Do not set securityContext on Openshift < 4.11 (#2678)

hashicorp · Jul 31, 2023 · 8e39475 · 8e39475
1 parent bb98d37
commit 8e39475
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 2 deletions.
diff --git a/.changelog/2678.txt b/.changelog/2678.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+helm: do not set container securityContexts by default on OpenShift < 4.11
+```
diff --git a/charts/consul/templates/_helpers.tpl b/charts/consul/templates/_helpers.tpl
@@ -15,8 +15,23 @@ as well as the global.name setting.
 {{- end -}}
 {{- end -}}
 
+
 {{- define "consul.restrictedSecurityContext" -}}
 {{- if not .Values.global.enablePodSecurityPolicies -}}
+{{/*
+To be compatible with the 'restricted' Pod Security Standards profile, we
+should set this securityContext on containers whenever possible.
+
+In OpenShift < 4.11 the restricted SCC disallows setting most of these fields,
+so we do not set any for simplicity (and because that's how it was configured
+prior to adding restricted PSA support here). In OpenShift >= 4.11, the new
+restricted-v2 SCC allows setting these in the securityContext, and by setting
+them we avoid PSA warnings that are enabled by default.
+
+We use the K8s version as a proxy for the OpenShift version because there is a
+1:1 mapping of versions. OpenShift 4.11 corresponds to K8s 1.24.x.
+*/}}
+{{- if (or (not .Values.global.openshift.enabled) (and (ge .Capabilities.KubeVersion.Major "1") (ge .Capabilities.KubeVersion.Minor "24"))) -}}
 securityContext:
   allowPrivilegeEscalation: false
   capabilities:
@@ -25,11 +40,12 @@ securityContext:
   runAsNonRoot: true
   seccompProfile:
     type: RuntimeDefault
+{{- end -}}
 {{- if not .Values.global.openshift.enabled -}}
 {{/*
 We must set runAsUser or else the root user will be used in some cases and
 containers will fail to start due to runAsNonRoot above (e.g.
-tls-init-cleanup). On OpenShift, runAsUser is automatically. We pick user 100
+tls-init-cleanup). On OpenShift, runAsUser is set automatically. We pick user 100
 because it is a non-root user id that exists in the consul, consul-dataplane,
 and consul-k8s-control-plane images.
 */}}

diff --git a/charts/consul/test/unit/server-statefulset.bats b/charts/consul/test/unit/server-statefulset.bats
@@ -846,9 +846,11 @@ load _helpers
 #--------------------------------------------------------------------
 # global.openshift.enabled
 
-@test "server/StatefulSet: restricted container securityContexts are set when global.openshift.enabled=true" {
+@test "server/StatefulSet: restricted container securityContexts are set when global.openshift.enabled=true on OpenShift >= 4.11" {
   cd `chart_dir`
+  # OpenShift 4.11 == Kube 1.24
   local manifest=$(helm template \
+      --kube-version '1.24' \
       -s templates/server-statefulset.yaml  \
       --set 'global.openshift.enabled=true' \
       . | tee /dev/stderr)
@@ -870,6 +872,20 @@ load _helpers
   [ "$equal" == "true" ]
 }
 
+@test "server/StatefulSet: restricted container securityContexts are not set when global.openshift.enabled=true on OpenShift < 4.11" {
+  cd `chart_dir`
+  # OpenShift 4.11 == Kube 1.24
+  local manifest=$(helm template \
+      --kube-version '1.23' \
+      -s templates/server-statefulset.yaml  \
+      --set 'global.openshift.enabled=true' \
+      . | tee /dev/stderr)
+
+  # Check consul container
+  local actual=$(echo "$manifest" | yq -r '.spec.template.spec.containers | map(select(.name == "consul")) | .[0].securityContext')
+  [ "$actual" == "null" ]
+}
+
 #--------------------------------------------------------------------
 # global.openshift.enabled = false