diff --git a/helm/tools/grafana-mcp/values.yaml b/helm/tools/grafana-mcp/values.yaml index 01f0f1f50a..dc4478a442 100644 --- a/helm/tools/grafana-mcp/values.yaml +++ b/helm/tools/grafana-mcp/values.yaml @@ -31,6 +31,13 @@ securityContext: drop: - ALL readOnlyRootFilesystem: true + # A fixed non-root UID/GID is set so the chart installs on vanilla Kubernetes: + # runAsNonRoot (in podSecurityContext) needs a numeric non-root user and the + # mcp/grafana image does not ship one. On OpenShift, where the restricted-v2 + # SCC assigns a per-namespace UID range and rejects a pinned UID outside it, + # override these to null so the SCC injects an in-range UID: + # --set tools.grafana-mcp.securityContext.runAsUser=null + # --set tools.grafana-mcp.securityContext.runAsGroup=null runAsUser: 1000 runAsGroup: 999 diff --git a/helm/tools/querydoc/values.yaml b/helm/tools/querydoc/values.yaml index 13185e9740..fbbdc2bca9 100644 --- a/helm/tools/querydoc/values.yaml +++ b/helm/tools/querydoc/values.yaml @@ -25,6 +25,15 @@ securityContext: drop: - ALL readOnlyRootFilesystem: true + # A fixed non-root UID/GID is set so the chart installs on vanilla Kubernetes: + # runAsNonRoot (in podSecurityContext) needs a numeric non-root user, and the + # querydoc image (doc2vec/mcp) does not currently run as one. Once that image + # ships a numeric non-root USER, this pin can be dropped and kubelet will read + # the UID from the image. On OpenShift, where the restricted-v2 SCC assigns a + # per-namespace UID range and rejects a pinned UID outside it, override these + # to null so the SCC injects an in-range UID: + # --set tools.querydoc.securityContext.runAsUser=null + # --set tools.querydoc.securityContext.runAsGroup=null runAsUser: 14000 runAsGroup: 14000