From 5236696b8f6f48200a7cdecec9045a9e123a361a Mon Sep 17 00:00:00 2001
From: aleksrosz
Date: Wed, 29 Apr 2026 11:32:00 +0200
Subject: [PATCH 1/2] feat: add OpenShift SecurityContextConstraints configuration

---
 dist/chart/templates/scc/clickhouse-scc.yaml | 54 ++++++++++++++++++++
 dist/chart/values.yaml | 6 +++
 2 files changed, 60 insertions(+)
 create mode 100644 dist/chart/templates/scc/clickhouse-scc.yaml

diff --git a/dist/chart/templates/scc/clickhouse-scc.yaml b/dist/chart/templates/scc/clickhouse-scc.yaml
new file mode 100644
index 00000000..fe5d44d6
--- /dev/null
+++ b/dist/chart/templates/scc/clickhouse-scc.yaml
@@ -0,0 +1,54 @@
+{{- if .Values.openshift.scc.enabled }}
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  annotations:
+    kubernetes.io/description: SCC denies access to all host features and
+      requires pods to be run with a UID, and SELinux context. Allows capabilities needed by ClickHouse Keeper
+  name: clickhouse-keeper-scc
+priority: null
+readOnlyRootFilesystem: false
+defaultAddCapabilities: null
+fsGroup:
+  ranges:
+  - max: 65534
+    min: 100
+  type: MustRunAs
+groups: []
+requiredDropCapabilities:
+- ALL
+runAsUser:
+  type: MustRunAsRange
+  uidRangeMin: 100
+  uidRangeMax: 65534
+seLinuxContext:
+  type: MustRunAs
+seccompProfiles:
+- runtime/default
+supplementalGroups:
+  ranges:
+  - max: 65534
+    min: 100
+  type: MustRunAs
+volumes:
+- configMap
+- csi
+- downwardAPI
+- emptyDir
+- ephemeral
+- persistentVolumeClaim
+- projected
+- secret
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: false
+allowPrivilegedContainer: false
+allowedCapabilities:
+- NET_BIND_SERVICE
+- IPC_LOCK
+- PERFMON
+- SYS_PTRACE
+{{- end }}
diff --git a/dist/chart/values.yaml b/dist/chart/values.yaml
index 5709e3df..de7fa6dd 100644
--- a/dist/chart/values.yaml
+++ b/dist/chart/values.yaml
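Review bot: The new SCC is not granted to anything as written — `groups: []`, no `users:` entry, and the diff adds no Role/RoleBinding with the `use` verb on the SCC — so unless the chart already grants it elsewhere (not visible here), enabling `openshift.scc.enabled` creates a cluster-scoped object that no pod can be admitted under. Two hardening choices in the same hunk also deserve a second look: `runAsUser`, `fsGroup` and `supplementalGroups` pin a global 100–65534 range instead of inheriting the project's `openshift.io/sa.scc.uid-range` / `sa.scc.supplemental-groups` allocation, which discards OpenShift's per-project UID separation for every namespace that can use this SCC (if the image needs one fixed UID, pin that single UID with `type: MustRunAs` rather than opening the whole range); and `SYS_PTRACE` in `allowedCapabilities` lets a container attach to and read the memory of any process it can see, including sidecars when `shareProcessNamespace` is set — the pod template is not in this diff, so confirm ClickHouse actually requests it and drop it if not. `name: clickhouse-keeper-scc` is a fixed name on a cluster-scoped resource, so a second release on the same cluster either fails to install or fights over the first release's object; templating it with the release name avoids that (patch 2 renames it but keeps it static). The sketch below shows the SCC with those changes; the RBAC grant of `use` would be a separate template.
```yaml
{{- if .Values.openshift.scc.enabled }}
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  # … unchanged: annotations …
  # Cluster-scoped: include the release name so two releases do not collide.
  name: {{ .Release.Name }}-clickhouse-scc
# … unchanged: priority, readOnlyRootFilesystem, defaultAddCapabilities …
fsGroup:
  # No explicit range: admission falls back to the project's supplemental-groups annotation.
  type: MustRunAs
# … unchanged: groups, requiredDropCapabilities …
runAsUser:
  # No explicit range: admission falls back to the project's uid-range annotation.
  type: MustRunAsRange
# … unchanged: seLinuxContext, seccompProfiles …
supplementalGroups:
  type: MustRunAs
# … unchanged: volumes, allowHost*, allowPrivilege* …
allowedCapabilities:
- NET_BIND_SERVICE
- IPC_LOCK
- PERFMON
{{- end }}
```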
@@ -164,6 +164,12 @@ prometheus:
   # Requires prometheus-operator to be installed in the cluster.
   service_monitor: false
 
+## OpenShift specific configurations
+##
+openshift:
+  scc:
+    # Enable creating SecurityContextConstraints for OpenShift
+    enabled: false
 
 # Extra manifests to deploy as an array
 extraManifests: []

From 63fbad9d2f5746716573a0f9278d4f0557915ff8 Mon Sep 17 00:00:00 2001
From: aleksrosz
Date: Wed, 29 Apr 2026 11:48:07 +0200
Subject: [PATCH 2/2] fix: update SecurityContextConstraints name for ClickHouse Keeper

---
 dist/chart/templates/scc/clickhouse-scc.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/dist/chart/templates/scc/clickhouse-scc.yaml b/dist/chart/templates/scc/clickhouse-scc.yaml
index fe5d44d6..fb9d88a5 100644
--- a/dist/chart/templates/scc/clickhouse-scc.yaml
+++ b/dist/chart/templates/scc/clickhouse-scc.yaml
@@ -4,8 +4,8 @@ kind: SecurityContextConstraints
 metadata:
   annotations:
     kubernetes.io/description: SCC denies access to all host features and
-      requires pods to be run with a UID, and SELinux context. Allows capabilities needed by ClickHouse Keeper
-  name: clickhouse-keeper-scc
+      requires pods to be run with a UID, and SELinux context. Allows capabilities needed by ClickHouse Keeper.
+  name: clickhouse-scc
 priority: null
 readOnlyRootFilesystem: false
 defaultAddCapabilities: null