runAsUser SecurityContext not working for windows

Signed-off-by: Dani Louca <[email protected]>
signalfx · May 30, 2023 · 9c5208b · 9c5208b
1 parent fdb574c
commit 9c5208b
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 8 deletions.
diff --git a/helm-charts/splunk-otel-collector/templates/_helpers.tpl b/helm-charts/splunk-otel-collector/templates/_helpers.tpl
@@ -428,3 +428,16 @@ Whether clusterReceiver should be enabled
 {{- $clusterReceiver := fromYaml (include "splunk-otel-collector.clusterReceiver" .) }}
 {{- and $clusterReceiver.enabled (or (eq (include "splunk-otel-collector.metricsEnabled" .) "true") (eq (include "splunk-otel-collector.objectsOrEventsEnabled" .) "true")) -}}
 {{- end -}}
+
+
+{{/*
+Build the securityContext for Linux and Windows
+*/}}
+{{- define "splunk-otel-collector.securityContext" -}}
+{{- if .isWindows }}
+{{- $_ := unset .securityContext "runAsUser" }}
+{{- else if and (eq (toString .securityContext.runAsUser) "<nil>") (.setRunAsUser) }}
+{{- $_ := set .securityContext "runAsUser" 0 }}
+{{- end }}
+{{- toYaml .securityContext }}
+{{- end -}}
diff --git a/helm-charts/splunk-otel-collector/templates/daemonset.yaml b/helm-charts/splunk-otel-collector/templates/daemonset.yaml
@@ -251,11 +251,7 @@ spec:
         imagePullPolicy: {{ .Values.image.otelcol.pullPolicy }}
         {{- if or $agent.securityContext (and (eq (include "splunk-otel-collector.logsEnabled" $) "true") (eq .Values.logsEngine "otel")) }}
         securityContext:
-          {{- if $agent.securityContext }}
-          {{- toYaml $agent.securityContext | nindent 10 }}
-          {{- else }}
-          runAsUser: 0
-          {{- end }}
+          {{- include "splunk-otel-collector.securityContext" (dict "isWindows" .Values.isWindows "securityContext" $agent.securityContext "setRunAsUser" true) | nindent 10 }}
         {{- end }}
         env:
           - name: SPLUNK_MEMORY_TOTAL_MIB

diff --git a/helm-charts/splunk-otel-collector/templates/deployment-cluster-receiver.yaml b/helm-charts/splunk-otel-collector/templates/deployment-cluster-receiver.yaml
@@ -79,7 +79,7 @@ spec:
       {{- end }}
       {{- if $clusterReceiver.securityContext }}
       securityContext:
-        {{ toYaml $clusterReceiver.securityContext | nindent 8 }}
+        {{- include "splunk-otel-collector.securityContext" (dict "isWindows" .Values.isWindows "securityContext" $clusterReceiver.securityContext) | nindent 8 }}
       {{- end }}
       {{- if eq (include "splunk-otel-collector.distribution" .) "eks/fargate" }}
       initContainers:

diff --git a/helm-charts/splunk-otel-collector/templates/deployment-gateway.yaml b/helm-charts/splunk-otel-collector/templates/deployment-gateway.yaml
@@ -59,7 +59,7 @@ spec:
       {{- end }}
       {{- if $gateway.securityContext }}
       securityContext:
-        {{ toYaml $gateway.securityContext | nindent 8 }}
+        {{- include "splunk-otel-collector.securityContext" (dict "isWindows" .Values.isWindows "securityContext" $gateway.securityContext) | nindent 8 }}
       {{- end }}
       containers:
       - name: otel-collector

diff --git a/helm-charts/splunk-otel-collector/templates/revert-patch-log-dirs-hook.yaml b/helm-charts/splunk-otel-collector/templates/revert-patch-log-dirs-hook.yaml
@@ -1,4 +1,4 @@
-{{- if or (and (.Values.fluentd.securityContext.runAsUser) (.Values.fluentd.securityContext.runAsGroup)) (and (.Values.agent.securityContext.runAsUser) (.Values.agent.securityContext.runAsGroup)) }}
+{{- if or (and (.Values.fluentd.securityContext.runAsUser) (.Values.fluentd.securityContext.runAsGroup) (not .Values.isWindows) ) (and (.Values.agent.securityContext.runAsUser) (.Values.agent.securityContext.runAsGroup) (not .Values.isWindows) ) }}
 apiVersion: v1
 kind: Pod
 metadata: