OpenShift Configuration
OpenShift assigns an arbitrary user ID and group ID (UID/GID) to the runAsUser and fsGroup fields of the pod- and container-level security contexts. Under the default restricted security context constraint (SCC), the values come from per-project ranges recorded in the namespace annotations openshift.io/sa.scc.uid-range and openshift.io/sa.scc.supplemental-groups, and a pod that pins a UID or GID outside those ranges is not admitted.
By default, the security contexts in the chart use values matching the user and group IDs under which the product runs, which will generally not fall inside an OpenShift project's range. Rather than guessing a value, unset the fsGroup and runAsUser securityContext fields in your custom values. Setting a key to null in Helm values removes it from the chart's merged values, so the rendered manifests carry no fixed IDs and OpenShift assigns them as expected.
Unset fsGroup and runAsUser at the Pod Level
In the global section of the values.yaml file, add the following stanza:
```yaml
global:
  workload:
    securityContext:
      fsGroup: null
      runAsUser: null
```
This unsets fsGroup and runAsUser in the pod-level security context only. Pods that use initContainers must also unset runAsUser in the container-level security context, as described in the next section; otherwise the init container still pins a UID and the restricted SCC rejects the pod.
initContainers: Unset runAsUser at the Container Level
Some of the product deployments use initContainers for various operations, such as waiting for other services to become available or performing configuration steps. These containers, while part of the workload, carry their own security context at the container level, not the pod level, so the values above do not affect them. To unset runAsUser for any pingtoolkit initContainers so that OpenShift can assign the UID, also add the following stanza:
```yaml
global:
  externalImage:
    pingtoolkit:
      securityContext:
        runAsUser: null
```
For example, here is a complete block for configuring pingaccess-admin with a waitFor initContainer:
```yaml
global:
  workload:
    securityContext:
      fsGroup: null
      runAsUser: null
  externalImage:
    pingtoolkit:
      securityContext:
        runAsUser: null

pingaccess-admin:
  enabled: true
  privateCert:
    generate: true
  envs:
    SERVER_PROFILE_URL: https://github.com/pingidentity/pingidentity-server-profiles.git
    SERVER_PROFILE_PATH: baseline/pingaccess
  container:
    waitFor:
      pingfederate-engine:
        service: https
        timeoutSeconds: 300
```
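Before applying the rendered chart to an OpenShift project, it is worth checking that no pod- or container-level security context still pins a UID or GID outside the project's range, including the init containers that the pod-level stanza does not touch. The following is an added example, not code from the pingidentity helm-charts project: it audits a pod spec (the kind of object `helm template` produces, here constructed inline as a Python dict) against the two namespace annotations. The annotation values, container names and UID/GID numbers are constructed for the example, and the functions parse_range, classify, audit_pod and blocking_findings are the example's own.

```python
"""Pre-flight audit of a rendered pod spec against OpenShift UID/GID ranges.

Added example for this page, not code from the pingidentity helm-charts
project. It mimics what you would check on `helm template` output before
applying it to an OpenShift project whose restricted SCC assigns UIDs from
the namespace annotations `openshift.io/sa.scc.uid-range` and
`openshift.io/sa.scc.supplemental-groups`. The annotation values, the pod
specs and the UID/GID numbers below are all constructed for the example.
"""

ASSIGNED = "unset: OpenShift assigns a value from the namespace range"
OK = "fixed value inside the namespace range"
REJECTED = "fixed value outside the namespace range: restricted SCC rejects the pod"

# Constructed annotations in the "<start>/<size>" form OpenShift writes on projects.
NAMESPACE_ANNOTATIONS = {
    "openshift.io/sa.scc.uid-range": "1000680000/10000",
    "openshift.io/sa.scc.supplemental-groups": "1000680000/10000",
}


def parse_range(spec):
    """Parse '<start>/<size>' (or '<start>-<end>') into an inclusive (lo, hi)."""
    if "/" in spec:
        start, size = (int(x) for x in spec.split("/", 1))
        return start, start + size - 1
    lo, hi = (int(x) for x in spec.split("-", 1))
    return lo, hi


def classify(value, rng):
    """Describe how the restricted SCC will treat a runAsUser/fsGroup value."""
    if value is None:
        return ASSIGNED
    lo, hi = rng
    return OK if lo <= value <= hi else REJECTED


def audit_pod(pod_spec, annotations=NAMESPACE_ANNOTATIONS):
    """Return [(location, field, value, verdict)] for every UID/GID setting.

    A container-level runAsUser overrides the pod-level one, so each container
    (initContainers included) is judged on its effective value.
    """
    uid_range = parse_range(annotations["openshift.io/sa.scc.uid-range"])
    gid_range = parse_range(annotations["openshift.io/sa.scc.supplemental-groups"])
    pod_sc = pod_spec.get("securityContext") or {}
    findings = [
        ("pod", "fsGroup", pod_sc.get("fsGroup"), classify(pod_sc.get("fsGroup"), gid_range)),
        ("pod", "runAsUser", pod_sc.get("runAsUser"), classify(pod_sc.get("runAsUser"), uid_range)),
    ]
    for kind in ("initContainers", "containers"):
        for c in pod_spec.get(kind, []):
            c_sc = c.get("securityContext") or {}
            effective = c_sc.get("runAsUser", pod_sc.get("runAsUser"))
            findings.append((f"{kind}/{c['name']}", "runAsUser", effective, classify(effective, uid_range)))
    return findings


def blocking_findings(pod_spec, annotations=NAMESPACE_ANNOTATIONS):
    """Only the findings that would stop the pod from being admitted."""
    return [f for f in audit_pod(pod_spec, annotations) if f[3] == REJECTED]


# Constructed rendering of the chart before the null overrides: the pod and the
# pingtoolkit init container carry a fixed UID/GID (numbers constructed here).
POD_WITH_FIXED_IDS = {
    "securityContext": {"runAsUser": 9031, "fsGroup": 9999},
    "initContainers": [
        {"name": "wait-for-pingfederate-engine", "securityContext": {"runAsUser": 9031}},
    ],
    "containers": [{"name": "pingaccess-admin"}],
}

# The same spec after fsGroup: null / runAsUser: null at both levels.
POD_WITH_IDS_UNSET = {
    "securityContext": {},
    "initContainers": [{"name": "wait-for-pingfederate-engine", "securityContext": {}}],
    "containers": [{"name": "pingaccess-admin"}],
}

# A common half-fix: pod-level unset, but the init container still pins a UID.
POD_INIT_STILL_PINNED = {
    "securityContext": {},
    "initContainers": [
        {"name": "wait-for-pingfederate-engine", "securityContext": {"runAsUser": 9031}},
    ],
    "containers": [{"name": "pingaccess-admin"}],
}

if __name__ == "__main__":
    for label, spec in [("fixed", POD_WITH_FIXED_IDS), ("unset", POD_WITH_IDS_UNSET),
                        ("half-fixed", POD_INIT_STILL_PINNED)]:
        print(f"== {label} ==")
        for loc, field, value, verdict in audit_pod(spec):
            print(f"  {loc:42s} {field:10s} {str(value):12s} {verdict}")
```

In practice you would run `helm template` with your values file, take spec.template.spec from each Deployment or StatefulSet, and pass it to audit_pod together with the annotations from `oc get namespace <project> -o yaml`. On the constructed inputs the fixed-ID spec produces four blocking findings (the running container inherits the pod-level UID), the fully unset spec none, and the half-fixed spec flags only the init container, which is exactly the case the second stanza above exists to cover.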