diff --git a/helm-charts/splunk-otel-collector/templates/NOTES.txt b/helm-charts/splunk-otel-collector/templates/NOTES.txt index 560f204c0e..f565532916 100644 --- a/helm-charts/splunk-otel-collector/templates/NOTES.txt +++ b/helm-charts/splunk-otel-collector/templates/NOTES.txt @@ -73,6 +73,3 @@ Splunk Network Explorer is installed and configured. [WARNING] "clusterReceiver.eventsEnabled" parameter is deprecated. Soon it will be replaced with "clusterReceiver.k8sObjects". Upgrade guidelines: https://github.com/signalfx/splunk-otel-collector-chart/blob/main/UPGRADING.md#$CURRENT_VERSION-to-$NEXT_VERSION {{ end }} -{{- if and (ne .Values.distribution "openshift") (not (empty .Values.securityContextConstraintsOverwrite)) }} -[WARNING] "securityContextConstraintsOverwrite" paramter should be only used when distribution=openshift. -{{ end }} diff --git a/helm-charts/splunk-otel-collector/templates/_helpers.tpl b/helm-charts/splunk-otel-collector/templates/_helpers.tpl index fd7de5dd9f..0fa18e1562 100644 --- a/helm-charts/splunk-otel-collector/templates/_helpers.tpl +++ b/helm-charts/splunk-otel-collector/templates/_helpers.tpl 
@@ -421,43 +421,3 @@ Whether clusterReceiver should be enabled
 {{- $clusterReceiver := fromYaml (include "splunk-otel-collector.clusterReceiver" .) }}
 {{- and $clusterReceiver.enabled (or (eq (include "splunk-otel-collector.metricsEnabled" .) "true") (eq (include "splunk-otel-collector.objectsOrEventsEnabled" .) "true")) -}}
 {{- end -}}
-
-
-{{/*
-
-*/}}
-{{- define "splunk-otel-collector.defaultSecurityContextConstraints" -}}
-priority: 10
-allowHostNetwork: true
-allowHostPorts: true
-allowHostPID: true
-allowHostDirVolumePlugin: true
-allowHostIPC: false
-allowPrivilegedContainer: false
-volumes:
-- configMap
-- downwardAPI
-- emptyDir
-- hostPath
-- secret
-# Allow podman/crio socket and /proc access
-seLinuxContext:
- type: MustRunAs
- seLinuxOptions:
- user: "system_u"
- role: "system_r"
- type: "spc_t"
- level: "s0"
-allowedFlexVolumes: []
-allowedCapabilities: []
-defaultAddCapabilities: []
-fsGroup:
- type: MustRunAs
-readOnlyRootFilesystem: true
-runAsUser:
- type: RunAsAny
-supplementalGroups:
- type: RunAsAny
-requiredDropCapabilities:
-- ALL
-{{- end -}}
diff --git a/helm-charts/splunk-otel-collector/templates/securityContextConstraints.yaml b/helm-charts/splunk-otel-collector/templates/securityContextConstraints.yaml
index 3ffc4fa825..4cde2aee40 100644
--- a/helm-charts/splunk-otel-collector/templates/securityContextConstraints.yaml
+++ b/helm-charts/splunk-otel-collector/templates/securityContextConstraints.yaml
@@ -1,3 +1,38 @@
+{{- define "splunk-otel-collector.defaultSecurityContextConstraints" -}}
+priority: 10
+allowHostNetwork: true
+allowHostPorts: true
+allowHostPID: true
+allowHostDirVolumePlugin: true
+allowHostIPC: false
+allowPrivilegedContainer: false
+volumes:
+- configMap
+- downwardAPI
+- emptyDir
+- hostPath
+- secret
+# Allow podman/crio socket and /proc access
+seLinuxContext:
+ type: MustRunAs
+ seLinuxOptions:
+ user: "system_u"
+ role: "system_r"
+ type: "spc_t"
+ level: "s0"
+allowedFlexVolumes: []
+allowedCapabilities: []
+defaultAddCapabilities: []
+fsGroup:
+ type: MustRunAs
+readOnlyRootFilesystem: true
+runAsUser:
+ type: RunAsAny
+supplementalGroups:
+ type: RunAsAny
+requiredDropCapabilities:
+- ALL
+{{- end -}}
 {{- if eq (include "splunk-otel-collector.distribution" .) "openshift" }}
 kind: SecurityContextConstraints
 apiVersion: security.openshift.io/v1
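Review bot: The relocated `splunk-otel-collector.defaultSecurityContextConstraints` define has no header comment, even though it is the block that grants host-level access: `allowHostNetwork`, `allowHostPorts`, `allowHostPID`, `hostPath` volumes, SELinux type `spc_t` and `runAsUser: RunAsAny`. I would put a template comment directly above the `define`, for example `{{/* Default OpenShift SCC for the collector: allows host network/ports/PID, hostPath volumes and SELinux type spc_t (podman/crio socket and /proc access); privileged containers and added capabilities stay disallowed. */}}`. The comment should also say how `securityContextConstraintsOverwrite` interacts with these defaults (presumably it replaces or merges over them, but the consuming code is not in this hunk), so that an override is not assumed to keep `requiredDropCapabilities: ALL` and `readOnlyRootFilesystem: true`. The SCC object that uses this define continues below the hunk, so it is worth confirming there that the constraint is bound only to the chart's own service account.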