From 279d64138d5cfb471a9b031ab9e467ca6108335c Mon Sep 17 00:00:00 2001
From: oleksandr-codefresh
Date: Tue, 5 May 2026 09:32:44 +0300
Subject: [PATCH 1/2] server: added default securityContext to comply openshift restricted-v2 SCC
---
 charts/octopus-deploy/README.md | 35 +++++++++++++++----
 .../charts/mssql/templates/_helpers.tpl | 8 +++++
 .../mssql/templates/serviceaccount.yaml | 16 +++++++++
 .../charts/mssql/templates/statefulset.yaml | 5 +++
 .../octopus-deploy/charts/mssql/values.yaml | 18 +++++++++-
 .../octopus-deploy/values-rorfsexample.yaml | 10 ------
 charts/octopus-deploy/values.yaml | 11 ++++--
 7 files changed, 84 insertions(+), 19 deletions(-)
 create mode 100644 charts/octopus-deploy/charts/mssql/templates/serviceaccount.yaml
diff --git a/charts/octopus-deploy/README.md b/charts/octopus-deploy/README.md
index be9c1b04..5d343135 100644
--- a/charts/octopus-deploy/README.md
+++ b/charts/octopus-deploy/README.md
@@ -147,13 +147,7 @@ A minimal set of writable paths for a read-only root filesystem is:
 ```yaml
 octopus:
 containerSecurityContext:
- runAsNonRoot: true
- runAsGroup: 999
- runAsUser: 999
 readOnlyRootFilesystem: true
- podSecurityContext:
- fsGroup: 999
- fsGroupChangePolicy: OnRootMismatch
 serverConfigurationDirectory: /home/octopus/.local
@@ -187,6 +181,35 @@ A complete working example including environment variable overrides for .NET too
 Note: `enableDockerInDocker` must be set to `false` when using a read-only root filesystem, as Docker-in-Docker requires a privileged, writable container.
+### Openshift
+If you are using build in mssql chart on Openshift with values:
+```
+mssql:
+ enabled: true
+```
+
+Our mssql has such default security contexts for mssql.
+
+```
+podSecurityContext:
+ fsGroup: 10001
+ seccompProfile:
+ type: RuntimeDefault
+containerSecurityContext:
+ runAsUser: 10001
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - NET_BIND_SERVICE
+```
+
+As we're usign hardcoded UID and fsGroup in our `securityContext` you need to assign `nonroot-v2` SCC to allow the SQL Server SA to run:
+
+```oc adm policy add-scc-to-user nonroot-v2 -z octopus-deploy-mssql -n octopus-deploy```
+
+
 ### Ingress
 You'll likely want to allow external traffic to your Octopus instance, and this generally means configuring [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/).
diff --git a/charts/octopus-deploy/charts/mssql/templates/_helpers.tpl b/charts/octopus-deploy/charts/mssql/templates/_helpers.tpl
index 6f3d3493..b438d772 100644
--- a/charts/octopus-deploy/charts/mssql/templates/_helpers.tpl
+++ b/charts/octopus-deploy/charts/mssql/templates/_helpers.tpl
@@ -50,3 +50,11 @@ this template will return sa_password - either from values or autogenerated
 {{- include "random_secret" (list . "sapassword") -}}
 {{- end -}}
 {{- end -}}
+
+{{- define "mssql.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+{{- default (printf "%s-mssql" (include "octopus.fullname" .)) .Values.serviceAccount.name -}}
+{{- else -}}
+default "default-mssql" .Values.serviceAccount.name
+{{- end -}}
+{{- end -}}
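Review bot: The `else` branch of `mssql.serviceAccountName` is missing its template delimiters, so when `serviceAccount.create` is false the helper emits the literal text `default "default-mssql" .Values.serviceAccount.name` into the StatefulSet's `serviceAccountName`, which is not a valid account name and will be rejected by the API server. It should read `{{- default "default-mssql" .Values.serviceAccount.name -}}`. The fallback itself is also suspect: nothing in this patch creates an account called `default-mssql`, and the conventional fallback when a chart does not create one is the namespace's `default` account, so presumably `{{- default "default" .Values.serviceAccount.name -}}` was intended. `serviceAccount.name` is read here but not declared in the mssql `values.yaml` added by this patch; add `name: ""` there so the override is discoverable.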
diff --git a/charts/octopus-deploy/charts/mssql/templates/serviceaccount.yaml b/charts/octopus-deploy/charts/mssql/templates/serviceaccount.yaml
new file mode 100644
index 00000000..93c4ae88
--- /dev/null
+++ b/charts/octopus-deploy/charts/mssql/templates/serviceaccount.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ {{- include "labels" . | nindent 4 }}
+ {{- if .Values.serviceAccount.labels }}
+ {{- toYaml .Values.serviceAccount.labels | nindent 4 }}
+ {{- end }}
+ name: {{ template "mssql.serviceAccountName" . }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/octopus-deploy/charts/mssql/templates/statefulset.yaml b/charts/octopus-deploy/charts/mssql/templates/statefulset.yaml
index ff3433cd..3bdbae30 100644
--- a/charts/octopus-deploy/charts/mssql/templates/statefulset.yaml
+++ b/charts/octopus-deploy/charts/mssql/templates/statefulset.yaml
@@ -19,6 +19,7 @@ spec:
 labels:
 {{- include "mssql.selectorLabels" . | nindent 8 }}
 spec:
+ serviceAccountName: {{ template "mssql.serviceAccountName" . }}
 securityContext:
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
 {{- with .Values.nodeSelector }}
@@ -41,6 +42,10 @@ spec:
 - cp /var/opt/config/mssql.conf /var/opt/mssql/mssql.conf && /opt/mssql/bin/sqlservr
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
+ {{- with .Values.containerSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 ports:
 - containerPort: {{ .Values.containers.ports.containerPort}}
 env:
diff --git a/charts/octopus-deploy/charts/mssql/values.yaml b/charts/octopus-deploy/charts/mssql/values.yaml
index 850c6557..df8a9ad8 100644
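Review bot: The service-account token opt-out lives only on the ServiceAccount object (`automountServiceAccountToken` in the new serviceaccount.yaml), so a pod that points at a pre-existing account via `serviceAccount.create: false` will still receive a projected API token that SQL Server never needs. Set it on the pod spec too, next to the new `serviceAccountName:` line: `automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}`. The pod-level field takes precedence over the ServiceAccount's setting, so this also keeps the token out of the container if the account is later edited out of band.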
--- a/charts/octopus-deploy/charts/mssql/values.yaml
+++ b/charts/octopus-deploy/charts/mssql/values.yaml
@@ -14,6 +14,22 @@ podAnnotations: {}
 podSecurityContext:
 fsGroup: 10001
+ seccompProfile:
+ type: RuntimeDefault
+containerSecurityContext:
+ runAsUser: 10001
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - NET_BIND_SERVICE
 service:
- port: 1433
\ No newline at end of file
+ port: 1433
+
+serviceAccount:
+ create: true
+ automountServiceAccountToken: false
+ annotations: {}
+ labels: {}
\ No newline at end of file
diff --git a/charts/octopus-deploy/values-rorfsexample.yaml b/charts/octopus-deploy/values-rorfsexample.yaml
index 75db98f2..28b02332 100644
--- a/charts/octopus-deploy/values-rorfsexample.yaml
+++ b/charts/octopus-deploy/values-rorfsexample.yaml
@@ -54,16 +54,6 @@ octopus:
 mountPath: /Octopus/.diagnostics
 sizeLimit: "100Mi"
- podSecurityContext:
- fsGroup: 999
- fsGroupChangePolicy: OnRootMismatch
-
- containerSecurityContext:
- runAsNonRoot: true
- runAsGroup: 999
- runAsUser: 999
- readOnlyRootFilesystem: true
-
 serverConfigurationDirectory: /home/octopus/.local
 mssql:
diff --git a/charts/octopus-deploy/values.yaml b/charts/octopus-deploy/values.yaml
index 6526bb93..02019a9a 100644
--- a/charts/octopus-deploy/values.yaml
+++ b/charts/octopus-deploy/values.yaml
@@ -178,11 +178,18 @@ octopus:
 - watch
 - list
 # Pod security context settings
- podSecurityContext: {}
+ podSecurityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 # Container security context settings
 # IMPORTANT: When enableDockerInDocker is true (default), the container must run as privileged.
 # If setting security contexts that conflict with privileged mode, set enableDockerInDocker to false.
- containerSecurityContext: {}
+ containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
 # Custom directory for Octopus server configuration when using non-root security contexts
 serverConfigurationDirectory:
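Review bot: `capabilities.add: [NET_BIND_SERVICE]` in the new mssql `containerSecurityContext` is only useful if SQL Server binds a port below 1024; the service port in this hunk is 1433 and the container port comes from `containers.ports.containerPort` (outside this hunk), so the capability is presumably unused and the `add:` list should be removed to leave the container at `drop: [ALL]`. The fixed `runAsUser: 10001` / `fsGroup: 10001` are also at odds with the commit subject: `restricted-v2` assigns UIDs and fsGroups from the namespace's allocated range and rejects hard-coded ones, which is why the README hunk ends up requiring `nonroot-v2` instead. If restricted-v2 is the real target, leave `runAsUser` and `fsGroup` unset by default (OpenShift fills them in) and document the 10001 values as an override for clusters without SCCs; otherwise the subject and README should both say nonroot-v2. Add `# NOTE: fixed UIDs require the nonroot-v2 SCC on OpenShift; unset them for restricted-v2` above `runAsUser` so the trade-off is visible where it is configured.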
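Review bot: The new defaults `podSecurityContext.runAsNonRoot: true` and `containerSecurityContext.allowPrivilegeEscalation: false` conflict with the default `enableDockerInDocker: true` that the comment two lines above says requires a privileged container: the API server rejects a container that sets `privileged: true` together with `allowPrivilegeEscalation: false`, and Docker-in-Docker needs root, so a fresh install with unchanged values will presumably fail admission or fail to start (the merge happens in the deployment template, outside this hunk). Either gate these defaults in the template on `enableDockerInDocker` being false, or flip `enableDockerInDocker` to `false` in the same change, and state it in the comment: `# NOTE: these defaults require enableDockerInDocker: false; privileged DinD cannot be combined with runAsNonRoot or allowPrivilegeEscalation: false`. Separately, `runAsNonRoot: true` without a `runAsUser` relies on the image declaring a numeric non-root `USER`; if the Octopus image defaults to root or a named user the kubelet refuses to start the container, so consider pairing it with the `runAsUser`/`runAsGroup: 999` that the removed example used, or documenting the image requirement.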
From 435d9c6a868ee678df2183a3d5424f70777e5f13 Mon Sep 17 00:00:00 2001
From: oleksandr-codefresh
Date: Tue, 5 May 2026 09:40:15 +0300
Subject: [PATCH 2/2] mssql: Ensure podSecurityContext enforces non-root user execution
---
 charts/octopus-deploy/charts/mssql/values.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/charts/octopus-deploy/charts/mssql/values.yaml b/charts/octopus-deploy/charts/mssql/values.yaml
index df8a9ad8..d80aa30a 100644
--- a/charts/octopus-deploy/charts/mssql/values.yaml
+++ b/charts/octopus-deploy/charts/mssql/values.yaml
@@ -13,6 +13,7 @@ containers:
 podAnnotations: {}
 podSecurityContext:
+ runAsNonRoot: true
 fsGroup: 10001
 seccompProfile:
 type: RuntimeDefault
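Review bot: The `runAsNonRoot: true` added here is not reflected in the README section introduced by the first patch, which reproduces the mssql defaults verbatim under "Our mssql has such default security contexts"; add `runAsNonRoot: true` under `podSecurityContext` in that snippet so the documentation matches `values.yaml`. The setting is consistent with the container-level `runAsUser: 10001`, and it means an operator overriding `runAsUser` to 0 is now refused at admission, which is worth a one-line comment above the key: `# refuse to start if an override sets a root UID`.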