Related to: #192
Problem
When deploying the Helm chart in environments with strict Pod Security Standards (e.g., ArgoCD, OpenShift), the deployment fails with:
Error: container has runAsNonRoot and image has non-numeric user (nonroot), cannot verify user is non-root
Root Cause
The manager.yaml template hardcodes runAsNonRoot: true at the pod securityContext level (lines 52-53):
securityContext:
  runAsNonRoot: true
However, the container image uses a non-numeric user (nonroot). Kubernetes requires a numeric UID to verify that the user is not root. Without runAsUser specified, Kubernetes cannot perform this verification and rejects the pod.
Proposed Solution
Add support for runAsUser in the Helm values.
In values.yaml:
securityContext:
  runAsUser: 65532 # Optional: numeric UID for the nonroot user
  seccompProfile:
    enabled: false
In manager.yaml:
securityContext:
  runAsNonRoot: true
  {{- with .Values.securityContext.runAsUser }}
  runAsUser: {{ . }}
  {{- end }}
Workaround
Currently requires Kustomize post-rendering to patch the deployment, which is cumbersome.
Environment
- Chart version: 0.12.0
- Kubernetes: 1.28+
- Deployment method: ArgoCD
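Added example, not part of the original issue or the chart's code: a simplified model of the runAsNonRoot verification described under Root Cause, usable as a pre-deploy check on rendered pod specs. The function names, the image reference and the image USER values are assumptions constructed for illustration.

```python
# Simplified model of the runAsNonRoot check described in this issue.
# Pod specs and image USER values below are constructed, not taken from the chart.

def effective_security_context(pod_spec, container):
    """Container-level fields override pod-level ones."""
    merged = dict(pod_spec.get("securityContext") or {})
    merged.update(container.get("securityContext") or {})
    return merged


def check_run_as_non_root(pod_spec, container, image_user):
    """Return (ok, reason). image_user is the USER string from the image config."""
    sc = effective_security_context(pod_spec, container)
    if not sc.get("runAsNonRoot"):
        return True, "runAsNonRoot not requested"
    uid = sc.get("runAsUser")
    if uid is not None:
        if uid == 0:
            return False, "runAsUser is 0 while runAsNonRoot is true"
        return True, f"runAsUser {uid} is numeric and non-zero"
    user = (image_user or "").split(":", 1)[0]  # drop optional ":group"
    if user == "":
        # Assumption in this model: an image without USER runs as root.
        return False, "image sets no USER, so it runs as root"
    if not user.isdecimal():
        return False, (f"container has runAsNonRoot and image has non-numeric "
                       f"user ({user}), cannot verify user is non-root")
    if int(user) == 0:
        return False, "image USER is 0 (root)"
    return True, f"image USER {user} is numeric and non-zero"


def audit(pod_spec, image_users):
    """Check every container; image_users maps image reference -> USER string."""
    return {c["name"]: check_run_as_non_root(pod_spec, c, image_users.get(c["image"]))
            for c in pod_spec.get("containers", [])}


# Constructed pod specs: chart as-is vs. with the proposed runAsUser value.
IMAGES = {"example.invalid/manager:tag": "nonroot"}
CONTAINERS = [{"name": "manager", "image": "example.invalid/manager:tag"}]
BEFORE = {"securityContext": {"runAsNonRoot": True}, "containers": CONTAINERS}
AFTER = {"securityContext": {"runAsNonRoot": True, "runAsUser": 65532},
         "containers": CONTAINERS}

if __name__ == "__main__":
    for label, spec in (("before", BEFORE), ("after", AFTER)):
        for name, (ok, reason) in audit(spec, IMAGES).items():
            print(f"{label}: {name}: {'PASS' if ok else 'FAIL'} - {reason}")
```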