add chown and chmod to hostPath

Author: prasebha

CHANGELOG.md

@@ -1,10 +1,5 @@
 # Change Log
 
-## 2024-08-23
-### Changed
-- Management Agent docker image has been updated to version 1.5.0
-- Extra environment (extraEnv) added to Management Agent. 
-
 ## 2024-07-08
 ### Added
 - Option to disable JRE default security property for Agent.

charts/mgmt-agent/templates/metric_server.yaml

@@ -138,15 +138,15 @@ spec:
       containers:
       - args:
         - --cert-dir=/tmp
-        - --secure-port=4443
+        - --secure-port=10250
         - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
         - --kubelet-use-node-status-port
         - --metric-resolution=15s
-        image: registry.k8s.io/metrics-server/metrics-server:v0.6.3
+        image: registry.k8s.io/metrics-server/metrics-server:v0.7.2
         imagePullPolicy: IfNotPresent
         name: metrics-server
         ports:
-        - containerPort: 4443
+        - containerPort: 10250
           name: https
           protocol: TCP
         resources:
@@ -155,9 +155,14 @@ spec:
             memory: 200Mi
         securityContext:
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: 1000
+          seccompProfile:
+            type: RuntimeDefault
         volumeMounts:
         - mountPath: /tmp
           name: tmp-dir

charts/mgmt-agent/templates/mgmt-agent-daemonset.yaml

@@ -69,6 +69,18 @@ spec:
           securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
+      {{- if .Values.deployment.daemonSet.overrideOwnership }}
+      initContainers:
+        - name: change-ownership-container
+          image: container-registry.oracle.com/os/oraclelinux:8-slim
+          command: ["/bin/sh", "-c", "chmod 750 /opt/oracle && chown -R {{ .Values.deployment.security.runAsUser }}:{{ .Values.deployment.security.runAsGroup }} /opt/oracle"]
+          securityContext:
+            runAsUser: 0
+            privileged: true
+          volumeMounts:
+          - name: mgmtagent-hostpath
+            mountPath: /opt/oracle
+      {{- end }}
       volumes:
         - name: mgmtagent-secret
           secret:
@@ -84,7 +96,7 @@ spec:
             name: {{ include "mgmt-agent.resourceNamePrefix" . }}-agent
         - name: mgmtagent-hostpath
           hostPath: 
-            path: {{ required "deployment.daemonSet.hostPath is required" .Values.deployment.daemonSet.hostPath }}
+            path: "{{ required "deployment.daemonSet.hostPath is required" .Values.deployment.daemonSet.hostPath }}/daemonset-mgmtagent-container"
         - emptyDir: {}
           name: tmp
 {{- end }}

charts/mgmt-agent/values.yaml

@@ -84,8 +84,14 @@ deployment:
    daemonSetDeployment: false
 
    daemonSet:
-      # Provide the host path if Agent is deployed as DaemonSet. Management Agent Pod should have read-write access to it.
-      hostPath:
+      # Provide the host path (defaults to /opt/oracle, please change if required) if Agent is deployed as DaemonSet. Management Agent Pod should have read-write access to it.
+      # The host path needs to be owned by runAsUser and runAsGroup, provided under security context above.
+      # Note: The deployment will create a sub directory i.e. daemonset-mgmtagent-container under the the provided hostPath.
+      hostPath: /opt/oracle
+      # Override the ownership and permissions on the hostPath, to be owned by the runAsUser and runAsGroup provided under security context above and the permission as 750. 
+      # Note: This requires oraclelinux:8-slim image
+      # Setting overrideOwnership to false will disable the ownership change.
+      overrideOwnership: true
 
    # Provide the agent resources as per Kubernetes resource quantity
    resource:

charts/oci-onm/Chart.yaml

@@ -18,7 +18,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 3.4.5
+version: 3.4.4
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to