io.k8s.api.core.v1.PodSecurityContext #736

Open alifiroozi80 opened 1 year ago

alifiroozi80 commented 1 year ago

Describe the bug

I have a custom values file:

controller:
  imagePullPolicy: "IfNotPresent"
  securityContextCapabilities:
    add: ["IPC_LOCK"]
  containerSecurityContext:
    readOnlyRootFilesystem: false
    allowPrivilegeEscalation: true
  customInitContainers:
  - name: increase-fd-ulimit
    image: busybox
    command: ["sh", "-c", "ulimit -n 65536"]
    securityContext:
      privileged: true

and after I apply the chart, I get an error:

helm install jenkins jenkins/jenkins -n jenkins -f jenkins-values.yaml
Error: INSTALLATION FAILED: unable to build kubernetes objects from release manifest: error validating "": error validating data: ValidationError(StatefulSet.spec.template.spec.securityContext): unknown field "capabilities" in io.k8s.api.core.v1.PodSecurityContext

I think it should be under the jenkins container, not at the same level as containers:, as the documentation said:

To add or remove Linux capabilities for a Container, include the capabilities field in the securityContext section of the Container manifest.

Version of Helm and Kubernetes

- Helm: v3.9.2
- Kubernetes: v1.23.4

Chart version

4.2.9

What you expected to happen?

No response

How to reproduce it

No response

Anything else we need to know?

No response

leoqa commented 1 year ago

I receive a similar error when using Chart v. 4.3.9 and modifying https://github.com/jenkinsci/helm-charts/blob/jenkins-4.3.9/charts/jenkins/values.yaml#L108-L110 to:

securityContextCapabilities:
  drop:
    - ALL

leoqa commented 1 year ago

Documenting here in case anyone runs into this.

I got past this issue noted in my comment above by adding the following to:

capabilities:
          drop:
            - ALL

Full example at line 122:

containerSecurityContext:
    runAsUser: 1000
    runAsGroup: 1000
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
          drop:
            - ALL

Full example at line 392:

containerSecurityContext:
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
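
Added example, not part of the thread or of the chart's code: a small pre-install check for the placement problem discussed above. It flags container-only `securityContext` fields that ended up in the pod-level context (the path named in the validation error) and lists containers that do not drop `ALL` capabilities. The function names and the sample manifests are assumptions constructed for illustration; real input would be the parsed output of `helm template`.

```python
# Added example: flag container-only securityContext fields placed at pod level.
# The sample manifests are constructed, not rendered from the Jenkins chart.

# Fields defined on a container's SecurityContext but not on PodSecurityContext.
CONTAINER_ONLY = {"capabilities", "privileged", "allowPrivilegeEscalation",
                  "readOnlyRootFilesystem", "procMount"}


def _pod_spec(manifest):
    """Return the pod spec of a workload manifest (StatefulSet, Deployment, ...)."""
    return manifest.get("spec", {}).get("template", {}).get("spec", {})


def misplaced_fields(manifest):
    """Return validation-style paths for container-only fields set at pod level."""
    pod_ctx = _pod_spec(manifest).get("securityContext") or {}
    kind = manifest.get("kind", "?")
    return [f"{kind}.spec.template.spec.securityContext.{name}"
            for name in sorted(pod_ctx) if name in CONTAINER_ONLY]


def containers_keeping_caps(manifest):
    """Return names of containers (init and regular) that do not drop ALL."""
    spec = _pod_spec(manifest)
    names = []
    for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        caps = (c.get("securityContext") or {}).get("capabilities") or {}
        if "ALL" not in [d.upper() for d in caps.get("drop") or []]:
            names.append(c["name"])
    return names


def statefulset(pod_ctx, container_ctx):
    """Build a minimal constructed StatefulSet with a single container."""
    return {"kind": "StatefulSet", "spec": {"template": {"spec": {
        "securityContext": pod_ctx,
        "containers": [{"name": "jenkins", "securityContext": container_ctx}]}}}}


# Shape the error in this issue reports: capabilities in the pod-level context.
REJECTED = statefulset({"runAsUser": 1000, "capabilities": {"drop": ["ALL"]}}, {})
# Shape from the workaround: capabilities in the container's own context.
ACCEPTED = statefulset({"runAsUser": 1000},
                       {"allowPrivilegeEscalation": False,
                        "capabilities": {"drop": ["ALL"]}})

if __name__ == "__main__":
    for label, m in (("rejected", REJECTED), ("accepted", ACCEPTED)):
        print(label, misplaced_fields(m), containers_keeping_caps(m))
```
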