fix: dind-lv-monitor securty context for openshift (#377)

Author: mikhail-klimko

charts/cf-runtime/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 description: A Helm chart for Codefresh Runner
 name: cf-runtime
-version: 3.0.7
+version: 3.0.8
 keywords:
   - codefresh
   - runner
@@ -15,7 +15,9 @@ maintainers:
 annotations:
   artifacthub.io/changes: |
     - kind: fixed
-      description: Fix env var indent in runtime patch job
+      description: Fix security context for dind-lv-monitor (OpenShift support)
+    - kind: changed
+      description: Use rootless cli image for runtime patch job
 dependencies:
   - name: cf-common
     repository: https://chartmuseum.codefresh.io/cf-common

charts/cf-runtime/README.md

@@ -1,6 +1,6 @@
 ## Codefresh Runner
 
-![Version: 3.0.7](https://img.shields.io/badge/Version-3.0.7-informational?style=flat-square)
+![Version: 3.0.8](https://img.shields.io/badge/Version-3.0.8-informational?style=flat-square)
 
 Helm chart for deploying [Codefresh Runner](https://codefresh.io/docs/docs/installation/codefresh-runner/) to Kubernetes.
 
@@ -19,6 +19,7 @@ Helm chart for deploying [Codefresh Runner](https://codefresh.io/docs/docs/insta
   - [Custom global environment variables](#custom-global-environment-variables)
   - [Volume reuse policy](#volume-reuse-policy)
   - [Volume cleaners](#volume-cleaners)
+  - [Openshift](#openshift)
 
 ## Prerequisites
 
@@ -374,6 +375,39 @@ volumeProvisioner:
       INODE_USAGE_THRESHOLD: 60  # default 80
 ```
 
+### Openshift
+
+To install Codefresh Runner on OpenShift use the following `values.yaml` example
+
+```yaml
+runner:
+  podSecurityContext:
+    enabled: false
+
+volumeProvisioner:
+  podSecurityContext:
+    enabled: false
+  env:
+    PRIVILEGED_CONTAINER: true
+  dind-lv-monitor:
+    containerSecurityContext:
+      enabled: true
+      privileged: true
+    volumePermissions:
+      enabled: true
+      securityContext:
+        privileged: true
+        runAsUser: auto
+```
+
+Grant `privileged` SCC to `cf-runtime-runner` and `cf-runtime-volume-provisioner` service accounts.
+
+```console
+oc adm policy add-scc-to-user privileged system:serviceaccount:codefresh:cf-runtime-runner
+
+oc adm policy add-scc-to-user privileged system:serviceaccount:codefresh:cf-runtime-volume-provisioner
+```
+
 ## Requirements
 
 | Repository | Name | Version |

charts/cf-runtime/README.md.gotmpl

@@ -19,6 +19,7 @@ Helm chart for deploying [Codefresh Runner](https://codefresh.io/docs/docs/insta
   - [Custom global environment variables](#custom-global-environment-variables)
   - [Volume reuse policy](#volume-reuse-policy)
   - [Volume cleaners](#volume-cleaners)
+  - [Openshift](#openshift)
 
 ## Prerequisites
 
@@ -374,6 +375,40 @@ volumeProvisioner:
       INODE_USAGE_THRESHOLD: 60  # default 80
 ```
 
+### Openshift
+
+To install Codefresh Runner on OpenShift use the following `values.yaml` example
+
+```yaml
+runner:
+  podSecurityContext:
+    enabled: false
+
+volumeProvisioner:
+  podSecurityContext:
+    enabled: false
+  env:
+    PRIVILEGED_CONTAINER: true
+  dind-lv-monitor:
+    containerSecurityContext:
+      enabled: true
+      privileged: true
+    volumePermissions:
+      enabled: true
+      securityContext:
+        privileged: true
+        runAsUser: auto
+```
+
+Grant `privileged` SCC to `cf-runtime-runner` and `cf-runtime-volume-provisioner` service accounts.
+
+```console
+oc adm policy add-scc-to-user privileged system:serviceaccount:codefresh:cf-runtime-runner
+
+oc adm policy add-scc-to-user privileged system:serviceaccount:codefresh:cf-runtime-volume-provisioner
+```
+
+
 {{ template "chart.requirementsSection" . }}
 
 {{ template "chart.valuesSection" . }}

charts/cf-runtime/templates/volume-provisioner/daemonset.yaml

@@ -38,17 +38,25 @@ spec:
         args:
          - -ec
          - |
-           chown -R {{ $values.podSecurityContext.fsGroup }}:{{ $values.podSecurityContext.fsGroup }} {{ $localVolumeParentDir }}
+           chown -R {{ $values.podSecurityContext.runAsUser }}:{{ $values.podSecurityContext.fsGroup }} {{ $localVolumeParentDir }}
         volumeMounts:
         - mountPath: {{ $localVolumeParentDir }}
           name: dind-volume-dir
+        {{- if eq ( toString ( $values.volumePermissions.securityContext.runAsUser )) "auto" }}
+        securityContext: {{- omit $values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 10 }}
+        {{- else }}
+        securityContext: {{- $values.volumePermissions.securityContext | toYaml | nindent 10 }}
+        {{- end }}
         resources:
           {{- toYaml $values.volumePermissions.resources | nindent 10 }}
       {{- end }}
       containers:
       - name: dind-lv-monitor
         image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $values.image "context" .) }}
         imagePullPolicy: {{ $values.image.pullPolicy | default "Always" }}
+        {{- if $values.containerSecurityContext.enabled }}
+        securityContext: {{- omit $values.containerSecurityContext "enabled" | toYaml | nindent 10 }}
+        {{- end }}
         command:
           - /home/dind-volume-utils/bin/local-volumes-agent
         env:

charts/cf-runtime/values.yaml

@@ -194,7 +194,9 @@ volumeProvisioner:
     podAnnotations: {}
     podSecurityContext:
       enabled: true
+      runAsUser: 1000
       fsGroup: 1000
+    containerSecurityContext: {}
     env: {}
     resources: {}
     nodeSelector: {}
@@ -209,6 +211,8 @@ volumeProvisioner:
         repository: alpine
         tag: 3.18
       resources: {}
+      securityContext:
+        runAsUser: 0 # auto
 
   # `dind-volume-cleanup` CronJob parameters
   # (external volumes cleaner)
@@ -499,14 +503,15 @@ runtime:
     image:
       registry: quay.io
       repository: codefresh/cli
-      tag: 0.84.6
+      tag: 0.84.8-rootless
     annotations: {}
     affinity: {}
     nodeSelector: {}
     podSecurityContext: {}
     resources: {}
     tolerations: []
-    env: {}
+    env:
+      HOME: /tmp
 
   # -- Set parent runtime to inherit.
   # Should not be changes. Parent runtime is controlled from Codefresh side.