Merge pull request #20 from NetApp/fix-scc

Adding OpenShift SCC fix and bumping charts to 4.1.2

Author: romdalf

charts/netapp-neo/Chart.yaml

@@ -4,5 +4,5 @@ description: NetApp Neo v4.x — context lake microservice architecture for AI s
 type: application
 keywords: ["NetApp", "Neo", "MCP", "AI", "context lake"]
 home: "https://netapp.github.io/Innovation-Labs/"
-version: 26.4.3
-appVersion: "4.1.0"
+version: 26.4.4
+appVersion: "4.1.2"

charts/netapp-neo/OPENSHIFT.MD

@@ -0,0 +1,165 @@
+# Deploy NetApp Neo on OpenShift
+
+This guide describes how to deploy this chart on OpenShift with the new security model:
+
+- Restricted-v2 baseline for the application
+- Mandatory privileged exceptions for `worker` and `extractor` to access remote file systems
+- Helm validation enforces this mode during render/install
+
+## 1. Prerequisites
+
+- OpenShift cluster access (`oc`)
+- Helm 3
+- Cluster admin support for SCC binding (required for privileged worker/extractor mode)
+- Target namespace exists, example: `neo-poc`
+
+Select your target namespace:
+
+```bash
+oc project neo-poc
+```
+
+Prepare OpenShift values override file:
+
+```bash
+cat > values-openshift.yaml <<'EOF'
+openshift:
+  restrictedV2:
+    enabled: true
+  api:
+    serviceAccount:
+      create: true
+      name: ""
+      annotations: {}
+  ui:
+    serviceAccount:
+      create: true
+      name: ""
+      annotations: {}
+  privilegedWorkloads:
+    worker:
+      enabled: true
+      serviceAccount:
+        create: true
+        name: ""
+        annotations: {}
+    extractor:
+      enabled: true
+      serviceAccount:
+        create: true
+        name: ""
+        annotations: {}
+EOF
+```
+
+## 2. Deployment Mode
+
+### Restricted-v2 + privileged exceptions (worker/extractor)
+
+This is the required deployment mode for this application because `worker` and `extractor`
+must mount filesystems inside the pod.
+
+Required chart behavior:
+
+- `openshift.restrictedV2.enabled=true`
+- `openshift.privilegedWorkloads.worker.enabled=true`
+- `openshift.privilegedWorkloads.extractor.enabled=true`
+
+These are enforced by chart validation. Helm will fail if any are set to `false`.
+
+Deploy:
+
+```bash
+helm upgrade --install netapp-neo innovation-labs/netapp-neo \
+  -n neo-poc \
+  -f ./netapp-neo/values.yaml \
+  -f ./values-openshift.yaml \
+  --wait --timeout 10m --rollback-on-failure
+```
+
+If you maintain a platform-specific values file, keep this OpenShift block there.
+
+## 3. Bind SCC for Privileged Exception Service Accounts
+
+In this mode, the chart creates service accounts:
+
+- `netapp-neo-netapp-neo-api`
+- `netapp-neo-netapp-neo-ui`
+- `netapp-neo-netapp-neo-worker-privileged`
+- `netapp-neo-netapp-neo-extractor-privileged`
+
+Bind an SCC that permits required behavior (example shown with `privileged`; use a narrower custom SCC if possible):
+
+```bash
+oc adm policy add-scc-to-user privileged \
+  -z netapp-neo-netapp-neo-worker-privileged \
+  -n neo-poc
+
+oc adm policy add-scc-to-user privileged \
+  -z netapp-neo-netapp-neo-extractor-privileged \
+  -n neo-poc
+```
+
+If you set custom service account names in values:
+
+- `openshift.api.serviceAccount.name`
+- `openshift.ui.serviceAccount.name`
+- `openshift.privilegedWorkloads.worker.serviceAccount.name`
+- `openshift.privilegedWorkloads.extractor.serviceAccount.name`
+
+use those names in the `oc adm policy` commands.
+
+If you set `serviceAccount.create=false`, ensure those service accounts already exist in the namespace.
+
+## 4. Verify Deployment
+
+Check pods:
+
+```bash
+oc get pods -n neo-poc
+```
+
+Check service account used by api/ui/worker/extractor:
+
+```bash
+oc get deploy netapp-neo-netapp-neo-api -n neo-poc -o jsonpath='{.spec.template.spec.serviceAccountName}{"\n"}'
+oc get deploy netapp-neo-netapp-neo-ui -n neo-poc -o jsonpath='{.spec.template.spec.serviceAccountName}{"\n"}'
+oc get deploy netapp-neo-netapp-neo-worker -n neo-poc -o jsonpath='{.spec.template.spec.serviceAccountName}{"\n"}'
+oc get deploy netapp-neo-netapp-neo-extractor -n neo-poc -o jsonpath='{.spec.template.spec.serviceAccountName}{"\n"}'
+```
+
+Check events for SCC admission issues:
+
+```bash
+oc get events -n neo-poc --sort-by=.lastTimestamp | tail -n 50
+```
+
+Confirm API deployment does not render forbidden fixed IDs or explicit seccomp:
+
+```bash
+oc get deploy netapp-neo-netapp-neo-api -n neo-poc -o yaml | grep -E "runAsUser|runAsGroup|fsGroup|seccompProfile" -n
+```
+
+## 5. Troubleshooting
+
+If pods are blocked by SCC:
+
+- Confirm privileged exception flags are enabled as required.
+- Confirm SCC binding exists for the exact service account names.
+- Confirm namespace in `oc adm policy` matches deployment namespace.
+- Confirm api/ui/worker/extractor serviceAccountName values in the live deployment are the expected service accounts.
+- Confirm worker/extractor service accounts are the ones bound to SCC.
+- Re-run Helm with `--wait --rollback-on-failure` to catch rollout failures clearly.
+
+Example inspection:
+
+```bash
+oc describe rs -n neo-poc | grep -E "forbidden|security context constraint|SCC|restricted-v2" -i
+```
+
+## 6. Recommended Operational Practice
+
+- Keep this single enforced mode for OpenShift deployments.
+- Keep API and UI on dedicated non-privileged service accounts.
+- Grant elevated SCC only to `worker` and `extractor` service accounts.
+- Prefer a custom least-privilege SCC over broad `privileged` SCC when feasible.

charts/netapp-neo/_temp/values-openshift-privileged.yaml

@@ -0,0 +1,46 @@
+# OpenShift profile with privileged exceptions for worker/extractor.
+# This is the required mode for this chart on OpenShift because these workloads mount filesystems in the pod.
+# The three enabled flags below are chart-enforced by templates/validations.yaml.
+# Usage:
+# git clone --branch fix-scc https://github.com/NetApp/Innovation-Labs.git
+# cd Innovation-Labs/charts/netapp-neo
+# helm upgrade --install netapp-neo . -n neo-poc -f values.yaml -f _temp/values-openshift-privileged.yaml --wait --timeout 10m --rollback-on-failure
+
+openshift:
+  restrictedV2:
+    enabled: true
+  api:
+    serviceAccount:
+      create: true
+      # If create=false, service account must already exist in the namespace.
+      # Leave empty to use generated name:
+      # <release>-netapp-neo-api
+      name: ""
+      annotations: {}
+  ui:
+    serviceAccount:
+      create: true
+      # If create=false, service account must already exist in the namespace.
+      # Leave empty to use generated name:
+      # <release>-netapp-neo-ui
+      name: ""
+      annotations: {}
+  privilegedWorkloads:
+    worker:
+      enabled: true
+      serviceAccount:
+        create: true
+        # If create=false, service account must already exist in the namespace.
+        # Leave empty to use generated name:
+        # <release>-netapp-neo-worker-privileged
+        name: ""
+        annotations: {}
+    extractor:
+      enabled: true
+      serviceAccount:
+        create: true
+        # If create=false, service account must already exist in the namespace.
+        # Leave empty to use generated name:
+        # <release>-netapp-neo-extractor-privileged
+        name: ""
+        annotations: {}

charts/netapp-neo/templates/NOTES.txt

@@ -37,3 +37,17 @@ To access the API locally:
 
 To access the UI locally:
   kubectl -n {{ .Release.Namespace}} port-forward svc/{{ include "netapp-neo.fullname" . }}-ui 8080:{{ .Values.ui.service.port }}
+
+{{- if .Values.openshift.privilegedWorkloads.worker.enabled }}
+
+OpenShift setup required for worker privileged mode:
+  - Bind an SCC that allows the required mount behavior to service account:
+    {{ include "netapp-neo.workerPrivilegedServiceAccountName" . }}
+{{- end }}
+
+{{- if .Values.openshift.privilegedWorkloads.extractor.enabled }}
+
+OpenShift setup required for extractor privileged mode:
+  - Bind an SCC that allows the required mount behavior to service account:
+    {{ include "netapp-neo.extractorPrivilegedServiceAccountName" . }}
+{{- end }}

charts/netapp-neo/templates/_helpers.tpl

@@ -88,8 +88,6 @@ Only useful when postgresql.enabled is true.
   securityContext:
     allowPrivilegeEscalation: false
     runAsNonRoot: true
-    seccompProfile:
-      type: RuntimeDefault
     capabilities:
       drop:
         - ALL
@@ -121,3 +119,38 @@ Usage: include "netapp-neo.imageTag" (dict "imageTag" .Values.api.image.tag "app
 {{- define "netapp-neo.imageTag" -}}
 {{- default .appVersion .imageTag -}}
 {{- end -}}
+
+{{/*
+Service account names used by workloads in OpenShift mode.
+*/}}
+{{- define "netapp-neo.apiServiceAccountName" -}}
+{{- if .Values.openshift.api.serviceAccount.name -}}
+{{- .Values.openshift.api.serviceAccount.name -}}
+{{- else -}}
+{{- printf "%s-api" (include "netapp-neo.fullname" .) -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "netapp-neo.uiServiceAccountName" -}}
+{{- if .Values.openshift.ui.serviceAccount.name -}}
+{{- .Values.openshift.ui.serviceAccount.name -}}
+{{- else -}}
+{{- printf "%s-ui" (include "netapp-neo.fullname" .) -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "netapp-neo.workerPrivilegedServiceAccountName" -}}
+{{- if .Values.openshift.privilegedWorkloads.worker.serviceAccount.name -}}
+{{- .Values.openshift.privilegedWorkloads.worker.serviceAccount.name -}}
+{{- else -}}
+{{- printf "%s-worker-privileged" (include "netapp-neo.fullname" .) -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "netapp-neo.extractorPrivilegedServiceAccountName" -}}
+{{- if .Values.openshift.privilegedWorkloads.extractor.serviceAccount.name -}}
+{{- .Values.openshift.privilegedWorkloads.extractor.serviceAccount.name -}}
+{{- else -}}
+{{- printf "%s-extractor-privileged" (include "netapp-neo.fullname" .) -}}
+{{- end -}}
+{{- end -}}

charts/netapp-neo/templates/api-deployment.yaml

@@ -20,13 +20,9 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      serviceAccountName: {{ include "netapp-neo.apiServiceAccountName" . }}
       securityContext:
-        runAsUser: 1000
-        runAsGroup: 1000
-        fsGroup: 1000
         runAsNonRoot: true
-        seccompProfile:
-          type: RuntimeDefault
       {{- if .Values.postgresql.enabled }}
       initContainers:
         {{- include "netapp-neo.waitForDb" . | nindent 8 }}
@@ -51,8 +47,6 @@ spec:
           securityContext:
             allowPrivilegeEscalation: false
             runAsNonRoot: true
-            seccompProfile:
-              type: RuntimeDefault
             capabilities:
               drop:
                 - ALL

charts/netapp-neo/templates/extractor-deployment.yaml

@@ -20,10 +20,23 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- if .Values.openshift.privilegedWorkloads.extractor.enabled }}
+      serviceAccountName: {{ include "netapp-neo.extractorPrivilegedServiceAccountName" . }}
+      {{- end }}
+      {{- if .Values.openshift.privilegedWorkloads.extractor.enabled }}
+      securityContext:
+        {{- toYaml .Values.openshift.privilegedWorkloads.extractor.podSecurityContext | nindent 8 }}
+      {{- else if .Values.openshift.restrictedV2.enabled }}
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
+      {{- else }}
       securityContext:
         runAsUser: 1000
         runAsGroup: 1000
         fsGroup: 1000
+      {{- end }}
       {{- if .Values.postgresql.enabled }}
       initContainers:
         {{- include "netapp-neo.waitForDb" . | nindent 8 }}
@@ -42,6 +55,19 @@ spec:
                 secretKeyRef:
                   name: {{ include "netapp-neo.fullname" . }}-db
                   key: DATABASE_URL
+          {{- if .Values.openshift.privilegedWorkloads.extractor.enabled }}
+          securityContext:
+            {{- toYaml .Values.openshift.privilegedWorkloads.extractor.containerSecurityContext | nindent 12 }}
+          {{- else if .Values.openshift.restrictedV2.enabled }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
+            capabilities:
+              drop:
+                - ALL
+          {{- else }}
           securityContext:
             runAsUser: 1000
             runAsGroup: 1000
@@ -50,6 +76,7 @@ spec:
             runAsNonRoot: false
             appArmorProfile:
               type: Unconfined
+          {{- end }}
           {{- with .Values.extractor.resources }}
           resources:
             {{- toYaml . | nindent 12 }}