Skip to content

fix(helm): keep non-root UID defaults for grafana-mcp and querydoc, document OpenShift override#2134

Open
SarthakB11 wants to merge 3 commits into
kagent-dev:mainfrom
SarthakB11:fix/issue-2079
Open

fix(helm): keep non-root UID defaults for grafana-mcp and querydoc, document OpenShift override#2134
SarthakB11 wants to merge 3 commits into
kagent-dev:mainfrom
SarthakB11:fix/issue-2079

Conversation

@SarthakB11

@SarthakB11 SarthakB11 commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

What

#2079 reported that grafana-mcp and querydoc are not deployable on OpenShift out of the box: they pin securityContext.runAsUser/runAsGroup and the restricted-v2 SCC rejects a fixed UID (it assigns a per-namespace range).

Unsetting the defaults is not safe: both charts set podSecurityContext.runAsNonRoot: true, and the kubelet can only confirm non-root from a numeric runAsUser or a numeric image USER. The mcp/grafana image's USER is the name "mcp-grafana" and the doc2vec/mcp (querydoc) image does not run as a numeric non-root user, so with runAsUser unset the pods fail admission with CreateContainerConfigError on vanilla Kubernetes.

This PR keeps the fixed non-root UID/GID defaults (charts install on vanilla Kubernetes) and documents the one-line override for OpenShift, where the SCC then assigns an in-range UID:

--set tools.grafana-mcp.securityContext.runAsUser=null
--set tools.grafana-mcp.securityContext.runAsGroup=null

(same for tools.querydoc.securityContext). It also records that the querydoc pin can be dropped once the doc2vec/mcp image ships a numeric non-root USER, opened upstream as kagent-dev/doc2vec#94. This is the fallback described in #2079 for images that do not ship a numeric non-root USER.

Testing

  • helm template: pinned UID by default; field omitted when overridden to null.
  • helm unittest: grafana-mcp 10/10, querydoc 26/26.

Fixes #2079

Copilot AI review requested due to automatic review settings July 1, 2026 21:27
@github-actions github-actions Bot added the bug Something isn't working label Jul 1, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adjusts Helm subchart defaults to be OpenShift-compatible by avoiding hardcoded container UIDs/GIDs that conflict with restricted SCC UID ranges.

Changes:

  • Removed default securityContext.runAsUser / runAsGroup from grafana-mcp values.
  • Removed default securityContext.runAsUser / runAsGroup from querydoc values.
  • Added inline comments documenting why the UID/GID are unset by default and how to override.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File Description
helm/tools/querydoc/values.yaml Drops pinned UID/GID defaults to allow OpenShift SCC-assigned UIDs; keeps hardened securityContext settings.
helm/tools/grafana-mcp/values.yaml Drops pinned UID/GID defaults to allow OpenShift SCC-assigned UIDs; keeps hardened securityContext settings.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread helm/tools/querydoc/values.yaml Outdated
Comment on lines +28 to +33
# runAsUser / runAsGroup are left unset so the chart installs on OpenShift,
# where the restricted-v2 SCC assigns a per-namespace UID range and rejects a
# pinned UID outside it. runAsNonRoot (in podSecurityContext) still keeps the
# container non-root. Set a fixed UID below on clusters that allow it:
# runAsUser: 14000
# runAsGroup: 14000
Comment thread helm/tools/querydoc/values.yaml Outdated
Comment on lines +28 to +32
# runAsUser / runAsGroup are left unset so the chart installs on OpenShift,
# where the restricted-v2 SCC assigns a per-namespace UID range and rejects a
# pinned UID outside it. runAsNonRoot (in podSecurityContext) still keeps the
# container non-root. Set a fixed UID below on clusters that allow it:
# runAsUser: 14000
Comment thread helm/tools/grafana-mcp/values.yaml Outdated
Comment on lines +34 to +39
# runAsUser / runAsGroup are left unset so the chart installs on OpenShift,
# where the restricted-v2 SCC assigns a per-namespace UID range and rejects a
# pinned UID outside it. runAsNonRoot (in podSecurityContext) still keeps the
# container non-root. Set a fixed UID below on clusters that allow it:
# runAsUser: 1000
# runAsGroup: 999
Comment thread helm/tools/grafana-mcp/values.yaml Outdated
Comment on lines +34 to +38
# runAsUser / runAsGroup are left unset so the chart installs on OpenShift,
# where the restricted-v2 SCC assigns a per-namespace UID range and rejects a
# pinned UID outside it. runAsNonRoot (in podSecurityContext) still keeps the
# container non-root. Set a fixed UID below on clusters that allow it:
# runAsUser: 1000
@SarthakB11
SarthakB11 force-pushed the fix/issue-2079 branch 2 times, most recently from f1127b3 to 40d75b3 Compare July 1, 2026 21:47
@SarthakB11

Copy link
Copy Markdown
Contributor Author

Thanks for the review. Force-pushed a fix. Two changes on top of the original commit:

  • helm-unittest updates in helm/tools/querydoc/tests/deployment_test.yaml and helm/tools/grafana-mcp/tests/deployment_test.yaml: the default-container securityContext test now asserts runAsUser and runAsGroup are unset via isNull, matching the new default. The override test in both files still sets runAsUser and asserts it renders, so the override path stays covered.
  • Values comment reworded: runAsNonRoot enforces non-root rather than "keeping" it non-root; with runAsUser unset the container runs as the image's USER, so mcp/grafana and doc2vec/mcp must ship a non-root USER for the pod to start on non-OpenShift clusters. That constraint is now spelled out.

Also rebased onto main (was BEHIND #2124 / #2125). CI should re-run on the amended commit.

… chart defaults

The grafana-mcp and querydoc subcharts hardcode securityContext.runAsUser
(1000 and 14000) and runAsGroup (999 and 14000) in their default
values.yaml. On OpenShift, each namespace is assigned a dynamic UID
range and the restricted-v2 SCC rejects any pod whose runAsUser falls
outside that range, so the chart is undeployable out of the box: the
Deployments stay at 0/1 with a FailedCreate admission error until each
component's UID is overridden by hand to an in-range value that is
cluster- and namespace-specific.

Remove the pinned UIDs from the defaults. Documented commented
overrides remain for clusters that want to pin them. runAsNonRoot in
podSecurityContext still enforces non-root, and the rest of the
hardening (allowPrivilegeEscalation: false, capabilities.drop: [ALL],
readOnlyRootFilesystem: true, seccompProfile: RuntimeDefault) is
unchanged.

Fixes kagent-dev#2079

Signed-off-by: SarthakB11 <sarthak.bhardwaj21b@iiitg.ac.in>
@SarthakB11
SarthakB11 requested a review from a team as a code owner July 9, 2026 20:05
…erride

The grafana-mcp and querydoc charts enable podSecurityContext.runAsNonRoot.
On vanilla Kubernetes the kubelet can only confirm a container is non-root
from a numeric runAsUser or a numeric image USER, and neither image ships
one (the mcp/grafana image's USER is the name "mcp-grafana" and the querydoc
image runs as root). Leaving runAsUser unset therefore fails admission with
CreateContainerConfigError and the pods never start.

Keep a fixed non-root UID/GID as the default so the charts install on vanilla
Kubernetes, and document the one-line override to null so OpenShift users let
the restricted-v2 SCC assign an in-range UID.

Fixes kagent-dev#2079

Signed-off-by: SarthakB11 <sarthak.bhardwaj21b@iiitg.ac.in>
… USER

The querydoc image (doc2vec/mcp) does not currently run as a numeric non-root
user, so the runAsUser/runAsGroup pin is required for the default install to
pass runAsNonRoot on vanilla Kubernetes. Record that the pin can be removed
once the image ships a numeric non-root USER, at which point kubelet reads the
UID from the image directly.

Fixes kagent-dev#2079

Signed-off-by: SarthakB11 <sarthak.bhardwaj21b@iiitg.ac.in>
@SarthakB11

Copy link
Copy Markdown
Contributor Author

Unsetting runAsUser is not safe here: neither image runs as a numeric non-root user, so with runAsNonRoot on, the pods fail admission on vanilla Kubernetes. Kept the pinned defaults and documented the OpenShift null-override. querydoc can be unpinned once its image ships a numeric USER, opened upstream as kagent-dev/doc2vec#94.

@SarthakB11 SarthakB11 changed the title fix(helm): don't pin runAsUser/runAsGroup in grafana-mcp and querydoc chart defaults fix(helm): keep non-root UID defaults for grafana-mcp and querydoc, document OpenShift override Jul 12, 2026
@github-actions github-actions Bot added bug Something isn't working and removed bug Something isn't working labels Jul 12, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[BUG] Bundled subcharts hardcode securityContext.runAsUser/runAsGroup → not deployable on OpenShift (restricted-v2 dynamic UID range)

2 participants