Troubleshooting Pod Security Context in DataHub Helm Charts Deployment

Original Slack Thread

Hello, we are using DataHub deployed in GCP through Helm charts. My organization enforces a strict pod security context, e.g. runAsNonRoot.
I see that many of the pods deployed from the DataHub Helm charts support overriding securityContext through values.yaml files, except the cronJobs created from the <datahub-helm/charts/datahub/subcharts/datahub-ingestion-cron/templates/cron.yaml at ef63fae2d436ff099f600c8909a96a1e98c90c5b · acryldata/datahub-helm · GitHub template> file.
Do you have a workaround to add/update securityContext for these cronJobs?

Hello <@U040V3TUD5J>, I have the same issue; however, I am struggling with this log:
would violate PodSecurity "restricted:v1.24": unrestricted capabilities (container "kafka" must set securityContext.capabilities.drop=["ALL"])

I have tried running helm upgrade with --set kafka.podSecurityContext.capabilities.drop=["ALL"] as well as with --set kafka.securityContext.capabilities.drop=["ALL"], but neither of them solves the problem...

Which particular application deployment/cronJob are you struggling to set securityContext for?

I see the issue only with cronJobs from the datahub-ingestion-cron module.

The rest of them I can override from the corresponding values.yaml files.

I’m running:
helm upgrade prerequisites datahub/datahub-prerequisites --values=values.txt --set elasticsearch.securityContext.allowPrivilegeEscalation=false --set kafka.podSecurityContext.capabilities.drop=["ALL"]

Shouldn't it be elasticsearchSetupJob.securityContext.allowPrivilegeEscalation=false?

I think the setup job is in datahub itself, not in prerequisites.

I'm struggling with securityContext.capabilities.drop=["ALL"]

Why don't you try to set all of them from a properly formatted values-override.yaml file and pass it as an argument to helm upgrade instead of doing it from the command line?

It is vulnerable to formatting errors with array elements as command-line args, I believe.

I'm trying to do this as well, but I cannot do it for the argument (container "kafka" must set securityContext.capabilities.drop=["ALL"])

Ah! I see that you are trying to set securityContext for the apps being installed as prerequisites... then you should look in the corresponding chart repo to see how securityContext is expected. I do not do that; I use pre-installed ES and Kafka services.
Search for the different security configs for brokers and controllers, etc.

For ES:

BTW, I created a PR to add configuration support for securityContext in ingestion cronJobs.