bitnami / charts

Bitnami Helm Charts

Home Page:https://bitnami.com


[bitnami/common] Add a possibility to omit empty seLinuxOptions property from non-OpenShift environments

minijus opened this issue · comments

Name and Version

bitnami/common 2.21.0

What is the problem this feature will solve?

Today many (all?) Bitnami Helm charts set an empty object for seLinuxOptions within containerSecurityPolicy, e.g. https://github.com/bitnami/charts/blob/main/bitnami/mongodb/values.yaml#L585

The empty seLinuxOptions property is only removed in OpenShift compatibility mode: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_compatibility.tpl#L28-L35

There are scenarios where OpenShift compatibility mode is not desired, but seLinuxOptions should still be removed.
For example: running on Azure Kubernetes Service (AKS) and using the built-in Azure Policy definition https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/SELinux.json while at the same time having to set one of the "fsGroup", "runAsUser" or "runAsGroup" properties in the security context.

With the scenario mentioned above, the built-in Azure Policy definition for SELinux fails with the message: "SELinux options is not allowed".


What is the feature you are proposing to solve the problem?

Similarly to global.compatibility.openshift.adaptSecurityContext, add a global.compatibility.omitEmptySeLinuxOptions value and use it in the common.compatibility.renderSecurityContext helper to conditionally omit seLinuxOptions when it is empty/falsy.

The default value for global.compatibility.omitEmptySeLinuxOptions should be false, making the change non-breaking.

What alternatives have you considered?

The only alternatives to overcome the mentioned issue are local "workarounds":

  • Wrapping the Helm chart with kustomize to remove the unwanted options
  • Modifying the built-in Azure Policy definition
  • Manually removing seLinuxOptions at runtime
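A sketch of how the proposed flag could be wired into the helper, written here as an added example and not code from the bitnami/common chart or from the issue author. The OpenShift branch is an assumed paraphrase of the existing helper, kept only to show where the new condition sits; the flag name follows the proposal above.

```helm
{{/*
Added example (not the chart's own code): renderSecurityContext with the
proposed global.compatibility.omitEmptySeLinuxOptions flag.
Usage in a chart template:
  {{ include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) }}
*/}}
{{- define "common.compatibility.renderSecurityContext" -}}
{{- $adaptedContext := .secContext -}}
{{- $global := (.context.Values.global | default dict) -}}
{{- $compat := ($global.compatibility | default dict) -}}

{{/* Existing behaviour (assumed shape): OpenShift mode strips the uid/gid
     fields and the empty seLinuxOptions object together. */}}
{{- if $compat.openshift -}}
  {{- $mode := $compat.openshift.adaptSecurityContext -}}
  {{- if or (eq $mode "force") (and (eq $mode "auto") (include "common.compatibility.isOpenshift" .context)) -}}
    {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
    {{- if not $adaptedContext.seLinuxOptions -}}
      {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
    {{- end -}}
  {{- end -}}
{{- end -}}

{{/* Proposed addition: outside OpenShift mode, drop seLinuxOptions only when
     it is empty/falsy, so a deliberately set level/type/user is never lost.
     The flag defaults to false, so charts render exactly as before unless
     the operator opts in (e.g. to satisfy the AKS SELinux policy). */}}
{{- if and $compat.omitEmptySeLinuxOptions (not $adaptedContext.seLinuxOptions) -}}
  {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
{{- end -}}

{{- omit $adaptedContext "enabled" | toYaml -}}
{{- end -}}
```

With `global.compatibility.omitEmptySeLinuxOptions: true` and the chart's default `seLinuxOptions: {}`, the rendered securityContext carries no seLinuxOptions key while fsGroup/runAsUser/runAsGroup are kept, which is the combination the Azure Policy definition rejects today.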

Hi!

Thank you so much for the draft! The team will take a look.