From fe8c853f13f1c18e0580888555b966cba6f81cd6 Mon Sep 17 00:00:00 2001
From: Rafal Korepta
Date: Tue, 4 Nov 2025 15:28:40 +0100
Subject: [PATCH] chart/redpanda: Set securityContext.runAsNonRoot to false for tuning container

(cherry picked from commit f187f32f01c67eca53ee455400c80824c57057d4)
---
 ...charts-redpanda-Fixed-20251103-205145.yaml | 5 ++
 charts/redpanda/statefulset.go | 7 +-
 charts/redpanda/templates/_statefulset.go.tpl | 26 +++---
 .../testdata/template-cases.golden.txtar | 88 +++++++++++++++++++
 charts/redpanda/testdata/template-cases.txtar | 1 +
 5 files changed, 111 insertions(+), 16 deletions(-)
 create mode 100644 .changes/unreleased/charts-redpanda-Fixed-20251103-205145.yaml

diff --git a/.changes/unreleased/charts-redpanda-Fixed-20251103-205145.yaml b/.changes/unreleased/charts-redpanda-Fixed-20251103-205145.yaml
new file mode 100644
index 000000000..0d5e1b654
--- /dev/null
+++ b/.changes/unreleased/charts-redpanda-Fixed-20251103-205145.yaml
@@ -0,0 +1,5 @@
+project: charts/redpanda
+kind: Fixed
+body: |
+ Fix `CreateContainerConfigError: Error: container's runAsUser breaks non-root policy...` error with `statefulset.podTemplate.spec.securityContext.runAsNonRoot: true`
+time: 2025-11-03T20:51:45.198677+02:00
diff --git a/charts/redpanda/statefulset.go b/charts/redpanda/statefulset.go
index 141c4b4bd..5021bff8d 100644
--- a/charts/redpanda/statefulset.go
+++ b/charts/redpanda/statefulset.go
@@ -374,9 +374,10 @@ func statefulSetInitContainerTuning(dot *helmette.Dot) *corev1.Container {
 Capabilities: &corev1.Capabilities{
 Add: []corev1.Capability{`SYS_RESOURCE`},
 },
- Privileged: ptr.To(true),
- RunAsUser: ptr.To(int64(0)),
- RunAsGroup: ptr.To(int64(0)),
+ Privileged: ptr.To(true),
+ RunAsNonRoot: ptr.To(false),
+ RunAsUser: ptr.To(int64(0)),
+ RunAsGroup: ptr.To(int64(0)),
 },
 VolumeMounts: append(
 CommonMounts(dot),
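Review bot: `RunAsNonRoot: ptr.To(false)` in statefulSetInitContainerTuning silently exempts a privileged, UID 0 container from a pod-level `runAsNonRoot: true`, and nothing in the code records that this is deliberate. I would add a comment above the field, for example `// tuning must run as root; override a pod-level runAsNonRoot: true so the kubelet does not reject the container`, and mention the exemption in the changelog body or values documentation so operators who set the pod-level flag know one root init container remains. The set-datadir-ownership init container visible in `_statefulset.go.tpl` also sets `runAsUser` 0 without `runAsNonRoot`, so it presumably hits the same `CreateContainerConfigError` when it is enabled; this commit does not address that. The function body starts and ends outside the hunk.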
diff --git a/charts/redpanda/templates/_statefulset.go.tpl b/charts/redpanda/templates/_statefulset.go.tpl index 129ea4d86..ac21dd25f 100644 --- a/charts/redpanda/templates/_statefulset.go.tpl +++ b/charts/redpanda/templates/_statefulset.go.tpl @@ -200,7 +200,7 @@ {{- break -}} {{- end -}} {{- $_is_returning = true -}} -{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict)) (dict "name" "tuning" "image" (printf "%s:%s" $values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot)))) "r")) "command" (list `/bin/bash` `-c` `rpk redpanda tune all`) "securityContext" (mustMergeOverwrite (dict) (dict "capabilities" (mustMergeOverwrite (dict) (dict "add" (list `SYS_RESOURCE`))) "privileged" true "runAsUser" ((0 | int64) | int64) "runAsGroup" ((0 | int64) | int64))) "volumeMounts" (concat (default (list) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot)))) "r")) (list (mustMergeOverwrite (dict "name" "" "mountPath" "") (dict "name" "base-config" "mountPath" "/etc/redpanda"))))))) | toJson -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict)) (dict "name" "tuning" "image" (printf "%s:%s" $values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot)))) "r")) "command" (list `/bin/bash` `-c` `rpk redpanda tune all`) "securityContext" (mustMergeOverwrite (dict) (dict "capabilities" (mustMergeOverwrite (dict) (dict "add" (list `SYS_RESOURCE`))) "privileged" true "runAsNonRoot" false "runAsUser" ((0 | int64) | int64) "runAsGroup" ((0 | int64) | int64))) "volumeMounts" (concat (default (list) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot)))) "r")) (list (mustMergeOverwrite (dict "name" "" "mountPath" "") (dict "name" "base-config" "mountPath" "/etc/redpanda"))))))) | toJson -}} {{- break -}} {{- end -}} {{- end -}} 
@@ -215,9 +215,9 @@ {{- (dict "r" (coalesce nil)) | toJson -}} {{- break -}} {{- end -}} -{{- $_404_uid_gid := (get (fromJson (include "redpanda.securityContextUidGid" (dict "a" (list $dot "set-datadir-ownership")))) "r") -}} -{{- $uid := ((index $_404_uid_gid 0) | int64) -}} -{{- $gid := ((index $_404_uid_gid 1) | int64) -}} +{{- $_405_uid_gid := (get (fromJson (include "redpanda.securityContextUidGid" (dict "a" (list $dot "set-datadir-ownership")))) "r") -}} +{{- $uid := ((index $_405_uid_gid 0) | int64) -}} +{{- $gid := ((index $_405_uid_gid 1) | int64) -}} {{- $_is_returning = true -}} {{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict)) (dict "name" "set-datadir-ownership" "image" (printf "%s:%s" $values.statefulset.initContainerImage.repository $values.statefulset.initContainerImage.tag) "command" (list `/bin/sh` `-c` (printf `chown %d:%d -R /var/lib/redpanda/data` $uid $gid)) "securityContext" (mustMergeOverwrite (dict) (dict "runAsUser" (0 | int64) "runAsGroup" (0 | int64))) "volumeMounts" (concat (default (list) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot)))) "r")) (list (mustMergeOverwrite (dict "name" "" "mountPath" "") (dict "name" `datadir` "mountPath" `/var/lib/redpanda/data`))))))) | toJson -}} {{- break -}} 
@@ -230,12 +230,12 @@ {{- range $_ := (list 1) -}} {{- $_is_returning := false -}} {{- $values := $dot.Values.AsMap -}} -{{- $_432_gid_uid := (get (fromJson (include "redpanda.giduidFromPodTemplate" (dict "a" (list $values.podTemplate "redpanda")))) "r") -}} -{{- $gid := (index $_432_gid_uid 0) -}} -{{- $uid := (index $_432_gid_uid 1) -}} -{{- $_433_sgid_suid := (get (fromJson (include "redpanda.giduidFromPodTemplate" (dict "a" (list $values.statefulset.podTemplate "redpanda")))) "r") -}} -{{- $sgid := (index $_433_sgid_suid 0) -}} -{{- $suid := (index $_433_sgid_suid 1) -}} +{{- $_433_gid_uid := (get (fromJson (include "redpanda.giduidFromPodTemplate" (dict "a" (list $values.podTemplate "redpanda")))) "r") -}} +{{- $gid := (index $_433_gid_uid 0) -}} +{{- $uid := (index $_433_gid_uid 1) -}} +{{- $_434_sgid_suid := (get (fromJson (include "redpanda.giduidFromPodTemplate" (dict "a" (list $values.statefulset.podTemplate "redpanda")))) "r") -}} +{{- $sgid := (index $_434_sgid_suid 0) -}} +{{- $suid := (index $_434_sgid_suid 1) -}} {{- if (ne (toJson $sgid) "null") -}} {{- $gid = $sgid -}} {{- end -}} 
@@ -312,9 +312,9 @@ {{- (dict "r" (coalesce nil)) | toJson -}} {{- break -}} {{- end -}} -{{- $_516_uid_gid := (get (fromJson (include "redpanda.securityContextUidGid" (dict "a" (list $dot "set-tiered-storage-cache-dir-ownership")))) "r") -}} -{{- $uid := ((index $_516_uid_gid 0) | int64) -}} -{{- $gid := ((index $_516_uid_gid 1) | int64) -}} +{{- $_517_uid_gid := (get (fromJson (include "redpanda.securityContextUidGid" (dict "a" (list $dot "set-tiered-storage-cache-dir-ownership")))) "r") -}} +{{- $uid := ((index $_517_uid_gid 0) | int64) -}} +{{- $gid := ((index $_517_uid_gid 1) | int64) -}} {{- $cacheDir := (get (fromJson (include "redpanda.Storage.TieredCacheDirectory" (dict "a" (list $values.storage $dot)))) "r") -}} {{- $mounts := (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot)))) "r") -}} {{- $mounts = (concat (default (list) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "") (dict "name" "datadir" "mountPath" "/var/lib/redpanda/data")))) -}} diff --git a/charts/redpanda/testdata/template-cases.golden.txtar b/charts/redpanda/testdata/template-cases.golden.txtar index e43c0408a..572014106 100644 --- a/charts/redpanda/testdata/template-cases.golden.txtar +++ b/charts/redpanda/testdata/template-cases.golden.txtar @@ -999,6 +999,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -2362,6 +2363,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/redpanda @@ -3575,6 +3577,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -5006,6 +5009,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/secrets/users 
@@ -6333,6 +6337,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/secrets/users @@ -7890,6 +7895,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -9466,6 +9472,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -10939,6 +10946,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -14003,6 +14011,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -15566,6 +15575,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/secrets/users @@ -17074,6 +17084,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -18551,6 +18562,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -19846,6 +19858,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/redpanda @@ -21125,6 +21138,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -22630,6 +22644,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -24106,6 +24121,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default 
@@ -25579,6 +25595,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -27106,6 +27123,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -28649,6 +28667,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -30192,6 +30211,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -31686,6 +31706,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -33230,6 +33251,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -34792,6 +34814,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -36354,6 +36377,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -37868,6 +37892,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -39430,6 +39455,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -40992,6 +41018,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -42554,6 +42581,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default 
@@ -44068,6 +44096,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -45578,6 +45607,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -47052,6 +47082,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -48525,6 +48556,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -50089,6 +50121,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -51577,6 +51610,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -54767,6 +54801,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -57734,6 +57769,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -59217,6 +59253,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -60730,6 +60767,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -63720,6 +63758,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -65002,6 +65041,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default 
@@ -66603,6 +66643,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -68078,6 +68119,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/secrets/users @@ -69638,6 +69680,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -71118,6 +71161,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -72624,6 +72668,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -77052,6 +77097,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -81611,6 +81657,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -83169,6 +83216,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/secrets/users @@ -84701,6 +84749,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -86224,6 +86273,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -87748,6 +87798,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -89236,6 +89287,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default 
@@ -90759,6 +90811,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -92283,6 +92336,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -93759,6 +93813,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -95282,6 +95337,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -96806,6 +96862,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -98282,6 +98339,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -99805,6 +99863,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -101329,6 +101388,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -102805,6 +102865,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -104328,6 +104389,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -105852,6 +105914,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -107328,6 +107391,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default 
@@ -108851,6 +108915,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -110375,6 +110440,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -111851,6 +111917,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -113130,6 +113197,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/for-external @@ -122844,6 +122912,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -124420,6 +124489,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -126057,6 +126127,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -127636,6 +127707,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -129243,6 +129315,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -130773,6 +130846,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -132397,6 +132471,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -133870,6 +133945,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default 
@@ -135343,6 +135419,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -136832,6 +136909,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -138434,6 +138512,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/secrets/users @@ -139967,6 +140046,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -141490,6 +141570,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -143014,6 +143095,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -144490,6 +144572,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -146013,6 +146096,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -147537,6 +147621,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -149020,6 +149105,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -150655,6 +150741,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -151942,6 +152029,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default 
diff --git a/charts/redpanda/testdata/template-cases.txtar b/charts/redpanda/testdata/template-cases.txtar
index b04983c70..c9698c347 100644
--- a/charts/redpanda/testdata/template-cases.txtar
+++ b/charts/redpanda/testdata/template-cases.txtar
@@ -216,6 +216,7 @@ auth:
 # ASSERT-FIELD-EQUALS ["apps/v1/StatefulSet", "default/redpanda", "{.spec.template.spec.containers[0].securityContext.privileged}", false]
 # ASSERT-FIELD-EQUALS ["apps/v1/StatefulSet", "default/redpanda", "{.spec.template.spec.containers[0].securityContext.runAsGroup}", 6767]
 # ASSERT-FIELD-EQUALS ["apps/v1/StatefulSet", "default/redpanda", "{.spec.template.spec.containers[0].securityContext.runAsUser}", 5656]
+# ASSERT-FIELD-EQUALS ["apps/v1/StatefulSet", "default/redpanda", "{.spec.template.spec.initContainers[0].securityContext.runAsNonRoot}", false]
 # ASSERT-FIELD-EQUALS ["apps/v1/StatefulSet", "default/redpanda", "{.spec.template.metadata.labels.label}", "rp-sts"]
 # ASSERT-FIELD-EQUALS ["apps/v1/StatefulSet", "default/redpanda", "{.spec.template.metadata.annotations.anno}", "rp-sts"]
 # ASSERT-FIELD-EQUALS ["apps/v1/StatefulSet", "default/redpanda", "{.spec.template.spec.containers[0].env[?(@.name==\"HELLO\")].value}", "WORLD"]
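Review bot: The added assertion selects the tuning container by position, `initContainers[0]`, so it would check a different container (or none) if the init-container order changes or tuning is disabled for this case. The file already uses a JSONPath filter for env (`env[?(@.name==\"HELLO\")]`); the same form, `{.spec.template.spec.initContainers[?(@.name==\"tuning\")].securityContext.runAsNonRoot}`, would pin the check to the intended container, assuming the assertion helper accepts a filter at that level. It is also not visible in the hunk whether this case sets pod-level `runAsNonRoot: true`; if it does not, the scenario named in the changelog entry is covered only by the golden output.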