
fix: make securityContext configurable to resolve OpenShift non-default namespace deployment failure #460

Draft
narayviv wants to merge 2 commits into hpe-storage:master from narayviv:cosi_openshift_ndn_issue

Conversation

@narayviv (Contributor)

The COSI provisioner pod fails to deploy in non-default namespaces on OpenShift
clusters (AS-222433) because the deployment template hardcodes runAsUser: 1000,
runAsGroup: 1000, and fsGroup: 2000. These values conflict with OpenShift's
namespace-assigned UID/GID ranges enforced by the restricted-v2 SCC.

Changes:

  • Remove hardcoded UID/GID from pod securityContext in deployment template
  • Add configurable podSecurityContext (defaults to runAsNonRoot: true only)
  • Add configurable containerSecurityContext with restricted-profile defaults
    (allowPrivilegeEscalation: false, drop ALL capabilities, RuntimeDefault seccomp)
  • Update values.schema.json with new field definitions

This makes the chart compatible with both OpenShift (restricted-v2 SCC) and
Kubernetes (restricted Pod Security Standard) without requiring manual SCC
grants like anyuid.
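The change described above, as an added example that is not the PR's own chart code: the hardcoded pod securityContext the description says fails under restricted-v2, beside a values.yaml and deployment-template fragment that use the podSecurityContext and containerSecurityContext keys the PR adds. The Deployment and container names and the template indentation are assumptions.

```yaml
# BEFORE (constructed to match the description): fixed UID/GID in the pod spec.
# On OpenShift the restricted-v2 SCC only admits UIDs/GIDs from the namespace's
# assigned range, so runAsUser 1000 / fsGroup 2000 are rejected outside the
# namespace that happens to own that range.
spec:
  template:
    spec:
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 2000

---
# AFTER, values.yaml: no UID/GID at all, so OpenShift assigns them from the
# namespace range and plain Kubernetes keeps the image's own non-root user.
podSecurityContext:
  runAsNonRoot: true
# Restricted-profile container defaults (Pod Security Standard "restricted"
# and restricted-v2 SCC both require these).
containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  seccompProfile:
    type: RuntimeDefault

---
# AFTER, templates/deployment.yaml fragment: both blocks are rendered from
# values, so a cluster that needs a specific UID can still set it explicitly.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cosi-provisioner            # assumed name
spec:
  template:
    spec:
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      containers:
        - name: provisioner         # assumed name
          securityContext:
            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
```

A quick check after rendering is that `helm template` output contains no `runAsUser`, `runAsGroup` or `fsGroup` unless the values file sets them.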

narayviv added 2 commits May 27, 2026 11:13
…mespace deployment failure

Signed-off-by: Vivek Vishnu Narayanan <vivek-vishnu.narayanan@hpe.com>
Signed-off-by: Vivek Vishnu Narayanan <vivek-vishnu.narayanan@hpe.com>
@datamattsson (Collaborator)

If this runs on Kubernetes and OpenShift without modification, all these changes don't need to be parameterized. When would a user need to change any of these?
