Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions helm/tools/grafana-mcp/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,13 @@ securityContext:
drop:
- ALL
readOnlyRootFilesystem: true
# A fixed non-root UID/GID is set so the chart installs on vanilla Kubernetes:
# runAsNonRoot (in podSecurityContext) needs a numeric non-root user and the
# mcp/grafana image does not ship one. On OpenShift, where the restricted-v2
# SCC assigns a per-namespace UID range and rejects a pinned UID outside it,
# override these to null so the SCC injects an in-range UID:
# --set tools.grafana-mcp.securityContext.runAsUser=null
# --set tools.grafana-mcp.securityContext.runAsGroup=null
runAsUser: 1000
runAsGroup: 999

Expand Down
9 changes: 9 additions & 0 deletions helm/tools/querydoc/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,15 @@ securityContext:
drop:
- ALL
readOnlyRootFilesystem: true
# A fixed non-root UID/GID is set so the chart installs on vanilla Kubernetes:
# runAsNonRoot (in podSecurityContext) needs a numeric non-root user, and the
# querydoc image (doc2vec/mcp) does not currently run as one. Once that image
# ships a numeric non-root USER, this pin can be dropped and kubelet will read
# the UID from the image. On OpenShift, where the restricted-v2 SCC assigns a
# per-namespace UID range and rejects a pinned UID outside it, override these
# to null so the SCC injects an in-range UID:
# --set tools.querydoc.securityContext.runAsUser=null
# --set tools.querydoc.securityContext.runAsGroup=null
runAsUser: 14000
runAsGroup: 14000

Expand Down
Loading