Adding extra securityContext by providing values to the Baserow helm chart does not work

Please fill in the questionnaire below.

Technical Help Questionnaire

Have you read and followed the instructions at: *READ ME FIRST* Technical Help FAQs - #2 by nigel ?

Answer: Yea

Self-Hosted Installation and Setup Questions

How have you self-hosted Baserow.

Trying to use the helm chart.

What are the specs of the service or server you are using to host Baserow.

Kubernetes cluster with these resource specs:
```
limits.cpu       0  4
limits.memory    0  16Gi
requests.cpu     0  2
requests.memory  0  8Gi
```

Which version of Baserow are you using.

0.29, helm chart 1.0.8

How have you configured your self-hosted installation?

Default settings for the helm chart, with the following defined values:

```yaml
caddy:
  enabled: false

securityContext:
  enabled: true

containerSecurityContext:
  enabled: true
```

What commands if any did you use to start your Baserow server?

na

Describe the problem

It seems that the configurations are not picked up in the templates for the Deployments.
The Deployments do not get the securityContext for the pod and the image.

Trying to disable caddy works without problems.

Good afternoon,

You will need to configure a few more settings to get it to work.

The configuration options and the defaults for securityContext can be found at deploy/helm/baserow/charts/baserow-common/values.yaml · develop · Baserow / baserow · GitLab

The configuration options and the defaults for containerSecurityContext can be found at deploy/helm/baserow/charts/baserow-common/values.yaml · develop · Baserow / baserow · GitLab

This can be individually configured for each Baserow component.

Please let me know if this helps you move forward.

Ah, your remark that this can be configured per individual component led me on the right track. So, in the values.yaml, the security settings need to be in a separate YAML section, e.g.:

```yaml
baserow-backend-wsgi:
  securityContext:
    enabled: false
    fsGroup: 3333

  containerSecurityContext:
    enabled: true
    runAsUser: 3333
    runAsGroup: 3333
```

Now that I added this, the security settings are rendered as expected.

Tx!

Hm. The migration Job is now failing because of missing securityContext. I am afraid that for a fresh installation, the migration Job is needed. Maybe I can run it manually afterwards?

Error that I am getting now is:

```
Error creating: pods "baserow-migrate-kd6c5" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "migrate" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "migrate" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "migrate" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "migrate" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
```
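The four requirements named in the admission error above can be checked on a rendered manifest before it reaches the cluster. This is an added example, not part of the original thread or of the Baserow chart; both sample Job manifests and the image name are constructed, and only the four fields from the error message are checked, not the full "restricted" profile.

```python
import json

# Constructed sample: a Job shaped like the rejected "migrate" pod (no securityContext).
SAMPLE_JOB = json.loads("""
{"kind": "Job", "metadata": {"name": "baserow-migrate"},
 "spec": {"template": {"spec": {
   "containers": [{"name": "migrate", "image": "example/image:tag"}]}}}}
""")

# Constructed sample: the same Job with the four fields the error message asks for.
HARDENED_JOB = json.loads("""
{"kind": "Job", "metadata": {"name": "baserow-migrate"},
 "spec": {"template": {"spec": {
   "securityContext": {"runAsNonRoot": true, "seccompProfile": {"type": "RuntimeDefault"}},
   "containers": [{"name": "migrate", "image": "example/image:tag",
     "securityContext": {"allowPrivilegeEscalation": false,
                         "capabilities": {"drop": ["ALL"]}}}]}}}}
""")


def pod_spec(manifest):
    """Return the pod spec of a Pod, or of a workload with spec.template (Job, Deployment)."""
    spec = manifest.get("spec") or {}
    if manifest.get("kind") == "Pod":
        return spec
    return (spec.get("template") or {}).get("spec") or {}


def restricted_violations(manifest):
    """List (container, field) pairs failing the four checks named in the error message."""
    spec = pod_spec(manifest)
    pod_sc = spec.get("securityContext") or {}
    found = []
    for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        sc = c.get("securityContext") or {}
        # These two fields exist only at container level.
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append((c["name"], "allowPrivilegeEscalation"))
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            found.append((c["name"], "capabilities.drop"))
        # For these two, a container-level value overrides the pod-level one.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append((c["name"], "runAsNonRoot"))
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            found.append((c["name"], "seccompProfile.type"))
    return found


if __name__ == "__main__":
    for label, job in (("as rejected", SAMPLE_JOB), ("hardened", HARDENED_JOB)):
        print(label, restricted_violations(job))
```

The same function works on any Job or Deployment rendered from the chart once the YAML has been converted to JSON, which shows which components still lack per-component security settings.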