Hello, we are using DataHub deployed in GCP through helm charts. My organization enforces a strict pod security context like runAsNonRoot.
I see that many of the pods deployed from the DataHub helm charts support overriding securityContext through values.yaml files, except the cronJobs created from the charts/datahub/subcharts/datahub-ingestion-cron/templates/cron.yaml template (acryldata/datahub-helm on GitHub, commit ef63fae2d436ff099f600c8909a96a1e98c90c5b).
Do you guys have a workaround to add/update securityContext for these cronJobs?
Hello <@U040V3TUD5J> I have the same issue, however I am struggling with log:
would violate PodSecurity "restricted:v1.24": unrestricted capabilities (container "kafka" must set securityContext.capabilities.drop=["ALL"])
I have tried running helm upgrade with --set kafka.podSecurityContext.capabilities.drop=["ALL"] as well as with --set kafka.securityContext.capabilities.drop=["ALL"], but neither of them solves the problem…
Which particular application deployment/cronJob are you struggling to set securityContext for?
I see the issue only with the cronJobs from the datahub-ingestion-cron module.
The rest of them I can override via the corresponding values.yaml files.
I’m running:
helm upgrade prerequisites datahub/datahub-prerequisites --values=values.txt --set elasticsearch.securityContext.allowPrivilegeEscalation=false --set kafka.podSecurityContext.capabilities.drop=["ALL"]
Shouldn't it be elasticsearchSetupJob.securityContext.allowPrivilegeEscalation=false?
I think the setup job is in datahub itself, not in prerequisites.
I'm struggling with securityContext.capabilities.drop=["ALL"]
Why don't you try to set all of them from a properly formatted values-override.yaml file and pass it as an argument to helm upgrade instead of doing it from the command line?
It is vulnerable to formatting errors with array elements as command-line args, I believe.
I'm trying to do this as well, but I cannot do it for the argument (container "kafka" must set securityContext.capabilities.drop=["ALL"])
Ah! I see that you are trying to set securityContext for the apps being installed as prerequisites… then you should look in the corresponding chart repo to see how securityContext is expected… I do not do that… I use pre-installed ES and Kafka services.
https://artifacthub.io/packages/helm/bitnami/kafka
search for different security configs for brokers and controllers etc
BTW, I created a PR (https://github.com/acryldata/datahub-helm/pull/373) to add configuration support for securityContext in ingestion cronJobs.