add suggested SCC settings and add section to README

localstack · Oct 8, 2024 · 0894f4b · 0894f4b
1 parent 0d74cf8
commit 0894f4b
Show file tree

Hide file tree

Showing 5 changed files with 45 additions and 38 deletions.
diff --git a/README.md b/README.md
@@ -82,6 +82,40 @@ Useful Helm Client Commands:
 * Install a chart: `helm install <name> localstack/<chart>`
 * Upgrade your application: `helm upgrade`
 
+### Using the chart in OpenShift
+
+Running LocalStack on OpenShift requires specific Security Context Constraints (SCC) to be applied to ensure proper deployment and operation.
+In the OpenShift Container Platform, you can use SCCs to control permissions for the pods in your cluster.
+
+Default SCCs are created during installation and when you install some Operators or other components. As a cluster administrator,
+you can also create your own SCCs.
+
+The cluster contains several default security context constraints (SCCs). The available Security Context Constraints are:
+
+* anyuid
+* hostaccess
+* hostmount-anyuid
+* hostnetwork
+* node-exporter
+* nonroot
+* privileged
+* restricted
+
+Example:
+
+
+```yaml
+role:
+  create: true
+
+scc:
+  resourceNames:
+    - privileged
+    - hostnetwork
+```
+
+For a more comprehensive overview, see the official SCC documentation: [OpenShift SCCs](https://docs.openshift.com/container-platform/4.16/authentication/managing-security-context-constraints.html)
+
 ## Change Log
 
 Please refer to [GitHub releases](https://github.com/localstack/helm-charts/releases) to see the complete list of changes for each release.

diff --git a/charts/localstack/templates/NOTES.txt b/charts/localstack/templates/NOTES.txt
@@ -20,8 +20,3 @@
   echo "visit http://127.0.0.1:8080 to use your application"
   kubectl --namespace {{ .Release.Namespace | quote }} port-forward $POD_NAME 8080:$CONTAINER_PORT
 {{- end }}
-{{- if and .Values.openshift .Values.route.enabled }}
-  export ROUTE_URL=$(oc get route localstack-fork --namespace "localstack" -o jsonpath="{.spec.host}")
-  echo http://$ROUTE_URL
-  echo "visit http://$ROUTE_URL to use your application"
-{{- end }}
diff --git a/charts/localstack/templates/role.yaml b/charts/localstack/templates/role.yaml
@@ -19,10 +19,12 @@ rules:
 - apiGroups: [""]
   resources: ["services"]
   verbs: ["get", "list"]
-{{- if .Values.openshift }}
+{{- if .Values.scc }}
 - apiGroups: ["security.openshift.io"]
   resources: ["securitycontextconstraints"]
-  resourceNames: ["anyuid"]
+  resourceNames:
+    {{- range .Values.scc.resourceNames }}
+    - {{ . | quote }}
   verbs: ["use"]
 {{- end }}
 {{- end }}
diff --git a/charts/localstack/templates/route.yaml b/charts/localstack/templates/route.yaml
diff --git a/charts/localstack/values.yaml b/charts/localstack/values.yaml
@@ -19,10 +19,6 @@ imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
 
-## OpenShift.  When set to 'true' it will add SecurityContextConstraings (SCC)
-## to the role
-openshift: false
-
 ## @param extraDeploy Extra objects to deploy (value evaluated as a template)
 ##
 extraDeploy: []
@@ -49,6 +45,13 @@ role:
   # If not set and create is true, a name is generated using the fullname template
   name: ""
 
+## OpenShift Security Context Constraints.  When set to 'true' it will add SecurityContextConstraings (SCC)
+## to the role
+scc:
+  resourceNames:
+    - anyuid
+    - nonroot
+
 podLabels: {}
 
 podAnnotations: {}
@@ -159,12 +162,6 @@ ingress:
   #    hosts:
   #      - chart-example.local
 
-## Create a Route resource if using OpenShift
-## Defaults to the 'edge' port of the service on 4566
-route:
-  enabled: false
-  port: edge
-
 persistence:
   ## @param persistence.enabled Enable persistence using Persistent Volume Claims
   ##