Resolving Security Alerts on Azure by Setting up securityContext for Pods in DataHub Running on AKS

Original Slack Thread

Hi all, I am looking to resolve security alerts on Azure by setting up securityContext for all the pods in datahub running on AKS. For the cp-schema-registry (prerequisites version 0.0.14), both podSecurityContext and securityContext do not seem to take effect and the prometheus-jmx-exporter container is still running as the root user. Below is a snapshot of the values file for cp-schema-registry. Could someone please guide me on this resolution?

```yaml
  cp-schema-registry:
    enabled: true
    podSecurityContext:
      fsGroup: 1000
    securityContext:
      runAsUser: 1000
    prometheus:
      securityContext:
        runAsUser: 1000
      jmx:
        securityContext:
          runAsUser: 1000
    kafka:
      bootstrapServers: "prerequisites-kafka:9092"
  cp-kafka:
    enabled: false
  cp-zookeeper:
    enabled: false
  cp-kafka-rest:
    enabled: false
  cp-kafka-connect:
    enabled: false
  cp-ksql-server:
    enabled: false
  cp-control-center:
    enabled: false
```

<@U03MF8MU5P0> might be able to speak to this!

The confluent charts are not managed by DataHub, please refer to the upstream project documentation (https://confluentinc.github.io/cp-helm-charts/) for managing it. At a glance there is no released version of this chart that supports those security context settings. An alternative for new instances is to use DataHub as a read-only schema registry (works for DataHub topics only). This mode eliminates the requirement to run the confluent schema registry; it is activated here: https://github.com/acryldata/datahub-helm/blob/master/charts/datahub/values.yaml#L488. You'd then disable the cp-schema-registry in the prerequisites.
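An added check, not from the thread or from either project, for the situation the question describes: after rendering a release with `helm template`, list the containers that will still start as root, applying the Kubernetes rule that a container-level securityContext overrides the pod-level one key by key. The workload and container names in the sample are constructed to mirror the thread, and the input is assumed to be the rendered manifests already parsed into dicts (e.g. with yaml.safe_load_all).

```python
"""Audit parsed `helm template` output for containers that would start as root.

A container's uid is container.securityContext.runAsUser, else the pod-level
runAsUser, else the image's USER (root for many images); runAsNonRoot=true makes
the kubelet refuse a root container. Manifests are assumed pre-parsed into dicts.
"""
from typing import Any, Dict, List, Optional

def pod_spec(manifest: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Pod spec of a Pod, or of a Deployment/StatefulSet/DaemonSet/Job template."""
    if manifest.get("kind") == "Pod":
        return manifest.get("spec")
    if manifest.get("kind") in ("Deployment", "StatefulSet", "DaemonSet", "Job"):
        return manifest.get("spec", {}).get("template", {}).get("spec")
    return None

def effective(pod: Dict[str, Any], container: Dict[str, Any], key: str) -> Any:
    """Container-level securityContext overrides the pod-level one per key."""
    for ctx in (container.get("securityContext"), pod.get("securityContext")):
        if ctx and key in ctx:
            return ctx[key]
    return None

def find_root_containers(manifests: List[Dict[str, Any]]) -> List[str]:
    """Return 'workload/container' for every container not pinned to a non-root uid."""
    findings = []
    for m in manifests:
        pod = pod_spec(m)
        if pod is None:
            continue
        name = m.get("metadata", {}).get("name", "?")
        for c in pod.get("initContainers", []) + pod.get("containers", []):
            uid = effective(pod, c, "runAsUser")
            non_root = effective(pod, c, "runAsNonRoot") is True
            if (uid is None or uid == 0) and not non_root:
                findings.append(f"{name}/{c['name']}")
    return findings

# Constructed sample: the cp-schema-registry chart ignored the thread's securityContext
# values, so its containers have none; kafka pins a pod-level uid that one container
# overrides back to root (constructed to show the precedence rule).
SAMPLE = [
    {"kind": "Deployment", "metadata": {"name": "prerequisites-cp-schema-registry"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "cp-schema-registry"}, {"name": "prometheus-jmx-exporter"}]}}}},
    {"kind": "StatefulSet", "metadata": {"name": "prerequisites-kafka"},
     "spec": {"template": {"spec": {
         "securityContext": {"runAsUser": 1000, "fsGroup": 1000},
         "containers": [{"name": "kafka"},
                        {"name": "debug", "securityContext": {"runAsUser": 0}}]}}}},
]
```

Calling `find_root_containers(SAMPLE)` reports both cp-schema-registry containers and the overridden kafka sidecar, which is the list to re-run after switching to the internal schema registry to confirm the alert is gone.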