UNCLASSIFIED - NO CUI

Skip to content

SKIP UPGRADE #155: Add correct pod security context values to pass kyverno tests for postgresql

Andrew Kesterson requested to merge 155_securitycontext into main

General MR

Summary

This corrects the postgresql pod securitycontext configuration to pass kyverno tests, discovered during mergeback of the previous MR on #155 (closed) into the bigbang umbrella chart.

Relevant logs/screenshots

Before

0s (x17 over 6m2s)    Warning   FailedCreate            StatefulSet/mattermost-postgresql                       create Pod mattermost-postgresql-0 in StatefulSet mattermost-postgresql failed error: admission webhook "validate.kyverno.svc-fail" denied the request: 

resource Pod/mattermost/mattermost-postgresql-0 was blocked due to the following policies 

require-non-root-group:
  run-as-group: 'validation failure: validation error: runAsGroup must be set to an
    id > 0 in either spec.securityContext.runAsGroup or (spec.containers[*].securityContext.runAsGroup,
    spec.initContainers[*].securityContext.runAsGroup, and spec.ephemeralContainers[*].securityContext.runAsGroup).
    rule run-as-group[0] failed at path /securityContext/runAsGroup/'
restrict-host-path-write:
  require-readonly-hostpath: rule skipped

After, mattermost works and tests pass

Linked Issue

155

Upgrade Notices

BREAKING CHANGE If using the sub-chart Postgres database for Mattermost, you will be required to perform a pg_dump before upgrading and then restore the database and data to the new pod in order to keep data. There is no clean upgrade path from prior PostgreSQL versions to the new version. This sub-chart in-cluster database is NOT a production setup/recommended installation.

BREAKING CHANGE If you are setting a custom username, password or database for the sub-chart Postgres database for mattermost, the credential settings have moved.

Old setting New setting
postgresql.postgresqlUsername postgresql.auth.username
postgresql.postgresqlPassword postgresql.auth.password
postgresql.postgresqlDatabase postgresql.auth.database
Edited by Andrew Kesterson

Merge request reports

Loading