diff --git a/README.md b/README.md index 185df64..08a5b3e 100644 --- a/README.md +++ b/README.md @@ -82,6 +82,38 @@ Useful Helm Client Commands: * Install a chart: `helm install localstack/` * Upgrade your application: `helm upgrade` +### Using the chart in OpenShift + +Running LocalStack on OpenShift requires specific Security Context Constraints (SCC) to be applied to ensure proper deployment and operation. +In the OpenShift Container Platform, you can use SCCs to control permissions for the pods in your cluster. + +Default SCCs are created during installation and when you install some Operators or other components. As a cluster administrator, +you can also create your own SCCs. + +The cluster contains several default security context constraints (SCCs). The available Security Context Constraints are: + +* anyuid +* hostaccess +* hostmount-anyuid +* hostnetwork +* node-exporter +* nonroot +* privileged +* restricted + +Example: + +```yaml +role: + extraRoles: + - apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["anyuid"] + verbs: ["use"] +``` + +For a more comprehensive overview, see the official SCC documentation: [OpenShift SCCs](https://docs.openshift.com/container-platform/4.16/authentication/managing-security-context-constraints.html) + ## Change Log Please refer to [GitHub releases](https://github.com/localstack/helm-charts/releases) to see the complete list of changes for each release. diff --git a/charts/localstack/templates/NOTES.txt b/charts/localstack/templates/NOTES.txt index 3132aae..0de1c44 100644 --- a/charts/localstack/templates/NOTES.txt +++ b/charts/localstack/templates/NOTES.txt 
@@ -17,6 +17,6 @@ {{- else if contains "ClusterIP" .Values.service.type }} export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace | quote }} -l "app.kubernetes.io/name={{ include "localstack.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace | quote }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") - echo "Visit http://127.0.0.1:8080 to use your application" + echo "visit http://127.0.0.1:8080 to use your application" kubectl --namespace {{ .Release.Namespace | quote }} port-forward $POD_NAME 8080:$CONTAINER_PORT {{- end }} diff --git a/charts/localstack/templates/role.yaml b/charts/localstack/templates/role.yaml index 4c8587d..3abc6b0 100644 --- a/charts/localstack/templates/role.yaml +++ b/charts/localstack/templates/role.yaml @@ -19,4 +19,8 @@ rules: - apiGroups: [""] resources: ["services"] verbs: ["get", "list"] +{{- if .Values.role.extraRoles }} +{{ include "common.tplvalues.render" (dict "value" .Values.role.extraRoles "context" $) }} {{- end }} +{{- end }} + diff --git a/charts/localstack/test-values.yaml b/charts/localstack/test-values.yaml index 3c7a456..5c42114 100644 --- a/charts/localstack/test-values.yaml +++ b/charts/localstack/test-values.yaml @@ -57,3 +57,11 @@ ingress: # enable kubernetes lambda executor (only pro) # lambda: # executor: "kubernetes" + +# add extra roles for OpenShift +# role: +# extraRoles: +# - apiGroups: ["security.openshift.io"] +# resources: ["securitycontextconstraints"] +# resourceNames: ["anyuid"] +# verbs: ["use"] \ No newline at end of file
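Review bot: the README example under "Using the chart in OpenShift" grants `use` on the `anyuid` SCC (`resourceNames: ["anyuid"]`) without saying why LocalStack needs it; `anyuid` lets the pod run as any UID, including 0, so the section should state which SCC the image actually requires and point readers to `nonroot` (already in the listed defaults) as the one to try first when the container does not need root, with `anyuid` as the fallback. The list of eight default SCCs also sits between the explanation and the example without tying the two together; one sentence saying that the example grants the chart's service account the SCC named in `resourceNames` would make it read as a recommendation rather than a menu.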
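Review bot: the NOTES.txt change replaces `echo "Visit http://127.0.0.1:8080 to use your application"` with the lowercase `echo "visit ..."`, which only changes the capitalisation at the start of the post-install message and is unrelated to the OpenShift feature; either drop it from this patch or keep the capitalised `Visit`.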
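Review bot: in the role.yaml hunk the new `{{- end }}` is appended after the pre-existing `{{- end }}` context line, so the template reads as if the old `end` now closes the new `{{- if .Values.role.extraRoles }}` and the added `end` closes whatever outer block the old one used to close; that renders the same but is hard to follow, so put the new `{{- end }}` directly after the `include` line and leave the existing closing line untouched. Three things to check as well: `common.tplvalues.render` needs the Bitnami `common` library chart declared as a dependency in Chart.yaml, which this patch does not touch; the rendered list must land at the same indentation as the existing entries under `rules:` (`- apiGroups: [""]`), so the `include` probably wants `| nindent` to match; and values.yaml is not changed here, so confirm it carries a `role.extraRoles` default (for example `[]`) and that `role` exists, otherwise the `if` cannot evaluate cleanly. The trailing `+` blank line at end of file can also go.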
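Review bot: the test-values.yaml hunk adds the `role.extraRoles` example fully commented out, so the new `{{- if .Values.role.extraRoles }}` branch in role.yaml is never rendered by the test values; uncomment it there (or add a second values file for OpenShift) so `helm template` and `helm lint` actually exercise the `common.tplvalues.render` path, and add the missing newline at end of file flagged by `\ No newline at end of file`.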