Skip to content

fix(helm): don't pin runAsUser/runAsGroup in grafana-mcp and querydoc chart defaults#2134

Open
SarthakB11 wants to merge 1 commit into
kagent-dev:mainfrom
SarthakB11:fix/issue-2079
Open

fix(helm): don't pin runAsUser/runAsGroup in grafana-mcp and querydoc chart defaults#2134
SarthakB11 wants to merge 1 commit into
kagent-dev:mainfrom
SarthakB11:fix/issue-2079

Conversation

@SarthakB11

Copy link
Copy Markdown
Contributor

fix(helm): don't pin runAsUser/runAsGroup in grafana-mcp and querydoc chart defaults

What

Removes the hardcoded securityContext.runAsUser / runAsGroup from the default
values.yaml of the grafana-mcp and querydoc subcharts. The two UIDs stay in the
file as commented, documented overrides for clusters that want to pin them.

Fixes #2079.

Why

On OpenShift, each namespace is assigned a dynamic UID range and the restricted-v2 SCC
rejects any pod whose runAsUser falls outside that range. Because these subcharts pin a
fixed UID in their defaults (grafana-mcp 1000/999, querydoc 14000/14000), the chart is
undeployable out of the box: the Deployments stay at 0/1 with a FailedCreate admission
error until each component's UID is overridden by hand to an in-range value that is
cluster- and namespace-specific.

With the UID unset:

  • On OpenShift the SCC injects a valid in-range UID automatically.
  • On vanilla Kubernetes the container runs as the image's USER, and runAsNonRoot: true
    (kept in podSecurityContext) still enforces non-root.

The rest of the hardening is unchanged: allowPrivilegeEscalation: false,
capabilities.drop: [ALL], readOnlyRootFilesystem: true, and the
seccompProfile: RuntimeDefault.

Fix

helm/tools/grafana-mcp/values.yaml and helm/tools/querydoc/values.yaml:

securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  # runAsUser / runAsGroup are left unset so the chart installs on OpenShift,
  # where the restricted-v2 SCC assigns a per-namespace UID range and rejects a
  # pinned UID outside it. runAsNonRoot (in podSecurityContext) still keeps the
  # container non-root. Set a fixed UID below on clusters that allow it:
  # runAsUser: 1000
  # runAsGroup: 999

Scope

This matches the two subcharts called out in the issue. Two related cases are left out on
purpose:

  • oauth2-proxy is a vendored dependency whose podSecurityContext default comes from the
    upstream chart, so it is best handled by an override through the umbrella values rather
    than edited here.
  • The bundled demo PostgreSQL (postgresql.podSecurityContext in helm/kagent/values.yaml)
    also sets fsGroup, which the same SCC restricts; unsetting it touches the data-dir
    permissions of a dev/eval database, so it deserves its own change. Happy to follow up on
    either if you'd like them in scope.

Notes

This assumes the mcp/grafana and doc2vec/mcp images declare a non-root USER. If a
maintainer would rather keep a numeric default and document the OpenShift override instead,
that is a one-line swap and I can adjust.

How to verify

helm template ./helm/tools/grafana-mcp | grep -A2 securityContext
helm template ./helm/tools/querydoc     | grep -A2 securityContext

Rendered securityContext in both charts drops runAsUser/runAsGroup, keeps allowPrivilegeEscalation: false, capabilities.drop: [ALL], readOnlyRootFilesystem: true, and seccompProfile: RuntimeDefault. podSecurityContext.runAsNonRoot: true remains in both. querydoc's {{- with .Values.securityContext }} guard still renders the block because the map stays non-empty; grafana-mcp renders it unconditionally.

Checklist

Copilot AI review requested due to automatic review settings July 1, 2026 21:27
@github-actions github-actions Bot added the bug Something isn't working label Jul 1, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adjusts Helm subchart defaults to be OpenShift-compatible by avoiding hardcoded container UIDs/GIDs that conflict with restricted SCC UID ranges.

Changes:

  • Removed default securityContext.runAsUser / runAsGroup from grafana-mcp values.
  • Removed default securityContext.runAsUser / runAsGroup from querydoc values.
  • Added inline comments documenting why the UID/GID are unset by default and how to override.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File Description
helm/tools/querydoc/values.yaml Drops pinned UID/GID defaults to allow OpenShift SCC-assigned UIDs; keeps hardened securityContext settings.
helm/tools/grafana-mcp/values.yaml Drops pinned UID/GID defaults to allow OpenShift SCC-assigned UIDs; keeps hardened securityContext settings.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +28 to +33
# runAsUser / runAsGroup are left unset so the chart installs on OpenShift,
# where the restricted-v2 SCC assigns a per-namespace UID range and rejects a
# pinned UID outside it. runAsNonRoot (in podSecurityContext) still keeps the
# container non-root. Set a fixed UID below on clusters that allow it:
# runAsUser: 14000
# runAsGroup: 14000
Comment on lines +28 to +32
# runAsUser / runAsGroup are left unset so the chart installs on OpenShift,
# where the restricted-v2 SCC assigns a per-namespace UID range and rejects a
# pinned UID outside it. runAsNonRoot (in podSecurityContext) still keeps the
# container non-root. Set a fixed UID below on clusters that allow it:
# runAsUser: 14000
Comment on lines +34 to +39
# runAsUser / runAsGroup are left unset so the chart installs on OpenShift,
# where the restricted-v2 SCC assigns a per-namespace UID range and rejects a
# pinned UID outside it. runAsNonRoot (in podSecurityContext) still keeps the
# container non-root. Set a fixed UID below on clusters that allow it:
# runAsUser: 1000
# runAsGroup: 999
Comment on lines +34 to +38
# runAsUser / runAsGroup are left unset so the chart installs on OpenShift,
# where the restricted-v2 SCC assigns a per-namespace UID range and rejects a
# pinned UID outside it. runAsNonRoot (in podSecurityContext) still keeps the
# container non-root. Set a fixed UID below on clusters that allow it:
# runAsUser: 1000
… chart defaults

The grafana-mcp and querydoc subcharts hardcode securityContext.runAsUser
(1000 and 14000) and runAsGroup (999 and 14000) in their default
values.yaml. On OpenShift, each namespace is assigned a dynamic UID
range and the restricted-v2 SCC rejects any pod whose runAsUser falls
outside that range, so the chart is undeployable out of the box: the
Deployments stay at 0/1 with a FailedCreate admission error until each
component's UID is overridden by hand to an in-range value that is
cluster- and namespace-specific.

Remove the pinned UIDs from the defaults. Documented commented
overrides remain for clusters that want to pin them. runAsNonRoot in
podSecurityContext still enforces non-root, and the rest of the
hardening (allowPrivilegeEscalation: false, capabilities.drop: [ALL],
readOnlyRootFilesystem: true, seccompProfile: RuntimeDefault) is
unchanged.

Fixes kagent-dev#2079

Signed-off-by: SarthakB11 <sarthak.bhardwaj21b@iiitg.ac.in>
@SarthakB11

Copy link
Copy Markdown
Contributor Author

Thanks for the review. Force-pushed a fix. Two changes on top of the original commit:

  • helm-unittest updates in helm/tools/querydoc/tests/deployment_test.yaml and helm/tools/grafana-mcp/tests/deployment_test.yaml: the default-container securityContext test now asserts runAsUser and runAsGroup are unset via isNull, matching the new default. The override test in both files still sets runAsUser and asserts it renders, so the override path stays covered.
  • Values comment reworded: runAsNonRoot enforces non-root rather than "keeping" it non-root; with runAsUser unset the container runs as the image's USER, so mcp/grafana and doc2vec/mcp must ship a non-root USER for the pod to start on non-OpenShift clusters. That constraint is now spelled out.

Also rebased onto main (was BEHIND #2124 / #2125). CI should re-run on the amended commit.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[BUG] Bundled subcharts hardcode securityContext.runAsUser/runAsGroup → not deployable on OpenShift (restricted-v2 dynamic UID range)

2 participants