Allow container UID/GID to be specified in helm values.yaml (#27778)

2026-05-23 00:49:03 +00:00 · 2025-04-02 10:17:52 -05:00 · 2025-04-02 10:17:52 -05:00 · 45bfbb7db7
commit 45bfbb7db7
parent 90e500ff1b
5 changed files with 17 additions and 14 deletions
--- a/charts/fleet/Chart.yaml
+++ b/charts/fleet/Chart.yaml
@ -4,7 +4,7 @@ name: fleet
 keywords:
  - fleet
  - osquery
-version: v6.4.4
+version: v6.5.0
 home: https://github.com/fleetdm/fleet
 sources:
  - https://github.com/fleetdm/fleet.git
--- a/charts/fleet/templates/cron-vulnprocessing.yaml
+++ b/charts/fleet/templates/cron-vulnprocessing.yaml
@ -168,8 +168,8 @@ spec:
                {{- end }}
              privileged: false
              readOnlyRootFilesystem: true
-              runAsGroup: 3333
-              runAsUser: 3333
+              runAsGroup: {{ int64 .Values.fleet.securityContext.runAsGroup }}
+              runAsUser: {{ int64 .Values.fleet.securityContext.runAsUser }}
              runAsNonRoot: true
            volumeMounts:
              - name: tmp
@ -199,8 +199,8 @@ spec:
                drop: [ALL]
              privileged: false
              readOnlyRootFilesystem: true
-              runAsGroup: 3333
-              runAsUser: 3333
+              runAsGroup: {{ int64 .Values.fleet.securityContext.runAsGroup }}
+              runAsUser: {{ int64 .Values.fleet.securityContext.runAsUser }}
              runAsNonRoot: true
          {{- end }}
          serviceAccountName: fleet
--- a/charts/fleet/templates/deployment.yaml
+++ b/charts/fleet/templates/deployment.yaml
@ -304,8 +304,8 @@ spec:
            drop: [ALL]
          privileged: false
          readOnlyRootFilesystem: true
-          runAsGroup: 3333
-          runAsUser: 3333
+          runAsGroup: {{ int64 .Values.fleet.securityContext.runAsGroup }}
+          runAsUser: {{ int64 .Values.fleet.securityContext.runAsUser }}
          runAsNonRoot: true
        livenessProbe:
          httpGet:
@ -363,8 +363,8 @@ spec:
            drop: [ALL]
          privileged: false
          readOnlyRootFilesystem: true
-          runAsGroup: 3333
-          runAsUser: 3333
+          runAsGroup: {{ int64 .Values.fleet.securityContext.runAsGroup }}
+          runAsUser: {{ int64 .Values.fleet.securityContext.runAsUser }}
          runAsNonRoot: true
      {{- end }}
      hostPID: false
--- a/charts/fleet/templates/job-migration.yaml
+++ b/charts/fleet/templates/job-migration.yaml
@ -131,8 +131,8 @@ spec:
            {{- end }}
          privileged: false
          readOnlyRootFilesystem: true
-          runAsGroup: 3333
-          runAsUser: 3333
+          runAsGroup: {{ int64 .Values.fleet.securityContext.runAsGroup }}
+          runAsUser: {{ int64 .Values.fleet.securityContext.runAsUser }}
          runAsNonRoot: true
        volumeMounts:
          {{- if .Values.database.tls.enabled }}
@ -160,8 +160,8 @@ spec:
            drop: [ALL]
          privileged: false
          readOnlyRootFilesystem: true
-          runAsGroup: 3333
-          runAsUser: 3333
+          runAsGroup: {{ int64 .Values.fleet.securityContext.runAsGroup }}
+          runAsUser: {{ int64 .Values.fleet.securityContext.runAsUser }}
          runAsNonRoot: true
      {{- end }}
      serviceAccountName: fleet
--- a/charts/fleet/values.yaml
+++ b/charts/fleet/values.yaml
@ -103,7 +103,10 @@ fleet:
    licenseKey: license-key
  extraVolumes: []
  extraVolumeMounts: []
-
+  # Currently only passes runAsUser and runAsGroup
+  securityContext:
+    runAsUser: 3333
+    runAsGroup: 3333
 # Whether to make fleet vulnerability processing run in a dedicated container
 # if you set dedicated=false, you need to increase the main resources section
 # to 4Gi or the fleet container will be OOMKilled when vulnerability processing