From 66fea963e1d28515765415810b83d576b4336db7 Mon Sep 17 00:00:00 2001 From: Prashanth K Nalubandhu Date: Tue, 7 Jul 2026 14:31:24 -0400 Subject: [PATCH 1/2] Document securityContext for OpenShift upgrade hook jobs The pre/post-upgrade hook jobs (e.g. app-rename, which runs on Weave enable) default to UID 999 and get rejected by restricted-v2, failing the upgrade and leaving the CR stuck in Loading. Document setting their podSecurityContext to the project UID range, same as the main components. --- platform/hosting/self-managed/operator.mdx | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/platform/hosting/self-managed/operator.mdx b/platform/hosting/self-managed/operator.mdx index a40d197787..3d24bba9d9 100644 --- a/platform/hosting/self-managed/operator.mdx +++ b/platform/hosting/self-managed/operator.mdx @@ -98,6 +98,23 @@ api: If needed, configure a custom security context for other components like `app` or `console`. For details, see [Custom security context](#custom-security-context). +#### Upgrade hook jobs + +The operator runs `pre-upgrade` and `post-upgrade` hook Jobs during upgrades (for example, the app-rename hook that also runs when you enable Weave). These hook pods default to UID 999 like the main components, so on OpenShift `restricted-v2` rejects them — which makes the Helm upgrade fail and can leave the custom resource stuck in `Loading`. Give the hook jobs the same UID-range security context: + +```yaml +appRenamePreHook: + podSecurityContext: + runAsUser: 1000810000 # a value within your project's UID range + runAsGroup: 0 + fsGroup: 1000810000 +appRenamePostHook: + podSecurityContext: + runAsUser: 1000810000 + runAsGroup: 0 + fsGroup: 1000810000 +``` + ## Deploy W&B Server application From f8731ec785ff242aa70d496677f13feabd7e218d Mon Sep 17 00:00:00 2001 From: John Mulhausen Date: Thu, 9 Jul 2026 12:57:15 -0400 Subject: [PATCH 2/2] Polish added content per Google Developer Style Guide --- platform/hosting/self-managed/operator.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform/hosting/self-managed/operator.mdx b/platform/hosting/self-managed/operator.mdx index 3d24bba9d9..67e3643981 100644 --- a/platform/hosting/self-managed/operator.mdx +++ b/platform/hosting/self-managed/operator.mdx @@ -100,7 +100,7 @@ If needed, configure a custom security context for other components like `app` o #### Upgrade hook jobs -The operator runs `pre-upgrade` and `post-upgrade` hook Jobs during upgrades (for example, the app-rename hook that also runs when you enable Weave). These hook pods default to UID 999 like the main components, so on OpenShift `restricted-v2` rejects them — which makes the Helm upgrade fail and can leave the custom resource stuck in `Loading`. Give the hook jobs the same UID-range security context: +The operator runs `pre-upgrade` and `post-upgrade` hook jobs during upgrades (for example, the app-rename hook that also runs when you enable Weave). These hook pods default to UID 999 like the main components, so on OpenShift, `restricted-v2` rejects them. This rejection makes the Helm upgrade fail and can leave the custom resource stuck in `Loading`. Give the hook jobs the same UID-range security context: ```yaml appRenamePreHook: