From 45bfbb7db7b9d2250ca0b4dc0f7e57a5812a414c Mon Sep 17 00:00:00 2001
From: Robert Fairburn <8029478+rfairburn@users.noreply.github.com>
Date: Wed, 2 Apr 2025 10:17:52 -0500
Subject: [PATCH] Allow container UID/GID to be specified in helm values.yaml (#27778)

---
 charts/fleet/Chart.yaml | 2 +-
 charts/fleet/templates/cron-vulnprocessing.yaml | 8 ++++----
 charts/fleet/templates/deployment.yaml | 8 ++++----
 charts/fleet/templates/job-migration.yaml | 8 ++++----
 charts/fleet/values.yaml | 5 ++++-
 5 files changed, 17 insertions(+), 14 deletions(-)

diff --git a/charts/fleet/Chart.yaml b/charts/fleet/Chart.yaml
index abe7570839..58df15c653 100644
--- a/charts/fleet/Chart.yaml
+++ b/charts/fleet/Chart.yaml
@@ -4,7 +4,7 @@ name: fleet
 keywords:
 - fleet
 - osquery
-version: v6.4.4
+version: v6.5.0
 home: https://github.com/fleetdm/fleet
 sources:
 - https://github.com/fleetdm/fleet.git
diff --git a/charts/fleet/templates/cron-vulnprocessing.yaml b/charts/fleet/templates/cron-vulnprocessing.yaml
index 3957282235..6685a464b6 100644
--- a/charts/fleet/templates/cron-vulnprocessing.yaml
+++ b/charts/fleet/templates/cron-vulnprocessing.yaml
@@ -168,8 +168,8 @@ spec:
 {{- end }}
 privileged: false
 readOnlyRootFilesystem: true
- runAsGroup: 3333
- runAsUser: 3333
+ runAsGroup: {{ int64 .Values.fleet.securityContext.runAsGroup }}
+ runAsUser: {{ int64 .Values.fleet.securityContext.runAsUser }}
 runAsNonRoot: true
 volumeMounts:
 - name: tmp
@@ -199,8 +199,8 @@ spec:
 drop: [ALL]
 privileged: false
 readOnlyRootFilesystem: true
- runAsGroup: 3333
- runAsUser: 3333
+ runAsGroup: {{ int64 .Values.fleet.securityContext.runAsGroup }}
+ runAsUser: {{ int64 .Values.fleet.securityContext.runAsUser }}
 runAsNonRoot: true
 {{- end }}
 serviceAccountName: fleet
diff --git a/charts/fleet/templates/deployment.yaml b/charts/fleet/templates/deployment.yaml
index 0ec7b9c39e..53863f838d 100644
--- a/charts/fleet/templates/deployment.yaml
+++ b/charts/fleet/templates/deployment.yaml
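Review bot: `int64` on the new runAsGroup/runAsUser lines in this hunk coerces an unset, empty or non-numeric value to `0`, so a typo in values.yaml renders `runAsUser: 0`; the adjacent hard-coded `runAsNonRoot: true` then makes the kubelet refuse the container at pod start, and the misconfiguration surfaces as a confusing container-create error rather than a clear render-time error. A guard in the template would make it explicit, e.g. `{{- if le (int64 .Values.fleet.securityContext.runAsUser) 0 }}{{ fail "fleet.securityContext.runAsUser must be a positive integer" }}{{- end }}`, with the same check for runAsGroup. The identical two lines also appear in the second hunk of this file and in both hunks of deployment.yaml and job-migration.yaml; a named template (for example one called `fleet.containerSecurityContext`) included at the six sites would keep the guard and any future fields in one place. The enclosing securityContext mapping starts outside the hunk.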
@@ -304,8 +304,8 @@ spec:
 drop: [ALL]
 privileged: false
 readOnlyRootFilesystem: true
- runAsGroup: 3333
- runAsUser: 3333
+ runAsGroup: {{ int64 .Values.fleet.securityContext.runAsGroup }}
+ runAsUser: {{ int64 .Values.fleet.securityContext.runAsUser }}
 runAsNonRoot: true
 livenessProbe:
 httpGet:
@@ -363,8 +363,8 @@ spec:
 drop: [ALL]
 privileged: false
 readOnlyRootFilesystem: true
- runAsGroup: 3333
- runAsUser: 3333
+ runAsGroup: {{ int64 .Values.fleet.securityContext.runAsGroup }}
+ runAsUser: {{ int64 .Values.fleet.securityContext.runAsUser }}
 runAsNonRoot: true
 {{- end }}
 hostPID: false
diff --git a/charts/fleet/templates/job-migration.yaml b/charts/fleet/templates/job-migration.yaml
index 96737d07e7..aaf4218291 100644
--- a/charts/fleet/templates/job-migration.yaml
+++ b/charts/fleet/templates/job-migration.yaml
@@ -131,8 +131,8 @@ spec:
 {{- end }}
 privileged: false
 readOnlyRootFilesystem: true
- runAsGroup: 3333
- runAsUser: 3333
+ runAsGroup: {{ int64 .Values.fleet.securityContext.runAsGroup }}
+ runAsUser: {{ int64 .Values.fleet.securityContext.runAsUser }}
 runAsNonRoot: true
 volumeMounts:
 {{- if .Values.database.tls.enabled }}
@@ -160,8 +160,8 @@ spec:
 drop: [ALL]
 privileged: false
 readOnlyRootFilesystem: true
- runAsGroup: 3333
- runAsUser: 3333
+ runAsGroup: {{ int64 .Values.fleet.securityContext.runAsGroup }}
+ runAsUser: {{ int64 .Values.fleet.securityContext.runAsUser }}
 runAsNonRoot: true
 {{- end }}
 serviceAccountName: fleet
diff --git a/charts/fleet/values.yaml b/charts/fleet/values.yaml
index 5135805110..bf4370bbab 100644
--- a/charts/fleet/values.yaml
+++ b/charts/fleet/values.yaml
@@ -103,7 +103,10 @@ fleet:
 licenseKey: license-key
 extraVolumes: []
 extraVolumeMounts: []
-
+ # Currently only passes runAsUser and runAsGroup
+ securityContext:
+ runAsUser: 3333
+ runAsGroup: 3333
 # Whether to make fleet vulnerability processing run in a dedicated container
 # if you set dedicated=false, you need to increase the main resources section
 # to 4Gi or the fleet container will be OOMKilled when vulnerability processing
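Review bot: The comment added above the new `securityContext` block says what is passed through but not the constraints the consuming templates impose: they keep `runAsNonRoot: true` hard-coded next to these values, so `0` is never a usable value, and they wrap the values in `int64`, so a quoted or non-numeric entry silently becomes `0` and the pod is rejected at start. Suggest replacing the comment with something like `# UID/GID the fleet containers run as. Must be non-zero integers: the templates keep runAsNonRoot: true, so 0 is rejected at pod start. Only runAsUser and runAsGroup are applied; other securityContext fields here are ignored.` Whether the image's writable paths assume UID/GID 3333 is not visible in this diff; if they do, the comment should also say that changing the value requires matching ownership.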