Skip to content

feat(plugin-barman-cloud): add possiblity to turn off securityContext on pod- and container level #740

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat(plugin-barman-cloud): add possiblity to turn off securityContext on pod- and container level #740

wants to merge 1 commit into from
+26 −4

Conversation

@Pidu2
Copy link

@Pidu2 Pidu2 commented Nov 27, 2025

This PR addresses the requirements of #673.

In an OpenShift environment, you usually do not want to set runAsUser or runAsGroup to something specific, instead it is chosen automatically by the cluster to a random value. Also, any other SecurityContext Values of the Pods will automatically be set to secure defaults (allowPrivilegeEscalation: false etc.).

It is therefore usually best to just not set it at all.

With this change, containerSecurityContext.enabled and podSecurityContext.enabled can be set to false to stop rendering out these fields completely.

In #673 it was proposed to just remove the required setting for runAsUser or runAsGroup. If this is considered preferred to my solution, I can adjust the PR accordingly.

@dosubot dosubot bot added the size:M This PR changes 30-99 lines, ignoring generated files. label Nov 27, 2025
@Reamer
Copy link

Reamer commented Dec 1, 2025

I don't think this is a good solution for #673.
We should change the schema so that null values are allowed for runAs* and not remove the entire security settings.

Most settings are the default under Openshift. However, readOnlyRootFilesystem: true is not, which is omitted with this change.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fcanovai fcanovai Awaiting requested review from fcanovai fcanovai is a code owner

@gbartolini gbartolini Awaiting requested review from gbartolini gbartolini is a code owner

@leonardoce leonardoce Awaiting requested review from leonardoce leonardoce is a code owner

@mnencia mnencia Awaiting requested review from mnencia mnencia is a code owner

@phisco phisco Awaiting requested review from phisco phisco is a code owner

@sxd sxd Awaiting requested review from sxd sxd is a code owner

@itay-grudev itay-grudev Awaiting requested review from itay-grudev itay-grudev is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

size:M This PR changes 30-99 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Pidu2 @Reamer