OctopusDeploy · oleksandr-codefresh · May 5, 2026 · May 5, 2026 · ATGardner · May 5, 2026
@@ -147,13 +147,7 @@ A minimal set of writable paths for a read-only root filesystem is:
 ```yaml
 octopus:
   containerSecurityContext:
-    runAsNonRoot: true
-    runAsGroup: 999
-    runAsUser: 999
     readOnlyRootFilesystem: true
-  podSecurityContext:
-    fsGroup: 999
-    fsGroupChangePolicy: OnRootMismatch
 
   serverConfigurationDirectory: /home/octopus/.local
 
@@ -187,6 +181,35 @@ A complete working example including environment variable overrides for .NET too
 
 Note: `enableDockerInDocker` must be set to `false` when using a read-only root filesystem, as Docker-in-Docker requires a privileged, writable container.
 
+### Openshift
+If you are using build in mssql chart on Openshift with values:
-If you are using build in mssql chart on Openshift with values:
+If you are using built-in mssql chart on Openshift with values:
-If you are using build in mssql chart on Openshift with values:
+If you are using built-in mssql chart on Openshift with values:
+```
+mssql:
+  enabled: true
+```
+
+Our mssql has such default security contexts for mssql.
-Our mssql has such default security contexts for mssql.
+Our mssql has these default security context values:
-Our mssql has such default security contexts for mssql.
+Our mssql has these default security context values:
+
+```
+podSecurityContext:
+  fsGroup: 10001
+  seccompProfile:
+    type: RuntimeDefault
+containerSecurityContext: 
+  runAsUser: 10001
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - ALL
+    add: 
+      - NET_BIND_SERVICE
+```
+
+As we're usign hardcoded UID and fsGroup in our `securityContext` you need to assign `nonroot-v2` SCC to allow the SQL Server SA to run:
+
+```oc adm policy add-scc-to-user nonroot-v2 -z octopus-deploy-mssql -n octopus-deploy```
+
+
 ### Ingress
 You'll likely want to allow external traffic to your Octopus instance, and this generally means configuring [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/). 
 

@@ -50,3 +50,11 @@ this template will return sa_password - either from values or autogenerated
 {{- include "random_secret" (list . "sapassword") -}}
 {{- end -}}
 {{- end -}}
+
+{{- define "mssql.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+{{- default (printf "%s-mssql" (include "octopus.fullname" .)) .Values.serviceAccount.name -}}
+{{- else -}}
+default "default-mssql" .Values.serviceAccount.name
+{{- end -}}
+{{- end -}}
@@ -0,0 +1,16 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    {{- include "labels" . | nindent 4 }}
+    {{- if .Values.serviceAccount.labels }}
+    {{- toYaml .Values.serviceAccount.labels | nindent 4 }}
+    {{- end }}
+  name: {{ template "mssql.serviceAccountName" . }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
+{{- end -}}
@@ -19,6 +19,7 @@ spec:
       labels:
         {{- include "mssql.selectorLabels" . | nindent 8 }}
     spec:
+      serviceAccountName: {{ template "mssql.serviceAccountName" . }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       {{- with .Values.nodeSelector }}
@@ -41,6 +42,10 @@ spec:
             - cp /var/opt/config/mssql.conf /var/opt/mssql/mssql.conf && /opt/mssql/bin/sqlservr
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- with .Values.containerSecurityContext }}
+          securityContext:
+          {{- toYaml . | nindent 12 }}
+          {{- end }}
           ports:
             - containerPort: {{ .Values.containers.ports.containerPort}}
           env:

@@ -13,7 +13,24 @@ containers:
 podAnnotations: {}
 
 podSecurityContext:
+  runAsNonRoot: true
   fsGroup: 10001
+  seccompProfile:
+    type: RuntimeDefault
+containerSecurityContext: 
+  runAsUser: 10001
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - ALL
+    add: 
+      - NET_BIND_SERVICE
 
 service:
-  port: 1433
+  port: 1433
+
+serviceAccount:
+  create: true
+  automountServiceAccountToken: false
+  annotations: {}
+  labels: {}
@@ -54,16 +54,6 @@ octopus:
       mountPath: /Octopus/.diagnostics
       sizeLimit: "100Mi"
 
-  podSecurityContext:
-    fsGroup: 999
-    fsGroupChangePolicy: OnRootMismatch
-
-  containerSecurityContext:
-    runAsNonRoot: true
-    runAsGroup: 999
-    runAsUser: 999
-    readOnlyRootFilesystem: true
-
   serverConfigurationDirectory: /home/octopus/.local
 
 mssql:

@@ -178,11 +178,18 @@ octopus:
             - watch
             - list
   # Pod security context settings
-  podSecurityContext: {}
+  podSecurityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
   # Container security context settings
   # IMPORTANT: When enableDockerInDocker is true (default), the container must run as privileged.
   # If setting security contexts that conflict with privileged mode, set enableDockerInDocker to false.
-  containerSecurityContext: {}
+  containerSecurityContext: 
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - ALL
   # Custom directory for Octopus server configuration when using non-root security contexts
   serverConfigurationDirectory: