jp-gouin / helm-openldap

Helm chart of Openldap in High availability with multi-master replication and PhpLdapAdmin and Ltb-Passwd
Apache License 2.0

enable containersecuritycontext and resources limit for initcontainers #130

Closed louisgls closed 10 months ago

louisgls commented 11 months ago

I would like to be able to set the containerSecurityPolicy and the resources for the init-tls-secret initContainer.

At the moment, because of policies configured in our cluster, I can't deploy the chart. I've found a quickfix that consists in adding the missing parameters with kustomize but it would be awesome that we could have resources and containerSecurityContext configurable for initContainers, just as they are for the openldap container.

Another solution could be to make init-tls-secret optional so it can be removed or updated like this:

```yaml
initContainers:
  - name: init-tls-secret
    image: alpine/openssl:latest
    imagePullPolicy: Always
    command:
      - sh
      - -c
      - |
        cp -Lr /tmp-certs/* /certs
    volumeMounts:
      - name: certs
        mountPath: "/certs"
      - name: secret-certs
        mountPath: "/tmp-certs"
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      runAsNonRoot: true
      runAsUser: 1001
      seccompProfile:
        type: RuntimeDefault
    resources:
      limits:
        cpu: 50m
        memory: 64Mi
```

opencmit2 commented 11 months ago

Hi @louisgls
The parameters in this part can be customized. So I think it might be a usage issue.

louisgls commented 11 months ago

Hi @opencmit2, thank you for your answer.

My problem is that I can't start any container that does not have containerSecurityContext, which is the case for init-tls-secret and update-replication.

```
would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "init-tls-secret", "update-replication" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "init-tls-secret", "update-replication" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "init-tls-secret", "update-replication" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "init-tls-secret", "update-replication" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
```

I also need to configure resources for each container.

```
create Pod openldap-0 in StatefulSet openldap failed error: pods "openldap-0" is forbidden: failed quota: default-ktkk5: must specify limits.cpu for: init-tls-secret,update-replication; limits.memory for: init-tls-secret,update-replication
```

The fact that containerSecurityContext and resources are not configurable prevents the statefulset from being started at all.

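A check you can run over a rendered pod spec (for example the StatefulSet template produced by `helm template`) to list the PodSecurity "restricted" and resource-quota violations quoted in the errors above, as an added example that is not code from the chart or from anyone in this thread; the pod spec below is a constructed dict mirroring the two init containers named in the error.

```python
"""Check a pod spec against the PodSecurity "restricted" rules and the quota limits
quoted in the issue. Added example, not chart code; the sample spec is constructed."""


def container_violations(pod_spec, container):
    """Return the rule violations for one container (init or regular)."""
    name = container.get("name", "<unnamed>")
    sc = container.get("securityContext") or {}
    pod_sc = pod_spec.get("securityContext") or {}
    problems = []
    if sc.get("allowPrivilegeEscalation") is not False:
        problems.append(f"{name}: allowPrivilegeEscalation must be false")
    if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
        problems.append(f"{name}: capabilities.drop must include ALL")
    # runAsNonRoot and seccompProfile may be set at pod or container level
    if not (sc.get("runAsNonRoot") is True or pod_sc.get("runAsNonRoot") is True):
        problems.append(f"{name}: runAsNonRoot must be true")
    seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
    if seccomp not in ("RuntimeDefault", "Localhost"):
        problems.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    limits = (container.get("resources") or {}).get("limits") or {}
    for res in ("cpu", "memory"):
        if res not in limits:
            problems.append(f"{name}: must specify limits.{res}")
    return problems


def check_pod_spec(pod_spec):
    """Check every initContainer and container; returns all violations found."""
    found = []
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        found.extend(container_violations(pod_spec, c))
    return found


# Constructed sample: init-tls-secret hardened as in the issue's YAML,
# update-replication left without securityContext or resources.
SAMPLE_POD_SPEC = {
    "initContainers": [
        {"name": "init-tls-secret",
         "securityContext": {"allowPrivilegeEscalation": False,
                             "capabilities": {"drop": ["ALL"]},
                             "runAsNonRoot": True, "runAsUser": 1001,
                             "seccompProfile": {"type": "RuntimeDefault"}},
         "resources": {"limits": {"cpu": "50m", "memory": "64Mi"}}},
        {"name": "update-replication", "image": "placeholder-image"},
    ],
}

if __name__ == "__main__":
    print("\n".join(check_pod_spec(SAMPLE_POD_SPEC)) or "no violations")
```

Running it against the sample reports six violations, all for update-replication, which matches the two admission errors quoted above.
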
opencmit2 commented 11 months ago

Hi @louisgls
I have added the required content based on your needs, please download the latest content to try it out, and close this issue.

louisgls commented 11 months ago

Hi @opencmit2, thank you very much for your work, I'll test it this week.

louisgls commented 10 months ago

Hi @opencmit2, this is perfect, thank you very much.