Backport of do not set securityContext on Openshift < 4.11 (#2678) by pglass · Pull Request #2705 · hashicorp/consul-k8s

pglass · 2023-08-01T13:34:34Z

Backport of #2678 to release/1.0.x

Changes proposed in this PR:

This is going into release/1.1.x, and will be backported into release/1.0.x because both of those Consul K8s versions support K8s < 1.23.x and therefore support OpenShift <= 4.10
Do not set securityContext on OpenShift < 4.11 because the restricted SCC disallows setting some of those settings. I broke this in Support running with restricted PSA enforcement enabled (part 1) #2572. In OpenShift >= 4.11, setting the securityContext is okay because the new restricted-v2 SCC is available to all users/accounts and allows setting the fields we want to set, and doing so avoids warnings.
We determine the OpenShift version in Helm using the Kube version because there is a 1:1 mapping of OpenShift to Kube versions.

How I've tested this PR:

Ran the connect tests with openshift enabled against 4.10 and 4.11 OpenShift clusters, using instructions similar to those in the description of Support running with restricted PSA enforcement enabled (part 1) #2572

How I expect reviewers to test this PR:

👀

curtbushko

LGTM!

Do not set securityContext on Openshift < 4.11 (#2678)

3606562

pglass added the pr/no-backport signals that a PR will not contain a backport label label Aug 1, 2023

pglass requested a review from curtbushko August 1, 2023 17:12

curtbushko approved these changes Aug 2, 2023

View reviewed changes

pglass merged commit 4a9c2ef into release/1.0.x Aug 2, 2023

pglass deleted the backport/NET-185/fix-psa-openshift-10x branch August 2, 2023 19:41

skpratt added the theme/openshift label Aug 8, 2023

Provide feedback