
helm chart is not picking security context value passed in values.yml #159

Open
AnishaM7 opened this issue Jun 5, 2024 · 4 comments

Comments

@AnishaM7

AnishaM7 commented Jun 5, 2024

Describe the bug

We are deploying CouchDB using the Helm chart. In values.yaml we are defining the security context as follows:

containerSecurityContext:
  fsGroup: 5984
  runAsUser: 5984
  runAsNonRoot: true

But these values are not taken; we are facing the error below:

Error: container has runAsNonRoot and image will run as root (pod: "couchdb-couchdb-0_octosec-int(82e260ef-3a13-409f-92a5-de0bf9f633ff)", container: init-copy)

Could you please let me know how to pass the value?

Version of Helm and Kubernetes:

kubectl version
Client Version: v1.29.3

Helm version "v3.14.2"

@bryopsida
Contributor

What happens if you set the runAsGroup: 5984 as well?

Try these values.

podSecurityContext:
  seccompProfile:
   type: RuntimeDefault
  fsGroup: 5984
  fsGroupChangePolicy: "Always"
containerSecurityContext:
  runAsNonRoot: true
  runAsUser: 5984
  runAsGroup: 5984
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL

@AnishaM7
Author

AnishaM7 commented Jun 21, 2024

Yes, we are using the security context as you mentioned, but we need to add these values in the values.yaml file:

# -- the initial number of nodes in the CouchDB cluster.
clusterSize: 3

# -- If allowAdminParty is enabled the cluster will start up without any database
# administrator account; i.e., all users will be granted administrative
# access. Otherwise, the system will look for a Secret called
# <ReleaseName>-couchdb containing `adminUsername`, `adminPassword` and
# `cookieAuthSecret` keys. See the `createAdminSecret` flag.
# ref: https://kubernetes.io/docs/concepts/configuration/secret/
allowAdminParty: false
containerSecurityContext:
  fsGroup: 5984
  runAsUser: 5984

When we add it here, the Helm deployment doesn't pick up the value.
Please let us know the correct format to include in the values file.

@AnishaM7
Author

AnishaM7 commented Jun 24, 2024

Hi,

Please let me know if I can add these options in the values.yaml file used in the Helm deployment.

podSecurityContext:
  seccompProfile:
   type: RuntimeDefault
  fsGroup: 5984
  fsGroupChangePolicy: "Always"
containerSecurityContext:
  runAsNonRoot: true
  runAsUser: 5984
  runAsGroup: 5984
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL

@bryopsida
Contributor

bryopsida commented Jun 29, 2024

> Hi,
>
> Please let me know if I can add these options in the values.yaml file used in the Helm deployment.
>
> podSecurityContext:
>   seccompProfile:
>    type: RuntimeDefault
>   fsGroup: 5984
>   fsGroupChangePolicy: "Always"
> containerSecurityContext:
>   runAsNonRoot: true
>   runAsUser: 5984
>   runAsGroup: 5984
>   allowPrivilegeEscalation: false
>   capabilities:
>     drop:
>       - ALL

If I'm understanding what you are asking, yes. Those values are what I use when I'm testing deploying to a namespace with PSA restricted enabled, with:

helm repo add couchdb https://apache.github.io/couchdb-helm
helm repo update
helm upgrade --install --namespace couchdb couchdb couchdb/couchdb --version=4.5.6 -f ~/couchdb-test-psa-values.yaml

You can see that the securityContext is applied here when those values are provided.

securityContext: {{ .Values.containerSecurityContext | toYaml | nindent 12 }}

You can combine the above values with the previous values you mentioned as well.
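A small check for the scoping problem in this thread, added here as an example (it is not part of the chart or of anyone's comment above): it takes the already-parsed values as a dict and flags fields placed in the wrong securityContext scope (fsGroup is a pod-level field, so the chart's container-level template line cannot apply it), plus a runAsNonRoot without a numeric runAsUser, which is the combination behind the "image will run as root" error. The field sets below are the Kubernetes API field names; the sample inputs are constructed from the values posted in this issue.

```python
from typing import Any, Dict, List

# Field scopes from the Kubernetes API: PodSecurityContext vs the container-level
# SecurityContext. Names in SHARED are accepted in both scopes.
POD_ONLY = {"fsGroup", "fsGroupChangePolicy", "supplementalGroups", "sysctls"}
CONTAINER_ONLY = {"allowPrivilegeEscalation", "capabilities", "privileged",
                  "readOnlyRootFilesystem", "procMount"}
SHARED = {"runAsUser", "runAsGroup", "runAsNonRoot", "seccompProfile",
          "seLinuxOptions", "windowsOptions", "appArmorProfile"}


def lint_security_contexts(values: Dict[str, Any]) -> List[str]:
    """Return findings for the podSecurityContext/containerSecurityContext values."""
    pod = values.get("podSecurityContext") or {}
    ctr = values.get("containerSecurityContext") or {}
    findings: List[str] = []
    for key in pod:
        if key in CONTAINER_ONLY:
            findings.append(f"podSecurityContext.{key}: container-only field; move it to containerSecurityContext")
        elif key not in POD_ONLY | SHARED:
            findings.append(f"podSecurityContext.{key}: not a PodSecurityContext field")
    for key in ctr:
        if key in POD_ONLY:
            findings.append(f"containerSecurityContext.{key}: pod-only field; move it to podSecurityContext")
        elif key not in CONTAINER_ONLY | SHARED:
            findings.append(f"containerSecurityContext.{key}: not a SecurityContext field")
    # A container-level value overrides the pod-level one, so work out the
    # effective settings before checking the pairing behind the error in this
    # issue: runAsNonRoot without a numeric runAsUser makes the kubelet fall back
    # to the image's USER, and it refuses the container if that is root or not numeric.
    non_root = ctr.get("runAsNonRoot", pod.get("runAsNonRoot", False))
    uid = ctr.get("runAsUser", pod.get("runAsUser"))
    if non_root and uid is None:
        findings.append("runAsNonRoot is true but runAsUser is unset; the kubelet "
                        "starts the container only if the image declares a numeric non-root USER")
    if uid == 0:
        findings.append("runAsUser is 0: the container would run as root")
    return findings


# Constructed inputs: the values from the bug report and the suggested replacement.
REPORTED = {"containerSecurityContext": {"fsGroup": 5984, "runAsUser": 5984,
                                         "runAsNonRoot": True}}
SUGGESTED = {
    "podSecurityContext": {"seccompProfile": {"type": "RuntimeDefault"},
                           "fsGroup": 5984, "fsGroupChangePolicy": "Always"},
    "containerSecurityContext": {"runAsNonRoot": True, "runAsUser": 5984,
                                 "runAsGroup": 5984, "allowPrivilegeEscalation": False,
                                 "capabilities": {"drop": ["ALL"]}},
}
```

Calling `lint_security_contexts(REPORTED)` returns the single fsGroup-scope finding, while the suggested values return an empty list.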
