jp-gouin/helm-openldap

enable containersecuritycontext and resources limit for initcontainers

louisgls opened this issue · 5 comments

I would like to be able to set the containerSecurityPolicy and the resources for the init-tls-secret initContainer.

At the moment, because of policies configured in our cluster, I can't deploy the chart. I've found a quickfix that consists of adding the missing parameters with kustomize, but it would be awesome if we could have resources and containerSecurityContext configurable for initContainers, just as they are for the openldap container.

Another solution could be to make init-tls-secret optional so it can be removed or updated like this:

initContainers:
  - name: init-tls-secret
    image: alpine/openssl:latest
    imagePullPolicy: Always
    command:
      - sh
      - -c
      - |
        cp -Lr /tmp-certs/* /certs
    volumeMounts:
      - name: certs
        mountPath: "/certs"
      - name: secret-certs
        mountPath: "/tmp-certs"
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      runAsNonRoot: true
      runAsUser: 1001
      seccompProfile:
        type: RuntimeDefault
    resources:
      limits:
        cpu: 50m
        memory: 64Mi

Hi @louisgls
The parameters in this part can be customized. So I think it might be a usage issue.

Hi @opencmit2, thank you for your answer.

My problem is that I can't start any container that does not have containerSecurityContext, which is the case for init-tls-secret and update-replication.

would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "init-tls-secret", "update-replication" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "init-tls-secret", "update-replication" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "init-tls-secret", "update-replication" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "init-tls-secret", "update-replication" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
I also need to configure resources for each containers.
create Pod openldap-0 in StatefulSet openldap failed error: pods "openldap-0" is forbidden: failed quota: default-ktkk5: must specify limits.cpu for: init-tls-secret,update-replication; limits.memory for: init-tls-secret,update-replication

The fact that containerSecurityContext and resources are not configurable prevents the statefulset from being started at all.
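The two admission errors quoted above can be reproduced offline before running `helm install`. The script below is an added example and is not part of jp-gouin/helm-openldap: it mirrors the four PodSecurity "restricted" checks named in the error (allowPrivilegeEscalation, capabilities.drop, runAsNonRoot, seccompProfile) and a ResourceQuota that requires limits.cpu and limits.memory on every container, init containers included. The pod specs inside it are constructed by hand to resemble the chart's StatefulSet pod; the container names come from the thread, while the images, limits and the helper names (`restricted_violations`, `quota_violations`) are assumptions made for the example.

```python
"""Offline pre-check mirroring the PodSecurity "restricted" and ResourceQuota
admission errors reported in the thread. Added example, not chart code.

Only the four restricted checks that appeared in the error message are
implemented; the real admission controller enforces more (e.g. host namespaces,
volume types). runAsNonRoot and seccompProfile may be satisfied at pod level,
as the "pod or containers" wording in the error says, but a container that
explicitly sets runAsNonRoot=false or an unlisted seccomp type still fails.
"""

RESTRICTED_SECCOMP = ("RuntimeDefault", "Localhost")


def _all_containers(pod_spec):
    # Init containers are subject to the same policy and quota as app containers.
    return pod_spec.get("initContainers", []) + pod_spec.get("containers", [])


def restricted_violations(pod_spec):
    """Return one message per failed 'restricted' check, per container."""
    pod_sc = pod_spec.get("securityContext", {})
    pod_non_root = pod_sc.get("runAsNonRoot") is True
    pod_seccomp = pod_sc.get("seccompProfile", {}).get("type") in RESTRICTED_SECCOMP
    problems = []
    for c in _all_containers(pod_spec):
        name, sc = c["name"], c.get("securityContext", {})
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{name}: must set securityContext.allowPrivilegeEscalation=false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            problems.append(f'{name}: must set securityContext.capabilities.drop=["ALL"]')
        # Pod-level true counts only if the container does not override it.
        non_root_ok = sc.get("runAsNonRoot") is True or (pod_non_root and "runAsNonRoot" not in sc)
        if not non_root_ok:
            problems.append(f"{name}: pod or container must set securityContext.runAsNonRoot=true")
        seccomp_ok = sc.get("seccompProfile", {}).get("type") in RESTRICTED_SECCOMP or (
            pod_seccomp and "seccompProfile" not in sc
        )
        if not seccomp_ok:
            problems.append(
                f"{name}: pod or container must set securityContext.seccompProfile.type "
                "to RuntimeDefault or Localhost"
            )
    return problems


def quota_violations(pod_spec, required=("cpu", "memory")):
    """Mirror a ResourceQuota with limits.cpu/limits.memory: every container
    must declare those limits. Messages follow the kube-apiserver wording."""
    missing = {}
    for c in _all_containers(pod_spec):
        limits = c.get("resources", {}).get("limits", {})
        for r in required:
            if r not in limits:
                missing.setdefault(f"limits.{r}", []).append(c["name"])
    return [f"must specify {k} for: {','.join(v)}" for k, v in missing.items()]


# --- constructed sample pods (assumptions, not the chart's rendered output) ---
HARDENED_SC = {
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
    "runAsNonRoot": True,
    "runAsUser": 1001,
    "seccompProfile": {"type": "RuntimeDefault"},
}
SMALL_LIMITS = {"limits": {"cpu": "50m", "memory": "64Mi"}}


def _container(name, image, hardened=False):
    c = {"name": name, "image": image}
    if hardened:
        c["securityContext"] = dict(HARDENED_SC)
        c["resources"] = SMALL_LIMITS
    return c


# As reported: only the openldap container carries securityContext and limits.
POD_BEFORE = {
    "initContainers": [
        _container("init-tls-secret", "alpine/openssl:latest"),
        _container("update-replication", "placeholder/image:tag"),
    ],
    "containers": [_container("openldap", "placeholder/openldap:tag", hardened=True)],
}

# After the fix: the same settings applied to the init containers too.
POD_AFTER = {
    "initContainers": [
        _container("init-tls-secret", "alpine/openssl:latest", hardened=True),
        _container("update-replication", "placeholder/image:tag", hardened=True),
    ],
    "containers": [_container("openldap", "placeholder/openldap:tag", hardened=True)],
}

if __name__ == "__main__":
    for label, pod in (("before", POD_BEFORE), ("after", POD_AFTER)):
        print(f"== {label} ==")
        for msg in restricted_violations(pod) + quota_violations(pod):
            print("  ", msg)
```

Running it prints eight policy violations and two quota violations for the "before" pod, all attributed to init-tls-secret and update-replication, and nothing for the "after" pod. The same checks can be run on the output of `helm template` once it is loaded into a dict, which is a cheaper loop than discovering the rejection at StatefulSet creation time.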

Hi @louisgls
I have added the required content based on your needs. Please download the latest content to try it out, and close this issue.

Hi @opencmit2 , thank you very much for your work, I'll test it this week.

Hi @opencmit2 , this is perfect, thank you very much.