gopinath

Reputation: 41

Helm is failing in OpenShift due to a security context error

We are deploying a Helm chart in an OpenShift cluster and we are getting the error below. Can someone suggest a fix for this issue?

is forbidden: unable to validate against any security context constraint: [provider restricted: .spec.securityContext.fsGroup: Invalid value: []int64{999}: 999 is not an allowed group spec.containers[0].securityContext.runAsUser: Invalid value: 999: must be in the ranges: [1000640000, 1000649999]]",

Deployment file:

    spec:
      serviceAccountName: {{ template "mongodb.fullname" . }}
      securityContext:
        runAsNonRoot: true
        runAsUser: {{ .Values.mongo.securityContext.uid | default 999 }}
        runAsGroup: {{ .Values.mongo.securityContext.gid | default 999 }}
        fsGroup: {{ .Values.mongo.securityContext.fsGroup | default 999 }}

Values:

    securityContext:
      gid: 999
      uid: 999
      fsGroup: 999

Upvotes: 1

Views: 11475

Answers (1)

titou10

Reputation: 2977

It is not Helm that is failing; it is the application you are deploying via Helm that tries to create manifests that are not allowed in OCP. Please change the title of this post.

In your case, you are trying to deploy something that forces the runAsUser and fsGroup uid/gid.
By default, this is not allowed in OCP for security reasons.

There are many ways to fix this, depending on how comfortable you are with less security. Check your chart config parameters to not force those values if possible, or, for example, tell OCP that the app you are deploying is allowed to force those values by, for example, linking a more relaxed security constraint to the service account that runs the app.

Doc here https://docs.openshift.com/container-platform/4.8/authentication/managing-security-context-constraints.html

Upvotes: 3
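
Added example (not part of the question or the answer, and not OpenShift's own code): an offline pre-check of a rendered pod securityContext against the UID/GID block of the target project, reproducing the two rejections in the error above. The annotation values are constructed to match the range in the error message, and the rule that fsGroup must equal the first ID of the group block is an assumption about how the restricted SCC behaves.

```python
# Simplified model of the "restricted" SCC check; annotation values are constructed.

def parse_block(annotation):
    """Parse the first '<start>/<size>' or '<start>-<end>' block into (min, max)."""
    first = annotation.split(",")[0].strip()
    if "/" in first:
        start, size = (int(x) for x in first.split("/"))
        return start, start + size - 1
    start, end = (int(x) for x in first.split("-"))
    return start, end

def check_security_context(ctx, ns_annotations):
    """Return a list of violations; an empty list means the pod would pass."""
    uid_min, uid_max = parse_block(ns_annotations["openshift.io/sa.scc.uid-range"])
    grp_min, _ = parse_block(ns_annotations["openshift.io/sa.scc.supplemental-groups"])
    problems = []
    uid = ctx.get("runAsUser")
    # An unset runAsUser is fine: the platform assigns one from the project range.
    if uid is not None and not uid_min <= uid <= uid_max:
        problems.append(f"runAsUser {uid} must be in [{uid_min}, {uid_max}]")
    fs_group = ctx.get("fsGroup")
    # Assumption: only the first ID of the group block is accepted as fsGroup.
    if fs_group is not None and fs_group != grp_min:
        problems.append(f"fsGroup {fs_group} is not an allowed group (expected {grp_min})")
    return problems

# Constructed project annotations matching the range shown in the error.
NAMESPACE_ANNOTATIONS = {
    "openshift.io/sa.scc.uid-range": "1000640000/10000",
    "openshift.io/sa.scc.supplemental-groups": "1000640000/10000",
}
# What the chart renders with its defaults (from the question).
CHART_DEFAULTS = {"runAsNonRoot": True, "runAsUser": 999, "runAsGroup": 999, "fsGroup": 999}
# The same pod with the forced IDs left out of the rendered manifest.
IDS_NOT_FORCED = {"runAsNonRoot": True}

if __name__ == "__main__":
    for name, ctx in (("chart defaults", CHART_DEFAULTS), ("ids not forced", IDS_NOT_FORCED)):
        result = check_security_context(ctx, NAMESPACE_ANNOTATIONS)
        print(f"{name}: {result or 'passes'}")
```
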
