From 41ba586f424d80151c25632e1b361e8c4a7156d1 Mon Sep 17 00:00:00 2001 From: Prashanth K Nalubandhu Date: Mon, 6 Jul 2026 16:51:20 -0400 Subject: [PATCH 1/2] Fix OpenShift securityContext example in self-managed docs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The example puts the settings under `pod.securityContext`, but the chart reads `podSecurityContext` for the app/api pods, so runAsUser/fsGroup get ignored and the pods stay at UID 999 — which restricted-v2 rejects. Switched to `podSecurityContext`, set fsGroup too (not just the UID), and added how to find your project's UID range. Tested on OCP 4.21. --- platform/hosting/self-managed/operator.mdx | 33 +++++++++++++++------- 1 file changed, 23 insertions(+), 10 deletions(-) diff --git a/platform/hosting/self-managed/operator.mdx b/platform/hosting/self-managed/operator.mdx index a40d197787..14cad7c7ce 100644 --- a/platform/hosting/self-managed/operator.mdx +++ b/platform/hosting/self-managed/operator.mdx @@ -63,12 +63,19 @@ W&B recommends you install with the official W&B Helm chart. #### Run the container as an un-privileged user -OpenShift and similar orchestrators often reject containers that run as root, so W&B containers must be configured to run as a non-root user that still belongs to the root group. By default, containers use a `$UID` of 999. Specify `$UID` >= 100000 and a `$GID` of 0 if your orchestrator requires the container run with a non-root user. +OpenShift and similar orchestrators often reject containers that run as root, so W&B containers must be configured to run as a non-root user that still belongs to the root group. By default, containers use a `$UID` of 999. Specify a `runAsUser` and `fsGroup` **within your project's assigned UID range** and a `$GID` of 0 if your orchestrator requires the container run with a non-root user. W&B must start as the root group (`$GID=0`) for file system permissions to function properly. +Find your OpenShift project's assigned UID range and use the start of that range for both `runAsUser` and `fsGroup`: + +```bash +oc get namespace -o jsonpath='{.metadata.annotations.openshift\.io/sa\.scc\.uid-range}' +# e.g. 1000810000/10000 → use 1000810000 +``` + Configure security contexts for each W&B component. For example, to configure the API component: ```yaml @@ -77,15 +84,17 @@ api: image: repository: wandb/megabinary tag: 0.74.1 # Replace with your actual version - pod: - securityContext: - fsGroup: 10001 - fsGroupChangePolicy: Always - runAsGroup: 0 - runAsNonRoot: true - runAsUser: 10001 - seccompProfile: - type: RuntimeDefault + # Use the top-level `podSecurityContext` key. The nested `pod.securityContext` + # is NOT applied to runAsUser/fsGroup for these components, so pods would stay + # at the default UID 999 and be rejected by the `restricted-v2` SCC. + podSecurityContext: + fsGroup: 1000810000 # must be within your project's UID range + fsGroupChangePolicy: Always + runAsGroup: 0 + runAsNonRoot: true + runAsUser: 1000810000 # must be within your project's UID range + seccompProfile: + type: RuntimeDefault container: securityContext: allowPrivilegeEscalation: false @@ -96,6 +105,10 @@ api: readOnlyRootFilesystem: false ``` + +Both `runAsUser` **and** `fsGroup` must be set within the project's UID range. Setting only `runAsUser` leaves `fsGroup: 0`, which the `restricted-v2` SCC rejects with `fsGroup: Invalid value: [0]: 0 is not an allowed group`. + + If needed, configure a custom security context for other components like `app` or `console`. For details, see [Custom security context](#custom-security-context). ## Deploy W&B Server application From a7150a745b0bd34e013319a551ee09c9cfb3b827 Mon Sep 17 00:00:00 2001 From: Prashanth K Nalubandhu Date: Tue, 7 Jul 2026 11:08:19 -0400 Subject: [PATCH 2/2] Match the exact OpenShift fsGroup error string Review feedback: OpenShift emits Invalid value: []int64{0}, not [0], so quote the real string that readers can grep. --- platform/hosting/self-managed/operator.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform/hosting/self-managed/operator.mdx b/platform/hosting/self-managed/operator.mdx index 14cad7c7ce..39480cdba0 100644 --- a/platform/hosting/self-managed/operator.mdx +++ b/platform/hosting/self-managed/operator.mdx @@ -106,7 +106,7 @@ api: ``` -Both `runAsUser` **and** `fsGroup` must be set within the project's UID range. Setting only `runAsUser` leaves `fsGroup: 0`, which the `restricted-v2` SCC rejects with `fsGroup: Invalid value: [0]: 0 is not an allowed group`. +Both `runAsUser` **and** `fsGroup` must be set within the project's UID range. Setting only `runAsUser` leaves `fsGroup: 0`, which the `restricted-v2` SCC rejects with `fsGroup: Invalid value: []int64{0}: 0 is not an allowed group`. If needed, configure a custom security context for other components like `app` or `console`. For details, see [Custom security context](#custom-security-context).