fix: make securityContext and SCC optional for OpenShift compatibility

OpenShift assigns random UIDs to pods for security. The current chart forces runAsUser: 1000 and creates a custom SCC, which causes permission denied errors. This patch introduces an 'openshift' flag (auto-detectable) that omits specific IDs allowing the cluster to assign them automatically. Fixes #21652 Signed-off-by: Paulo Henrique <paulo.hco47@gmail.com>
2026-06-09 08:58:01 -04:00 · 2025-12-27 19:59:57 -03:00 · 2025-12-27 19:59:57 -03:00 · 5a7de33334
commit 5a7de33334
parent 27742d4694
3 changed files with 16 additions and 4 deletions
--- a/helm/minio/templates/securitycontextconstraints.yaml
+++ b/helm/minio/templates/securitycontextconstraints.yaml
@ -1,4 +1,4 @@
-{{- if and .Values.securityContext.enabled .Values.persistence.enabled (.Capabilities.APIVersions.Has "security.openshift.io/v1") }}
+{{- if and .Values.securityContext.enabled .Values.persistence.enabled (.Capabilities.APIVersions.Has "security.openshift.io/v1") (not .Values.openshift) }}
 apiVersion: security.openshift.io/v1
 kind: SecurityContextConstraints
 metadata:
--- a/helm/minio/templates/statefulset.yaml
+++ b/helm/minio/templates/statefulset.yaml
@ -11,6 +11,7 @@
 {{ $accessMode := .Values.persistence.accessMode }}
 {{ $storageClass := .Values.persistence.storageClass }}
 {{ $psize := .Values.persistence.size }}
+{{ $isOpenshift := or .Values.openshift (and (.Capabilities.APIVersions.Has "security.openshift.io/v1") (ne .Values.openshift false)) }}
 apiVersion: v1
 kind: Service
 metadata:
@ -83,9 +84,15 @@ spec:
      {{- end }}
      {{- if and .Values.securityContext.enabled .Values.persistence.enabled }}
      securityContext:
-        {{- omit .Values.securityContext "enabled" | toYaml | nindent 8 }}
-      {{- end }}
-      {{- if .Values.serviceAccount.create }}
+        fsGroupChangePolicy: {{ .Values.securityContext.fsGroupChangePolicy }}
+        {{- if .Values.securityContext.runAsNonRoot }}
+        runAsNonRoot: {{ .Values.securityContext.runAsNonRoot }}
+        {{- end }}
+        {{- if not $isOpenshift }}
+        runAsUser: {{ .Values.securityContext.runAsUser }}
+        runAsGroup: {{ .Values.securityContext.runAsGroup }}
+        fsGroup: {{ .Values.securityContext.fsGroup }}
+        {{- end }}
      serviceAccountName: {{ .Values.serviceAccount.name }}
      {{- end }}
      containers:
--- a/helm/minio/values.yaml
+++ b/helm/minio/values.yaml
@ -271,6 +271,11 @@ tolerations: []
 affinity: {}
 topologySpreadConstraints: []

+## OpenShift configuration
+## If set to "true", disables the creation of SecurityContextConstraints and omits specific
+## user/group IDs from the SecurityContext, allowing OpenShift to automatically assign them.
+openshift: false
+
 ## Add stateful containers to have security context, if enabled MinIO will run as this
 ## user and group NOTE: securityContext is only enabled if persistence.enabled=true
 securityContext: