Open chrisseto opened 1 month ago
A large chunk of this has been fixed in https://github.com/redpanda-data/helm-charts/pull/1477 by deprecating these fields in favor of the podTemplate fields.
We'll need to add support for setting the security context(s) of init containers and sidecars before fully closing this out.
The statefulset.podSecurityContext and statefulset.securityContext fields have not worked as one would expect for quite some time. In the conversion to Go, we preserved this behavior (and introduced other issues #1413).
The broken semantics are (roughly):
podSecurityContext and securityContext are intermixed and partially applied (FSGroup, FSChangePolicy, RunAsUser, RunAsGroup, AllowPrivilegeEscalation, RunAsNonRoot) to all SecurityContexts and some PodSecurityContexts.
This is clearly less than ideal as:
statefulset are magically propagated everywhere.
This has left us in a bit of a bind as the most ideal field names are taken.
I'm currently leaning towards:
securityContext and podSecurityContext to the root values with no defaults.
statefulset.template pattern. e.g. post_install_job.template.securityContext
If any of these fields are provided, statefulset.podSecurityContext and statefulset.securityContext will be ignored. Then in a few releases, we'll remove these fields entirely.
JIRA Link: K8S-309
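The pod-level versus container-level distinction the issue turns on, as an added example (not code from the chart or its maintainers): a Go check over a rendered pod spec that reports each container, init containers and sidecars included, whose effective runAsNonRoot or allowPrivilegeEscalation is not hardened. The sample spec and its container names are constructed, and the hardening targets (runAsNonRoot true, allowPrivilegeEscalation false) are an assumption of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of the fields named in the issue; allowPrivilegeEscalation is container-only in the Kubernetes API.
type secCtx struct {
	RunAsNonRoot             *bool `json:"runAsNonRoot"`
	AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation"`
}
type container struct {
	Name            string `json:"name"`
	SecurityContext secCtx `json:"securityContext"`
}
type podSpec struct {
	SecurityContext secCtx      `json:"securityContext"`
	InitContainers  []container `json:"initContainers"`
	Containers      []container `json:"containers"`
}

// Constructed sample pod spec; the container names are hypothetical.
const Sample = `{"securityContext": {"runAsNonRoot": true},
 "initContainers": [{"name": "init-a"}],
 "containers": [{"name": "main", "securityContext": {"allowPrivilegeEscalation": false}},
  {"name": "sidecar-a", "securityContext": {"runAsNonRoot": false}}]}`

// Audit lists containers whose effective settings are not hardened (assumed targets:
// runAsNonRoot=true, allowPrivilegeEscalation=false). Init containers are checked first.
func Audit(spec string) ([]string, error) {
	var p podSpec
	if err := json.Unmarshal([]byte(spec), &p); err != nil {
		return nil, err
	}
	var out []string
	for _, c := range append(append([]container{}, p.InitContainers...), p.Containers...) {
		nonRoot := c.SecurityContext.RunAsNonRoot
		if nonRoot == nil {
			nonRoot = p.SecurityContext.RunAsNonRoot // container unset: pod value applies
		}
		if nonRoot == nil || !*nonRoot {
			out = append(out, c.Name+": runAsNonRoot not enforced")
		}
		// No pod-level fallback exists for this field; unset means escalation is allowed.
		if ape := c.SecurityContext.AllowPrivilegeEscalation; ape == nil || *ape {
			out = append(out, c.Name+": allowPrivilegeEscalation not false")
		}
	}
	return out, nil
}

func main() { fmt.Println(Audit(Sample)) }
```

The input is a pod spec as JSON, for example the `spec.template.spec` object of a rendered StatefulSet.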