fix(helm): don't pin runAsUser/runAsGroup in grafana-mcp and querydoc chart defaults#2134
Open
SarthakB11 wants to merge 1 commit into
Open
fix(helm): don't pin runAsUser/runAsGroup in grafana-mcp and querydoc chart defaults#2134SarthakB11 wants to merge 1 commit into
SarthakB11 wants to merge 1 commit into
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Adjusts Helm subchart defaults to be OpenShift-compatible by avoiding hardcoded container UIDs/GIDs that conflict with restricted SCC UID ranges.
Changes:
- Removed default
securityContext.runAsUser/runAsGroupfromgrafana-mcpvalues. - Removed default
securityContext.runAsUser/runAsGroupfromquerydocvalues. - Added inline comments documenting why the UID/GID are unset by default and how to override.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| helm/tools/querydoc/values.yaml | Drops pinned UID/GID defaults to allow OpenShift SCC-assigned UIDs; keeps hardened securityContext settings. |
| helm/tools/grafana-mcp/values.yaml | Drops pinned UID/GID defaults to allow OpenShift SCC-assigned UIDs; keeps hardened securityContext settings. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+28
to
+33
| # runAsUser / runAsGroup are left unset so the chart installs on OpenShift, | ||
| # where the restricted-v2 SCC assigns a per-namespace UID range and rejects a | ||
| # pinned UID outside it. runAsNonRoot (in podSecurityContext) still keeps the | ||
| # container non-root. Set a fixed UID below on clusters that allow it: | ||
| # runAsUser: 14000 | ||
| # runAsGroup: 14000 |
Comment on lines
+28
to
+32
| # runAsUser / runAsGroup are left unset so the chart installs on OpenShift, | ||
| # where the restricted-v2 SCC assigns a per-namespace UID range and rejects a | ||
| # pinned UID outside it. runAsNonRoot (in podSecurityContext) still keeps the | ||
| # container non-root. Set a fixed UID below on clusters that allow it: | ||
| # runAsUser: 14000 |
Comment on lines
+34
to
+39
| # runAsUser / runAsGroup are left unset so the chart installs on OpenShift, | ||
| # where the restricted-v2 SCC assigns a per-namespace UID range and rejects a | ||
| # pinned UID outside it. runAsNonRoot (in podSecurityContext) still keeps the | ||
| # container non-root. Set a fixed UID below on clusters that allow it: | ||
| # runAsUser: 1000 | ||
| # runAsGroup: 999 |
Comment on lines
+34
to
+38
| # runAsUser / runAsGroup are left unset so the chart installs on OpenShift, | ||
| # where the restricted-v2 SCC assigns a per-namespace UID range and rejects a | ||
| # pinned UID outside it. runAsNonRoot (in podSecurityContext) still keeps the | ||
| # container non-root. Set a fixed UID below on clusters that allow it: | ||
| # runAsUser: 1000 |
70192f0 to
f1127b3
Compare
… chart defaults The grafana-mcp and querydoc subcharts hardcode securityContext.runAsUser (1000 and 14000) and runAsGroup (999 and 14000) in their default values.yaml. On OpenShift, each namespace is assigned a dynamic UID range and the restricted-v2 SCC rejects any pod whose runAsUser falls outside that range, so the chart is undeployable out of the box: the Deployments stay at 0/1 with a FailedCreate admission error until each component's UID is overridden by hand to an in-range value that is cluster- and namespace-specific. Remove the pinned UIDs from the defaults. Documented commented overrides remain for clusters that want to pin them. runAsNonRoot in podSecurityContext still enforces non-root, and the rest of the hardening (allowPrivilegeEscalation: false, capabilities.drop: [ALL], readOnlyRootFilesystem: true, seccompProfile: RuntimeDefault) is unchanged. Fixes kagent-dev#2079 Signed-off-by: SarthakB11 <sarthak.bhardwaj21b@iiitg.ac.in>
f1127b3 to
40d75b3
Compare
Contributor
Author
|
Thanks for the review. Force-pushed a fix. Two changes on top of the original commit:
Also rebased onto main (was BEHIND #2124 / #2125). CI should re-run on the amended commit. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
fix(helm): don't pin runAsUser/runAsGroup in grafana-mcp and querydoc chart defaults
What
Removes the hardcoded
securityContext.runAsUser/runAsGroupfrom the defaultvalues.yamlof thegrafana-mcpandquerydocsubcharts. The two UIDs stay in thefile as commented, documented overrides for clusters that want to pin them.
Fixes #2079.
Why
On OpenShift, each namespace is assigned a dynamic UID range and the
restricted-v2SCCrejects any pod whose
runAsUserfalls outside that range. Because these subcharts pin afixed UID in their defaults (
grafana-mcp1000/999,querydoc14000/14000), the chart isundeployable out of the box: the Deployments stay at
0/1with aFailedCreateadmissionerror until each component's UID is overridden by hand to an in-range value that is
cluster- and namespace-specific.
With the UID unset:
USER, andrunAsNonRoot: true(kept in
podSecurityContext) still enforces non-root.The rest of the hardening is unchanged:
allowPrivilegeEscalation: false,capabilities.drop: [ALL],readOnlyRootFilesystem: true, and theseccompProfile: RuntimeDefault.Fix
helm/tools/grafana-mcp/values.yamlandhelm/tools/querydoc/values.yaml:Scope
This matches the two subcharts called out in the issue. Two related cases are left out on
purpose:
oauth2-proxyis a vendored dependency whosepodSecurityContextdefault comes from theupstream chart, so it is best handled by an override through the umbrella values rather
than edited here.
postgresql.podSecurityContextinhelm/kagent/values.yaml)also sets
fsGroup, which the same SCC restricts; unsetting it touches the data-dirpermissions of a dev/eval database, so it deserves its own change. Happy to follow up on
either if you'd like them in scope.
Notes
This assumes the
mcp/grafanaanddoc2vec/mcpimages declare a non-rootUSER. If amaintainer would rather keep a numeric default and document the OpenShift override instead,
that is a one-line swap and I can adjust.
How to verify
Rendered
securityContextin both charts dropsrunAsUser/runAsGroup, keepsallowPrivilegeEscalation: false,capabilities.drop: [ALL],readOnlyRootFilesystem: true, andseccompProfile: RuntimeDefault.podSecurityContext.runAsNonRoot: trueremains in both.querydoc's{{- with .Values.securityContext }}guard still renders the block because the map stays non-empty;grafana-mcprenders it unconditionally.Checklist
runAsNonRoot: trueretained in both charts