From 82273896c7f468e8d98912f24e8d3e5f8e6bb44b Mon Sep 17 00:00:00 2001
From: Rafal Korepta
Date: Tue, 4 Nov 2025 15:28:40 +0100
Subject: [PATCH] chart/redpanda: Set securityContext.runAsNonRoot to false for tuning container
(cherry picked from commit f187f32f01c67eca53ee455400c80824c57057d4)
---
 ...charts-redpanda-Fixed-20251103-205145.yaml | 5 ++
 .../chart/templates/_statefulset.go.tpl | 26 +++---
 charts/redpanda/statefulset.go | 7 +-
 .../testdata/template-cases.golden.txtar | 88 +++++++++++++++++++
 charts/redpanda/testdata/template-cases.txtar | 1 +
 .../testdata/cases.pools.golden.txtar | 5 ++
 6 files changed, 116 insertions(+), 16 deletions(-)
 create mode 100644 .changes/unreleased/charts-redpanda-Fixed-20251103-205145.yaml
diff --git a/.changes/unreleased/charts-redpanda-Fixed-20251103-205145.yaml b/.changes/unreleased/charts-redpanda-Fixed-20251103-205145.yaml
new file mode 100644
index 000000000..0d5e1b654
--- /dev/null
+++ b/.changes/unreleased/charts-redpanda-Fixed-20251103-205145.yaml
@@ -0,0 +1,5 @@
+project: charts/redpanda
+kind: Fixed
+body: |
+ Fix `CreateContainerConfigError: Error: container's runAsUser breaks non-root policy...` error with `statefulset.podTemplate.spec.securityContext.runAsNonRoot: true`
+time: 2025-11-03T20:51:45.198677+02:00
diff --git a/charts/redpanda/chart/templates/_statefulset.go.tpl b/charts/redpanda/chart/templates/_statefulset.go.tpl
index 2d4412549..6a8518816 100644
--- a/charts/redpanda/chart/templates/_statefulset.go.tpl
+++ b/charts/redpanda/chart/templates/_statefulset.go.tpl
@@ -200,7 +200,7 @@ {{- break -}} {{- end -}} {{- $_is_returning = true -}} -{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict)) (dict "name" "tuning" "image" (printf "%s:%s" $state.Values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $state)))) "r")) "command" (list `/bin/bash` `-c` `rpk redpanda tune all`) "securityContext" (mustMergeOverwrite (dict) (dict "capabilities" (mustMergeOverwrite (dict) (dict "add" (list `SYS_RESOURCE`))) "privileged" true "runAsUser" ((0 | int64) | int64) "runAsGroup" ((0 | int64) | int64))) "volumeMounts" (concat (default (list) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $state)))) "r")) (list (mustMergeOverwrite (dict "name" "" "mountPath" "") (dict "name" "base-config" "mountPath" "/etc/redpanda"))))))) | toJson -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict)) (dict "name" "tuning" "image" (printf "%s:%s" $state.Values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $state)))) "r")) "command" (list `/bin/bash` `-c` `rpk redpanda tune all`) "securityContext" (mustMergeOverwrite (dict) (dict "capabilities" (mustMergeOverwrite (dict) (dict "add" (list `SYS_RESOURCE`))) "privileged" true "runAsNonRoot" false "runAsUser" ((0 | int64) | int64) "runAsGroup" ((0 | int64) | int64))) "volumeMounts" (concat (default (list) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $state)))) "r")) (list (mustMergeOverwrite (dict "name" "" "mountPath" "") (dict "name" "base-config" "mountPath" "/etc/redpanda"))))))) | toJson -}} {{- break -}} {{- end -}} {{- end -}} 
@@ -215,9 +215,9 @@ {{- (dict "r" (coalesce nil)) | toJson -}} {{- break -}} {{- end -}} -{{- $_397_uid_gid := (get (fromJson (include "redpanda.securityContextUidGid" (dict "a" (list $state $pool "set-datadir-ownership")))) "r") -}} -{{- $uid := ((index $_397_uid_gid 0) | int64) -}} -{{- $gid := ((index $_397_uid_gid 1) | int64) -}} +{{- $_398_uid_gid := (get (fromJson (include "redpanda.securityContextUidGid" (dict "a" (list $state $pool "set-datadir-ownership")))) "r") -}} +{{- $uid := ((index $_398_uid_gid 0) | int64) -}} +{{- $gid := ((index $_398_uid_gid 1) | int64) -}} {{- $_is_returning = true -}} {{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict)) (dict "name" "set-datadir-ownership" "image" (printf "%s:%s" $pool.Statefulset.initContainerImage.repository $pool.Statefulset.initContainerImage.tag) "command" (list `/bin/sh` `-c` (printf `chown %d:%d -R /var/lib/redpanda/data` $uid $gid)) "securityContext" (mustMergeOverwrite (dict) (dict "runAsUser" (0 | int64) "runAsGroup" (0 | int64))) "volumeMounts" (concat (default (list) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $state)))) "r")) (list (mustMergeOverwrite (dict "name" "" "mountPath" "") (dict "name" `datadir` "mountPath" `/var/lib/redpanda/data`))))))) | toJson -}} {{- break -}} 
@@ -230,12 +230,12 @@ {{- $containerName := (index .a 2) -}} {{- range $_ := (list 1) -}} {{- $_is_returning := false -}} -{{- $_423_gid_uid := (get (fromJson (include "redpanda.giduidFromPodTemplate" (dict "a" (list $state.Values.podTemplate "redpanda")))) "r") -}} -{{- $gid := (index $_423_gid_uid 0) -}} -{{- $uid := (index $_423_gid_uid 1) -}} -{{- $_424_sgid_suid := (get (fromJson (include "redpanda.giduidFromPodTemplate" (dict "a" (list $pool.Statefulset.podTemplate "redpanda")))) "r") -}} -{{- $sgid := (index $_424_sgid_suid 0) -}} -{{- $suid := (index $_424_sgid_suid 1) -}} +{{- $_424_gid_uid := (get (fromJson (include "redpanda.giduidFromPodTemplate" (dict "a" (list $state.Values.podTemplate "redpanda")))) "r") -}} +{{- $gid := (index $_424_gid_uid 0) -}} +{{- $uid := (index $_424_gid_uid 1) -}} +{{- $_425_sgid_suid := (get (fromJson (include "redpanda.giduidFromPodTemplate" (dict "a" (list $pool.Statefulset.podTemplate "redpanda")))) "r") -}} +{{- $sgid := (index $_425_sgid_suid 0) -}} +{{- $suid := (index $_425_sgid_suid 1) -}} {{- if (ne (toJson $sgid) "null") -}} {{- $gid = $sgid -}} {{- end -}} 
@@ -312,9 +312,9 @@
 {{- (dict "r" (coalesce nil)) | toJson -}}
 {{- break -}}
 {{- end -}}
-{{- $_503_uid_gid := (get (fromJson (include "redpanda.securityContextUidGid" (dict "a" (list $state $pool "set-tiered-storage-cache-dir-ownership")))) "r") -}}
-{{- $uid := ((index $_503_uid_gid 0) | int64) -}}
-{{- $gid := ((index $_503_uid_gid 1) | int64) -}}
+{{- $_504_uid_gid := (get (fromJson (include "redpanda.securityContextUidGid" (dict "a" (list $state $pool "set-tiered-storage-cache-dir-ownership")))) "r") -}}
+{{- $uid := ((index $_504_uid_gid 0) | int64) -}}
+{{- $gid := ((index $_504_uid_gid 1) | int64) -}}
 {{- $cacheDir := (get (fromJson (include "redpanda.Storage.TieredCacheDirectory" (dict "a" (list $state.Values.storage $state)))) "r") -}}
 {{- $mounts := (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $state)))) "r") -}}
 {{- $mounts = (concat (default (list) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "") (dict "name" "datadir" "mountPath" "/var/lib/redpanda/data")))) -}}
diff --git a/charts/redpanda/statefulset.go b/charts/redpanda/statefulset.go
index cbc524132..dcb3a7090 100644
--- a/charts/redpanda/statefulset.go
+++ b/charts/redpanda/statefulset.go
@@ -371,9 +371,10 @@ func statefulSetInitContainerTuning(state *RenderState) *corev1.Container {
 Capabilities: &corev1.Capabilities{
 Add: []corev1.Capability{`SYS_RESOURCE`},
 },
- Privileged: ptr.To(true),
- RunAsUser: ptr.To(int64(0)),
- RunAsGroup: ptr.To(int64(0)),
+ Privileged: ptr.To(true),
+ RunAsNonRoot: ptr.To(false),
+ RunAsUser: ptr.To(int64(0)),
+ RunAsGroup: ptr.To(int64(0)),
 },
 VolumeMounts: append(
 CommonMounts(state),
diff --git a/charts/redpanda/testdata/template-cases.golden.txtar b/charts/redpanda/testdata/template-cases.golden.txtar
index 2ae915a25..1e189fc2e 100644
--- a/charts/redpanda/testdata/template-cases.golden.txtar
+++ b/charts/redpanda/testdata/template-cases.golden.txtar
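Review bot: The new `RunAsNonRoot: ptr.To(false)` line has no comment saying why this container deliberately opts out of the non-root policy, and sitting beside `Privileged: ptr.To(true)` and `RunAsUser: ptr.To(int64(0))` it reads like a hardening regression that a later cleanup could remove; the reason lives only in the commit message and changelog. Suggest a why-comment above the SecurityContext fields: `// Tuning has to run as root (privileged, SYS_RESOURCE). RunAsNonRoot=false overrides a pod-level runAsNonRoot: true, which would otherwise make the kubelet reject this container (CreateContainerConfigError).` It is also worth noting, in that comment or in the documentation for the pod-level security context values, that this only satisfies the kubelet's runtime check: an admission policy that evaluates init containers, such as the Pod Security "restricted" profile, will still reject a privileged root container whenever this init container is rendered. statefulSetInitContainerTuning starts before and ends after the hunk.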
@@ -989,6 +989,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -2306,6 +2307,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/redpanda @@ -3486,6 +3488,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -4873,6 +4876,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/secrets/users @@ -6169,6 +6173,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/secrets/users @@ -7692,6 +7697,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -9229,6 +9235,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -10669,6 +10676,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -13700,6 +13708,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -15232,6 +15241,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/secrets/users @@ -16707,6 +16717,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -18149,6 +18160,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default 
@@ -19398,6 +19410,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/redpanda @@ -20644,6 +20657,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -22116,6 +22130,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -23559,6 +23574,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -24999,6 +25015,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -26493,6 +26510,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -28003,6 +28021,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -29513,6 +29532,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -30974,6 +30994,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -32485,6 +32506,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -34014,6 +34036,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -35543,6 +35566,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default 
@@ -37024,6 +37048,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -38553,6 +38578,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -40082,6 +40108,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -41611,6 +41638,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -43092,6 +43120,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -44569,6 +44598,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -46010,6 +46040,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -47450,6 +47481,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -48978,6 +49010,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -50424,6 +50457,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -53581,6 +53615,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -56523,6 +56558,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default 
@@ -57970,6 +58006,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -59450,6 +59487,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -62407,6 +62445,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -63664,6 +63703,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -65255,6 +65295,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -66699,6 +66740,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/secrets/users @@ -68226,6 +68268,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -69673,6 +69716,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -71146,6 +71190,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -75541,6 +75586,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -80066,6 +80112,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -81593,6 +81640,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/secrets/users 
@@ -83092,6 +83140,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -84582,6 +84631,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -86072,6 +86122,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -87527,6 +87578,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -89017,6 +89069,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -90507,6 +90560,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -91950,6 +92004,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -93440,6 +93495,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -94930,6 +94986,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -96373,6 +96430,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -97863,6 +97921,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -99353,6 +99412,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default 
@@ -100796,6 +100856,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -102286,6 +102347,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -103776,6 +103838,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -105219,6 +105282,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -106709,6 +106773,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -108199,6 +108264,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -109642,6 +109708,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -110888,6 +110955,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/for-external @@ -120585,6 +120653,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -122128,6 +122197,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -123730,6 +123800,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -125274,6 +125345,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default 
@@ -126821,6 +126893,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -128326,6 +128399,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -129917,6 +129991,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -131357,6 +131432,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -132797,6 +132873,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -134250,6 +134327,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -135819,6 +135897,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/secrets/users @@ -137319,6 +137398,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -138809,6 +138889,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -140299,6 +140380,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -141742,6 +141824,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -143232,6 +143315,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default 
@@ -144722,6 +144806,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default
@@ -146172,6 +146257,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default
@@ -147774,6 +147860,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default
@@ -149028,6 +149115,7 @@ spec: - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default
diff --git a/charts/redpanda/testdata/template-cases.txtar b/charts/redpanda/testdata/template-cases.txtar
index b04983c70..c9698c347 100644
--- a/charts/redpanda/testdata/template-cases.txtar
+++ b/charts/redpanda/testdata/template-cases.txtar
@@ -216,6 +216,7 @@ auth:
 # ASSERT-FIELD-EQUALS ["apps/v1/StatefulSet", "default/redpanda", "{.spec.template.spec.containers[0].securityContext.privileged}", false]
 # ASSERT-FIELD-EQUALS ["apps/v1/StatefulSet", "default/redpanda", "{.spec.template.spec.containers[0].securityContext.runAsGroup}", 6767]
 # ASSERT-FIELD-EQUALS ["apps/v1/StatefulSet", "default/redpanda", "{.spec.template.spec.containers[0].securityContext.runAsUser}", 5656]
+# ASSERT-FIELD-EQUALS ["apps/v1/StatefulSet", "default/redpanda", "{.spec.template.spec.initContainers[0].securityContext.runAsNonRoot}", false]
 # ASSERT-FIELD-EQUALS ["apps/v1/StatefulSet", "default/redpanda", "{.spec.template.metadata.labels.label}", "rp-sts"]
 # ASSERT-FIELD-EQUALS ["apps/v1/StatefulSet", "default/redpanda", "{.spec.template.metadata.annotations.anno}", "rp-sts"]
 # ASSERT-FIELD-EQUALS ["apps/v1/StatefulSet", "default/redpanda", "{.spec.template.spec.containers[0].env[?(@.name==\"HELLO\")].value}", "WORLD"]
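Review bot: The added assertion addresses the tuning container as `initContainers[0]` without checking that index 0 is in fact that container, so it keeps passing against any other init container whose runAsNonRoot is false, and it silently tests the wrong container if the ordering changes or another init container is inserted ahead of tuning. The HELLO assertion at the end of this hunk shows the harness already accepts a name filter with a scalar expected value, so selecting by name is the more robust form: `# ASSERT-FIELD-EQUALS ["apps/v1/StatefulSet", "default/redpanda", "{.spec.template.spec.initContainers[?(@.name==\"tuning\")].securityContext.runAsNonRoot}", false]`. The container name `tuning` is the one set in statefulSetInitContainerTuning and the matching template; whether this particular test case renders that container at all is not visible from the hunk, so confirm before relying on the filter form.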
diff --git a/operator/internal/lifecycle/testdata/cases.pools.golden.txtar b/operator/internal/lifecycle/testdata/cases.pools.golden.txtar index 9f7c7036b..7784980f5 100644 --- a/operator/internal/lifecycle/testdata/cases.pools.golden.txtar +++ b/operator/internal/lifecycle/testdata/cases.pools.golden.txtar @@ -214,6 +214,7 @@ - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -1365,6 +1366,7 @@ - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -1727,6 +1729,7 @@ - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -2088,6 +2091,7 @@ - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default @@ -2449,6 +2453,7 @@ - SYS_RESOURCE privileged: true runAsGroup: 0 + runAsNonRoot: false runAsUser: 0 volumeMounts: - mountPath: /etc/tls/certs/default