Add Startup Volume Permission Enforcement (#482)

theeternalrat · web-flow · commit 7fa21774d9d9 · 2025-04-14T10:33:42.000+02:00
* add volume permissions

* fix variables for parent persistence

* more global variables

* rename init container

* refactor volume permissions container to extraInitContainers
diff --git a/charts/netdata/templates/parent/deployment.yaml b/charts/netdata/templates/parent/deployment.yaml
@@ -35,7 +35,7 @@ spec:
 {{- end }}
     spec:
       securityContext:
-        fsGroup: 201
+        fsGroup: {{ .Values.parent.securityContext.fsGroup }}
       serviceAccountName: {{ .Values.serviceAccount.name }}
       {{- if .Values.parent.priorityClassName }}
       priorityClassName: "{{ .Values.parent.priorityClassName }}"
@@ -58,6 +58,7 @@ spec:
           resources:
 {{ toYaml .Values.sysctlInitContainer.resources | indent 12 }}
       {{- end }}
+{{ toYaml .Values.parent.extraInitContainers | indent 8 }}
       containers:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ tpl .Values.image.tag . }}"
@@ -117,6 +118,9 @@ spec:
             periodSeconds: {{ .Values.parent.readinessProbe.periodSeconds }}
             successThreshold: {{ .Values.parent.readinessProbe.successThreshold }}
             timeoutSeconds: {{ .Values.parent.readinessProbe.timeoutSeconds }}
+          securityContext:
+            runAsUser: {{ .Values.parent.securityContext.runAsUser }}
+            runAsGroup: {{ .Values.parent.securityContext.runAsGroup }}
           volumeMounts:
             - name: os-release
               mountPath: /host/etc/os-release
diff --git a/charts/netdata/values.yaml b/charts/netdata/values.yaml
@@ -62,7 +62,7 @@ ingress:
   path: /
   pathType: Prefix
   hosts:
-    - netdata.k8s.local
+  - netdata.k8s.local
   ## whole spec is going to be included into ingress spec.
   ## if you intend to use ingressClassName declaration, remove ingress.class from annotations
   # spec:
@@ -129,6 +129,10 @@ parent:
     periodSeconds: 30
     successThreshold: 1
     timeoutSeconds: 1
+  securityContext:
+    runAsUser: 201
+    runAsGroup: 201
+    fsGroup: 201
 
   terminationGracePeriodSeconds: 300
 
@@ -236,6 +240,8 @@ parent:
 
   extraVolumes: []
 
+  extraInitContainers: []
+
 child:
   enabled: true
   port: "{{ .Values.parent.port }}"
@@ -270,8 +276,8 @@ child:
   nodeSelector: {}
 
   tolerations:
-    - operator: Exists
-      effect: NoSchedule
+  - operator: Exists
+    effect: NoSchedule
 
   affinity: {}
 
