fix(helm): keep non-root UID defaults for grafana-mcp and querydoc, document OpenShift override#2134
fix(helm): keep non-root UID defaults for grafana-mcp and querydoc, document OpenShift override#2134SarthakB11 wants to merge 3 commits into
Conversation
There was a problem hiding this comment.
Pull request overview
Adjusts Helm subchart defaults to be OpenShift-compatible by avoiding hardcoded container UIDs/GIDs that conflict with restricted SCC UID ranges.
Changes:
- Removed default
securityContext.runAsUser/runAsGroupfromgrafana-mcpvalues. - Removed default
securityContext.runAsUser/runAsGroupfromquerydocvalues. - Added inline comments documenting why the UID/GID are unset by default and how to override.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| helm/tools/querydoc/values.yaml | Drops pinned UID/GID defaults to allow OpenShift SCC-assigned UIDs; keeps hardened securityContext settings. |
| helm/tools/grafana-mcp/values.yaml | Drops pinned UID/GID defaults to allow OpenShift SCC-assigned UIDs; keeps hardened securityContext settings. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| # runAsUser / runAsGroup are left unset so the chart installs on OpenShift, | ||
| # where the restricted-v2 SCC assigns a per-namespace UID range and rejects a | ||
| # pinned UID outside it. runAsNonRoot (in podSecurityContext) still keeps the | ||
| # container non-root. Set a fixed UID below on clusters that allow it: | ||
| # runAsUser: 14000 | ||
| # runAsGroup: 14000 |
| # runAsUser / runAsGroup are left unset so the chart installs on OpenShift, | ||
| # where the restricted-v2 SCC assigns a per-namespace UID range and rejects a | ||
| # pinned UID outside it. runAsNonRoot (in podSecurityContext) still keeps the | ||
| # container non-root. Set a fixed UID below on clusters that allow it: | ||
| # runAsUser: 14000 |
| # runAsUser / runAsGroup are left unset so the chart installs on OpenShift, | ||
| # where the restricted-v2 SCC assigns a per-namespace UID range and rejects a | ||
| # pinned UID outside it. runAsNonRoot (in podSecurityContext) still keeps the | ||
| # container non-root. Set a fixed UID below on clusters that allow it: | ||
| # runAsUser: 1000 | ||
| # runAsGroup: 999 |
| # runAsUser / runAsGroup are left unset so the chart installs on OpenShift, | ||
| # where the restricted-v2 SCC assigns a per-namespace UID range and rejects a | ||
| # pinned UID outside it. runAsNonRoot (in podSecurityContext) still keeps the | ||
| # container non-root. Set a fixed UID below on clusters that allow it: | ||
| # runAsUser: 1000 |
f1127b3 to
40d75b3
Compare
|
Thanks for the review. Force-pushed a fix. Two changes on top of the original commit:
Also rebased onto main (was BEHIND #2124 / #2125). CI should re-run on the amended commit. |
40d75b3 to
97dfeff
Compare
… chart defaults The grafana-mcp and querydoc subcharts hardcode securityContext.runAsUser (1000 and 14000) and runAsGroup (999 and 14000) in their default values.yaml. On OpenShift, each namespace is assigned a dynamic UID range and the restricted-v2 SCC rejects any pod whose runAsUser falls outside that range, so the chart is undeployable out of the box: the Deployments stay at 0/1 with a FailedCreate admission error until each component's UID is overridden by hand to an in-range value that is cluster- and namespace-specific. Remove the pinned UIDs from the defaults. Documented commented overrides remain for clusters that want to pin them. runAsNonRoot in podSecurityContext still enforces non-root, and the rest of the hardening (allowPrivilegeEscalation: false, capabilities.drop: [ALL], readOnlyRootFilesystem: true, seccompProfile: RuntimeDefault) is unchanged. Fixes kagent-dev#2079 Signed-off-by: SarthakB11 <sarthak.bhardwaj21b@iiitg.ac.in>
97dfeff to
7063dd8
Compare
…erride The grafana-mcp and querydoc charts enable podSecurityContext.runAsNonRoot. On vanilla Kubernetes the kubelet can only confirm a container is non-root from a numeric runAsUser or a numeric image USER, and neither image ships one (the mcp/grafana image's USER is the name "mcp-grafana" and the querydoc image runs as root). Leaving runAsUser unset therefore fails admission with CreateContainerConfigError and the pods never start. Keep a fixed non-root UID/GID as the default so the charts install on vanilla Kubernetes, and document the one-line override to null so OpenShift users let the restricted-v2 SCC assign an in-range UID. Fixes kagent-dev#2079 Signed-off-by: SarthakB11 <sarthak.bhardwaj21b@iiitg.ac.in>
… USER The querydoc image (doc2vec/mcp) does not currently run as a numeric non-root user, so the runAsUser/runAsGroup pin is required for the default install to pass runAsNonRoot on vanilla Kubernetes. Record that the pin can be removed once the image ships a numeric non-root USER, at which point kubelet reads the UID from the image directly. Fixes kagent-dev#2079 Signed-off-by: SarthakB11 <sarthak.bhardwaj21b@iiitg.ac.in>
|
Unsetting runAsUser is not safe here: neither image runs as a numeric non-root user, so with runAsNonRoot on, the pods fail admission on vanilla Kubernetes. Kept the pinned defaults and documented the OpenShift null-override. querydoc can be unpinned once its image ships a numeric USER, opened upstream as kagent-dev/doc2vec#94. |
What
#2079 reported that grafana-mcp and querydoc are not deployable on OpenShift out of the box: they pin securityContext.runAsUser/runAsGroup and the restricted-v2 SCC rejects a fixed UID (it assigns a per-namespace range).
Unsetting the defaults is not safe: both charts set podSecurityContext.runAsNonRoot: true, and the kubelet can only confirm non-root from a numeric runAsUser or a numeric image USER. The mcp/grafana image's USER is the name "mcp-grafana" and the doc2vec/mcp (querydoc) image does not run as a numeric non-root user, so with runAsUser unset the pods fail admission with CreateContainerConfigError on vanilla Kubernetes.
This PR keeps the fixed non-root UID/GID defaults (charts install on vanilla Kubernetes) and documents the one-line override for OpenShift, where the SCC then assigns an in-range UID:
(same for tools.querydoc.securityContext). It also records that the querydoc pin can be dropped once the doc2vec/mcp image ships a numeric non-root USER, opened upstream as kagent-dev/doc2vec#94. This is the fallback described in #2079 for images that do not ship a numeric non-root USER.
Testing
Fixes #2079