
Unable to address the helm chart issues reported by the static code analysis #1031

Open
alita1991 opened this issue Jan 13, 2025 · 6 comments

Comments

@alita1991

Hi,

Today, I decided to scan the verticadb-operator helm chart for any possible issue with kube-score and kube-linter and got the following issues:

[CRITICAL] verticadb-operator-manager/default apps/v1/Deployment: (manager) The container is running with a low user ID
[CRITICAL] verticadb-operator-manager/default apps/v1/Deployment: (manager) The container running with a low group ID
[CRITICAL] verticadb-operator-manager/default apps/v1/Deployment: (manager) ImagePullPolicy is not set to Always
[CRITICAL] verticadb-operator-manager/default apps/v1/Deployment: The pod does not have a matching NetworkPolicy
[CRITICAL] verticadb-operator-manager/default apps/v1/Deployment: (manager) Ephemeral Storage limit is not set
[CRITICAL] verticadb-operator-manager/default apps/v1/Deployment: (manager) Ephemeral Storage request is not set

From what I investigated so far, the securityContext (pod + container) is not exposed currently, and I'm unable to configure those via configuration.

Is there any plan to expose the important fields for each resource?

Thank you

@qindotguan
Collaborator

We do support Vertica server container securityContext in the spec. Can you try the configurations below?

spec:
  ...
  securityContext:
    privileged: true

And also the pod-level security context:

spec:
  ...
  podSecurityContext:
    runAsUser: 3500
    runAsGroup: 3500
  ...

For more details, you can search securityContext in this page:
https://docs.vertica.com/24.4.x/en/containerized/custom-resource-definition-parameters/

@roypaulin
Collaborator

[CRITICAL] verticadb-operator-manager/default apps/v1/Deployment: (manager) The container is running with a low user ID
[CRITICAL] verticadb-operator-manager/default apps/v1/Deployment: (manager) The container running with a low group ID

This scan does not take the container (Dockerfile) into account. The base image is gcr.io/distroless/static:nonroot, which does not include a root user. The container will use a default non-root user with UID and GID set to 65532. See docker-operator/Dockerfile

@roypaulin
Collaborator

roypaulin commented Jan 14, 2025

[CRITICAL] verticadb-operator-manager/default apps/v1/Deployment: (manager) ImagePullPolicy is not set to Always

This is more like a choice to not pull the image each time.

@roypaulin
Collaborator

roypaulin commented Jan 14, 2025

[CRITICAL] verticadb-operator-manager/default apps/v1/Deployment: (manager) Ephemeral Storage limit is not set
[CRITICAL] verticadb-operator-manager/default apps/v1/Deployment: (manager) Ephemeral Storage request is not set

Yes, it is a good practice to set ephemeral storage for Kubernetes operator pods. We did not because the operator doesn't rely on local disk storage; it only reconciles state.

@roypaulin
Collaborator

[CRITICAL] verticadb-operator-manager/default apps/v1/Deployment: The pod does not have a matching NetworkPolicy

We don't necessarily need one because the operator does not need to communicate with other pods and is in an isolated environment.
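As an added illustration (not code from the vertica-kubernetes project or from kube-score), here are the manifest-level checks quoted in the comments above re-implemented over a constructed stand-in for the manager Deployment; the 10000 threshold for "low" IDs and the placeholder image are assumptions. It also shows why declaring the image's 65532 identity in the pod securityContext lets a scanner verify what the distroless Dockerfile already enforces, since the scanner never sees the Dockerfile.

```python
import copy

LOW_ID_THRESHOLD = 10000       # assumption: the scanner flags IDs below 10000
DISTROLESS_NONROOT_ID = 65532  # UID/GID of distroless :nonroot, as stated in the thread

# Constructed stand-in for the operator's manager Deployment (not the real chart output).
MANAGER_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "verticadb-operator-manager", "namespace": "default"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "manager", "image": "example.invalid/verticadb-operator:placeholder",
         "imagePullPolicy": "IfNotPresent", "resources": {}}]}}},
}


def _effective(container, pod_sc, key):
    """Container-level securityContext overrides the pod-level one, as in Kubernetes."""
    return (container.get("securityContext") or {}).get(key, pod_sc.get(key))


def check_deployment(deployment):
    """Return kube-score style findings for a Deployment; [] means clean.
    Only the manifest is inspected, so a non-root USER baked into the image
    (as with distroless :nonroot) is invisible unless the manifest declares it."""
    findings = []
    pod = deployment["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext") or {}
    for c in pod["containers"]:
        n = c["name"]
        uid, gid = _effective(c, pod_sc, "runAsUser"), _effective(c, pod_sc, "runAsGroup")
        if uid is None or uid < LOW_ID_THRESHOLD:
            findings.append(f"({n}) The container is running with a low user ID")
        if gid is None or gid < LOW_ID_THRESHOLD:
            findings.append(f"({n}) The container is running with a low group ID")
        if c.get("imagePullPolicy") != "Always":
            findings.append(f"({n}) ImagePullPolicy is not set to Always")
        res = c.get("resources") or {}
        for field in ("limits", "requests"):
            if "ephemeral-storage" not in (res.get(field) or {}):
                findings.append(f"({n}) Ephemeral Storage {field[:-1]} is not set")
    return findings


def declare_runtime_identity(deployment, uid=DISTROLESS_NONROOT_ID,
                             gid=DISTROLESS_NONROOT_ID, ephemeral="100Mi"):
    """Make the image's non-root identity explicit in the manifest and bound
    scratch space, so a manifest-only scanner can verify both. Returns a copy."""
    d = copy.deepcopy(deployment)
    pod = d["spec"]["template"]["spec"]
    pod["securityContext"] = {"runAsNonRoot": True, "runAsUser": uid, "runAsGroup": gid}
    for c in pod["containers"]:
        res = c.setdefault("resources", {})
        res.setdefault("limits", {})["ephemeral-storage"] = ephemeral
        res.setdefault("requests", {})["ephemeral-storage"] = ephemeral
    return d
```

The NetworkPolicy finding is deliberately left out: it is a cluster-level object, not a property of the Deployment, so a manifest check cannot decide it.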

@alita1991
Author

We do support Vertica server container securityContext in the spec. Can you try the configurations below?

spec:
  ...
  securityContext:
    privileged: true

And also the pod-level security context:

spec:
  ...
  podSecurityContext:
    runAsUser: 3500
    runAsGroup: 3500
  ...

For more details, you can search securityContext in this page: https://docs.vertica.com/24.4.x/en/containerized/custom-resource-definition-parameters/

Is there any plan to expose the securityContext and podSecurityContext for the operator as well?
