diff --git a/.changes/unreleased/charts-redpanda-Fixed-20251103-205145.yaml b/.changes/unreleased/charts-redpanda-Fixed-20251103-205145.yaml
new file mode 100644
index 000000000..0d5e1b654
--- /dev/null
+++ b/.changes/unreleased/charts-redpanda-Fixed-20251103-205145.yaml
@@ -0,0 +1,5 @@
+project: charts/redpanda
+kind: Fixed
+body: |
+ Fix `CreateContainerConfigError: Error: container's runAsUser breaks non-root policy...` error with `statefulset.podTemplate.spec.securityContext.runAsNonRoot: true`
+time: 2025-11-03T20:51:45.198677+02:00
diff --git a/charts/redpanda/statefulset.go b/charts/redpanda/statefulset.go
index 98c7ea6c0..8efb399a6 100644
--- a/charts/redpanda/statefulset.go
+++ b/charts/redpanda/statefulset.go
@@ -395,9 +395,10 @@ func statefulSetInitContainerTuning(dot *helmette.Dot) *corev1.Container {
 Capabilities: &corev1.Capabilities{
 Add: []corev1.Capability{`SYS_RESOURCE`},
 },
- Privileged: ptr.To(true),
- RunAsUser: ptr.To(int64(0)),
- RunAsGroup: ptr.To(int64(0)),
+ Privileged: ptr.To(true),
+ RunAsNonRoot: ptr.To(false),
+ RunAsUser: ptr.To(int64(0)),
+ RunAsGroup: ptr.To(int64(0)),
 },
 VolumeMounts: append(append(CommonMounts(dot),
 templateToVolumeMounts(dot, values.Statefulset.InitContainers.Tuning.ExtraVolumeMounts)...),
diff --git a/charts/redpanda/templates/_statefulset.go.tpl b/charts/redpanda/templates/_statefulset.go.tpl
index d19725a57..ef1812c3f 100644
--- a/charts/redpanda/templates/_statefulset.go.tpl
+++ b/charts/redpanda/templates/_statefulset.go.tpl
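Review bot: In the charts/redpanda/statefulset.go hunk, the new `RunAsNonRoot: ptr.To(false)` on the tuning init container has no comment saying that it deliberately overrides a pod-level `runAsNonRoot: true`, so a later cleanup could drop it as redundant next to `RunAsUser: ptr.To(int64(0))`. I would add a line above it such as `// Set explicitly: this container runs privileged as UID 0, and a pod-level runAsNonRoot: true would otherwise fail container creation.` The security consequence also deserves a sentence in the chart documentation: a pod that requests non-root still starts one privileged root init container after this change, so operators who need a strictly non-root pod must disable the tuning init container rather than rely on the pod-level setting. The body of statefulSetInitContainerTuning starts and ends outside the hunk.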
@@ -221,7 +221,7 @@ {{- break -}} {{- end -}} {{- $_is_returning = true -}} -{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict)) (dict "name" "tuning" "image" (printf "%s:%s" $values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot)))) "r")) "command" (list `/bin/bash` `-c` `rpk redpanda tune all`) "securityContext" (mustMergeOverwrite (dict) (dict "capabilities" (mustMergeOverwrite (dict) (dict "add" (list `SYS_RESOURCE`))) "privileged" true "runAsUser" ((0 | int64) | int64) "runAsGroup" ((0 | int64) | int64))) "volumeMounts" (concat (default (list) (concat (default (list) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot)))) "r")) (default (list) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.initContainers.tuning.extraVolumeMounts)))) "r")))) (list (mustMergeOverwrite (dict "name" "" "mountPath" "") (dict "name" "base-config" "mountPath" "/etc/redpanda")))) "resources" $values.statefulset.initContainers.tuning.resources))) | toJson -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict)) (dict "name" "tuning" "image" (printf "%s:%s" $values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot)))) "r")) "command" (list `/bin/bash` `-c` `rpk redpanda tune all`) "securityContext" (mustMergeOverwrite (dict) (dict "capabilities" (mustMergeOverwrite (dict) (dict "add" (list `SYS_RESOURCE`))) "privileged" true "runAsNonRoot" false "runAsUser" ((0 | int64) | int64) "runAsGroup" ((0 | int64) | int64))) "volumeMounts" (concat (default (list) (concat (default (list) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot)))) "r")) (default (list) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.initContainers.tuning.extraVolumeMounts)))) "r")))) (list (mustMergeOverwrite (dict "name" "" "mountPath" "") (dict "name" "base-config" "mountPath" 
"/etc/redpanda")))) "resources" $values.statefulset.initContainers.tuning.resources))) | toJson -}} {{- break -}} {{- end -}} {{- end -}} @@ -236,9 +236,9 @@ {{- (dict "r" (coalesce nil)) | toJson -}} {{- break -}} {{- end -}} -{{- $_426_uid_gid := (get (fromJson (include "redpanda.securityContextUidGid" (dict "a" (list $dot "set-datadir-ownership")))) "r") -}} -{{- $uid := ((index $_426_uid_gid 0) | int64) -}} -{{- $gid := ((index $_426_uid_gid 1) | int64) -}} +{{- $_427_uid_gid := (get (fromJson (include "redpanda.securityContextUidGid" (dict "a" (list $dot "set-datadir-ownership")))) "r") -}} +{{- $uid := ((index $_427_uid_gid 0) | int64) -}} +{{- $gid := ((index $_427_uid_gid 1) | int64) -}} {{- $_is_returning = true -}} {{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict)) (dict "name" "set-datadir-ownership" "image" (printf "%s:%s" $values.statefulset.initContainerImage.repository $values.statefulset.initContainerImage.tag) "command" (list `/bin/sh` `-c` (printf `chown %d:%d -R /var/lib/redpanda/data` $uid $gid)) "volumeMounts" (concat (default (list) (concat (default (list) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot)))) "r")) (default (list) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.initContainers.setDataDirOwnership.extraVolumeMounts)))) "r")))) (list (mustMergeOverwrite (dict "name" "" "mountPath" "") (dict "name" `datadir` "mountPath" `/var/lib/redpanda/data`)))) "resources" $values.statefulset.initContainers.setDataDirOwnership.resources))) | toJson -}} {{- break -}} 
@@ -297,9 +297,9 @@ {{- (dict "r" (coalesce nil)) | toJson -}} {{- break -}} {{- end -}} -{{- $_508_uid_gid := (get (fromJson (include "redpanda.securityContextUidGid" (dict "a" (list $dot "set-tiered-storage-cache-dir-ownership")))) "r") -}} -{{- $uid := ((index $_508_uid_gid 0) | int64) -}} -{{- $gid := ((index $_508_uid_gid 1) | int64) -}} +{{- $_509_uid_gid := (get (fromJson (include "redpanda.securityContextUidGid" (dict "a" (list $dot "set-tiered-storage-cache-dir-ownership")))) "r") -}} +{{- $uid := ((index $_509_uid_gid 0) | int64) -}} +{{- $gid := ((index $_509_uid_gid 1) | int64) -}} {{- $cacheDir := (get (fromJson (include "redpanda.Storage.TieredCacheDirectory" (dict "a" (list $values.storage $dot)))) "r") -}} {{- $mounts := (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot)))) "r") -}} {{- $mounts = (concat (default (list) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "") (dict "name" "datadir" "mountPath" "/var/lib/redpanda/data")))) -}} diff --git a/charts/redpanda/testdata/template-cases.golden.txtar b/charts/redpanda/testdata/template-cases.golden.txtar index 71c1dab13..f0d51aea1 100644 --- a/charts/redpanda/testdata/template-cases.golden.txtar +++ b/charts/redpanda/testdata/template-cases.golden.txtar @@ -1003,6 +1003,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -2375,6 +2376,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/redpanda @@ -3597,6 +3599,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -5037,6 +5040,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/secrets/users 
@@ -6373,6 +6377,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/secrets/users @@ -7939,6 +7944,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -9524,6 +9530,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -11005,6 +11012,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -12546,6 +12554,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -14112,6 +14121,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -15684,6 +15694,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/secrets/users @@ -17201,6 +17212,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -18687,6 +18699,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -19991,6 +20004,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/redpanda @@ -21279,6 +21293,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -22793,6 +22808,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default 
@@ -24278,6 +24294,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -25760,6 +25777,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -27301,6 +27319,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -28855,6 +28874,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -30409,6 +30429,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -31909,6 +31930,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -33464,6 +33486,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -35037,6 +35060,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -36610,6 +36634,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -38130,6 +38155,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -39703,6 +39729,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -41276,6 +41303,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default 
@@ -42849,6 +42877,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -44369,6 +44398,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -45885,6 +45915,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -47368,6 +47399,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -48850,6 +48882,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -50423,6 +50456,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -51923,6 +51957,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -53408,6 +53443,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -54945,6 +54981,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -56684,6 +56721,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -58166,6 +58204,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -59659,6 +59698,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default 
@@ -61182,6 +61222,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -62698,6 +62739,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -64210,6 +64252,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -65503,6 +65546,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -67113,6 +67157,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -68602,6 +68647,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/secrets/users @@ -70176,6 +70222,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -71665,6 +71712,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -73394,6 +73442,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -74927,6 +74976,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -76410,6 +76460,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -77893,6 +77944,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default 
@@ -82224,6 +82276,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -83791,6 +83844,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/secrets/users @@ -85332,6 +85386,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -86869,6 +86924,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -88402,6 +88458,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -89899,6 +89956,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -91436,6 +91494,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -92969,6 +93028,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -94454,6 +94514,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -95991,6 +96052,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -97524,6 +97586,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -99009,6 +99072,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default 
@@ -100546,6 +100610,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -102079,6 +102144,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -103564,6 +103630,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -105101,6 +105168,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -106634,6 +106702,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -108119,6 +108188,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -109656,6 +109726,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -111189,6 +111260,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -112674,6 +112746,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -113962,6 +114035,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/for-external @@ -117460,6 +117534,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/secrets/users @@ -119191,6 +119266,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default 
@@ -124529,6 +124605,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -126094,6 +126171,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -127744,6 +127822,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -129332,6 +129411,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -130948,6 +131028,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -132487,6 +132568,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -134120,6 +134202,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -135602,6 +135685,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -137084,6 +137168,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -138582,6 +138667,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -140429,6 +140515,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/secrets/users @@ -142119,6 +142206,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default 
@@ -143656,6 +143744,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -145189,6 +145278,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -146674,6 +146764,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -148211,6 +148302,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -149744,6 +149836,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -151246,6 +151339,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -152890,6 +152984,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -154186,6 +154281,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default diff --git a/charts/redpanda/testdata/template-cases.txtar b/charts/redpanda/testdata/template-cases.txtar index 2335aa613..f546a2f3c 100644 --- a/charts/redpanda/testdata/template-cases.txtar +++ b/charts/redpanda/testdata/template-cases.txtar 
@@ -240,6 +240,7 @@ auth:
 # ASSERT-FIELD-EQUALS ["apps/v1/StatefulSet", "default/redpanda", "{.spec.template.spec.containers[0].securityContext.privileged}", false]
 # ASSERT-FIELD-EQUALS ["apps/v1/StatefulSet", "default/redpanda", "{.spec.template.spec.containers[0].securityContext.runAsGroup}", 6767]
 # ASSERT-FIELD-EQUALS ["apps/v1/StatefulSet", "default/redpanda", "{.spec.template.spec.containers[0].securityContext.runAsUser}", 5656]
+# ASSERT-FIELD-EQUALS ["apps/v1/StatefulSet", "default/redpanda", "{.spec.template.spec.initContainers[0].securityContext.runAsNonRoot}", false]
 # ASSERT-FIELD-EQUALS ["apps/v1/StatefulSet", "default/redpanda", "{.spec.template.metadata.labels.label}", "rp-sts"]
 # ASSERT-FIELD-EQUALS ["apps/v1/StatefulSet", "default/redpanda", "{.spec.template.metadata.annotations.anno}", "rp-sts"]
 # ASSERT-FIELD-EQUALS ["apps/v1/StatefulSet", "default/redpanda", "{.spec.template.spec.containers[0].env[?(@.name==\"HELLO\")].value}", "WORLD"]
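Review bot: The added assertion selects the container by position, `initContainers[0]`, so its result depends on init-container ordering rather than on the tuning container it is meant to check. The last context line already uses a name filter (`env[?(@.name==\"HELLO\")]`), so the same form would pin the right container: `{.spec.template.spec.initContainers[?(@.name==\"tuning\")].securityContext.runAsNonRoot}`. The values for this case are outside the hunk; if they do not already set pod-level `runAsNonRoot: true`, an extra assertion that `{.spec.template.spec.securityContext.runAsNonRoot}` equals `true` would make the case cover the failure named in the changelog entry.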