Update OpenShift security context constraints to support the operator…

… service account (#1325) * Update SecurityContextConstraints, fix list values, add operator service account * patch * Update helm-charts/splunk-otel-collector/templates/securityContextConstraints.yaml Co-authored-by: Jina Jain <[email protected]> --------- Co-authored-by: Jina Jain <[email protected]>
signalfx · Jun 27, 2024 · d750237 · d750237
1 parent 022342d
commit d750237
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 3 deletions.
diff --git a/.chloggen/update-security-context-contraints.yaml b/.chloggen/update-security-context-contraints.yaml
@@ -0,0 +1,12 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: bug_fix
+# The name of the component, or a single word describing the area of concern, (e.g. agent, clusterReceiver, gateway, operator, chart, other)
+component: chart
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Updated Security Context Constraints for OpenShift support to fix formatting issues and add support for the operator service account
+# One or more tracking issues related to the change
+issues: [1325]
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
diff --git a/examples/distribution-openshift/rendered_manifests/securityContextConstraints.yaml b/examples/distribution-openshift/rendered_manifests/securityContextConstraints.yaml
@@ -25,7 +25,7 @@ allowPrivilegedContainer: false
 allowedCapabilities: []
 defaultAddCapabilities: []
 fsGroup:
-  type: MustRunAs
+  type: RunAsAny
 priority: 10
 readOnlyRootFilesystem: true
 requiredDropCapabilities:

diff --git a/helm-charts/splunk-otel-collector/templates/securityContextConstraints.yaml b/helm-charts/splunk-otel-collector/templates/securityContextConstraints.yaml
@@ -26,7 +26,7 @@ seLinuxContext:
 allowedCapabilities: []
 defaultAddCapabilities: []
 fsGroup:
-  type: MustRunAs
+  type: RunAsAny
 readOnlyRootFilesystem: true
 runAsUser:
   type: RunAsAny
@@ -49,7 +49,9 @@ metadata:
     heritage: {{ .Release.Service }}
 users:
 - system:serviceaccount:{{ template "splunk-otel-collector.namespace" . }}:{{ template "splunk-otel-collector.serviceAccountName" . }}
-
+{{- if .Values.operator.enabled }}
+- system:serviceaccount:{{ include "splunk-otel-collector.namespace" . }}:{{ template "opentelemetry-operator.serviceAccountName" .Subcharts.operator }}
+{{- end }}
 {{- $config := include "splunk-otel-collector.defaultSecurityContextConstraints" . | fromYaml }}
 {{ .Values.securityContextConstraintsOverwrite | mustMergeOverwrite $config | toYaml }}
 {{- end }}