[bitnami/grafana-operator] SecurityContext applied to initContainers into Grafana deployment #14104

Closed
robmonct opened this issue Dec 26, 2022 · 4 comments · Fixed by #14103

@robmonct
Contributor

Name and Version

bitnami/grafana-operator:4.8.0

What is the problem this feature will solve?

The problem is that there is no way to add SecurityContext to initContainers (grafana-plugins-init) for Grafana pods. There is a way to add containerSecurityContext and podSecurityContext but that is not applied to initContainers.

What is the feature you are proposing to solve the problem?

With this feature, we should be able to add securityContext also to initContainers.

What alternatives have you considered?

The easiest way, in my honest opinion, is to add the option to overwrite the initContainers for Grafana pods, like it is possible to do for Grafana operator pods.

PR proposed: #14103

@carrodher
Member

Thanks for creating this issue and the associated PR, the team will review it and provide feedback as soon as possible (it will take longer than usual due to the holidays). This issue will be automatically closed once the PR is merged.

@robmonct
Contributor Author

After testing the new version of the chart, this values.yaml is not overriding the deployment properly:

  grafana:
    containerSecurityContext:
      enabled: true
      allowPrivilegeEscalation: false
    initContainers:
     - name: grafana-plugins-init
       image: docker.io/bitnami/grafana:9.3.2-debian-11-r4
       imagePullPolicy: IfNotPresent
       resources:
         limits:
           cpu: "1"
           memory: 512Mi
         requests:
           cpu: 250m
           memory: 128Mi
       securityContext:
         allowPrivilegeEscalation: false
         capabilities:
           drop:
           - ALL
         privileged: false
         readOnlyRootFilesystem: true
       env:
       - name: GRAFANA_PLUGINS
       volumeMounts:
       - mountPath: /opt/plugins
         name: grafana-plugins

The deployment that I can see is this:

  initContainers:
  - env:
    - name: GRAFANA_PLUGINS
    image: docker.io/bitnami/grafana:9.3.2-debian-11-r4
    imagePullPolicy: IfNotPresent
    name: grafana-plugins-init
    resources:
      limits:
        cpu: "1"
        memory: 512Mi
      requests:
        cpu: 250m
        memory: 128Mi
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /opt/plugins
      name: grafana-plugins
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-d7vwl
      readOnly: true

Maybe it would be great to be able to disable the grafana-plugin-init initContainer if there are no Grafana plugins to install.
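
An added example (not part of the original thread or the chart's code): a check that the securityContext requested in values.yaml actually reached every container of the rendered Deployment, init containers included. The sample JSON is constructed from the Deployment shown above, and treating an unset `privileged` as a gap is this example's own policy choice.

```python
import json

# Constructed sample: pod template trimmed from the Deployment shown above,
# in the JSON shape that `kubectl get deployment -o json` returns.
SAMPLE = json.loads("""
{"spec": {"template": {"spec": {
  "initContainers": [
    {"name": "grafana-plugins-init",
     "image": "docker.io/bitnami/grafana:9.3.2-debian-11-r4"}
  ],
  "containers": [
    {"name": "grafana",
     "securityContext": {"allowPrivilegeEscalation": false}}
  ]}}}}
""")

# Expected hardening, taken from the securityContext in the values.yaml above.
# Assumption of this example: every field must be set explicitly.
REQUIRED = {
    "allowPrivilegeEscalation": False,
    "privileged": False,
    "readOnlyRootFilesystem": True,
}

def audit_container(c):
    """Return the list of hardening gaps for one container spec."""
    sc = c.get("securityContext") or {}
    gaps = [f"{k} != {v}" for k, v in REQUIRED.items() if sc.get(k) is not v]
    dropped = (sc.get("capabilities") or {}).get("drop") or []
    if "ALL" not in [d.upper() for d in dropped]:
        gaps.append("capabilities.drop lacks ALL")
    return gaps

def audit_deployment(deploy):
    """Map 'kind/name' -> gaps for init and regular containers alike."""
    pod = deploy["spec"]["template"]["spec"]
    report = {}
    for kind in ("initContainers", "containers"):
        for c in pod.get(kind) or []:
            gaps = audit_container(c)
            if gaps:
                report[f"{kind}/{c['name']}"] = gaps
    return report

if __name__ == "__main__":
    for target, gaps in audit_deployment(SAMPLE).items():
        print(target, "->", "; ".join(gaps))
```

Against a live cluster, the same functions can be fed the parsed output of `kubectl get deployment <name> -o json` instead of `SAMPLE`.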

@migruiz4
Member

Hi @robmonct,

After some further research on this issue, I was able to find several issues causing this, one in our chart and several in the upstream grafana-operator project.

Starting with our side, we are setting spec.initContainers when it is supposed to be spec.deployment.initContainers according to the Grafana Operator CRD.

Then, Grafana Operator has several issues affecting initContainers:

  • After fixing the issue in our chart, the CRD appears to be missing the definition of initContainers objects, causing the following issue:
    $ helm install test -f values.yaml ./bitnami/grafana-operator
    W0112 12:39:35.760001   74186 warnings.go:70] unknown field "spec.deployment.initContainers[0].env"
    W0112 12:39:35.760017   74186 warnings.go:70] unknown field "spec.deployment.initContainers[0].image"
    W0112 12:39:35.760022   74186 warnings.go:70] unknown field "spec.deployment.initContainers[0].imagePullPolicy"
    W0112 12:39:35.760025   74186 warnings.go:70] unknown field "spec.deployment.initContainers[0].name"
    W0112 12:39:35.760029   74186 warnings.go:70] unknown field "spec.deployment.initContainers[0].resources"
    W0112 12:39:35.760032   74186 warnings.go:70] unknown field "spec.deployment.initContainers[0].securityContext"
    W0112 12:39:35.760034   74186 warnings.go:70] unknown field "spec.deployment.initContainers[0].volumeMounts"
    Error: INSTALLATION FAILED: Grafana.integreatly.org "test-grafana-operator-grafana" is invalid: spec.deployment.initContainers[0].name: Required value
  • Although I tried to work around the issue with the CRD, the value deployment.initContainers does not really take effect, probably because the Grafana operator never takes it into consideration here: https://github.com/grafana-operator/grafana-operator/blob/755a9b8918f92969784f9545ab1218ad8ed5607d/controllers/model/grafanaDeployment.go#L623-L683
  • The grafana-install-plugins is hardcoded and can't be disabled, although the issue with the missing securityContext was already addressed for the next release: "Fix containerSecurityContext for init-container" (grafana/grafana-operator#861).

@migruiz4
Member

I just noticed the value .spec.Deployment.initContainers is not part of the upstream CRD, but was instead added here: #14181

In order to support additional features, those features need to be added and released in the upstream project: https://github.com/grafana-operator/grafana-operator
