This MR is based on my experience of running Aqua scanners in an OpenShift environment. This is backporting the fixes we have implemented in our clusters, including production clusters.
Issues addressed

1. OpenShift security context doesn't allow a PVC for the Aqua Scanner.
2. Due to having a separate PVC with a fixed name associated with the StatefulSet, the current chart limits you to only one scanner with persistence if your storage is only capable of `ReadWriteOnce`.
3. It isn't possible to add volumes and mount points potentially necessary for other tools to cooperate with the scanners.
Solutions

For the first problem, adding `persistentVolumeClaim` to the `SecurityContextConstraints`.

For the last problem, 2 additional variables have been created and mapped appropriately to both `volumes` and `volumeMounts`, called `additionalVolumes` and `addtionalVolumeMounts` respectively, e.g. #691.

For the main problem, reverted the change that resulted in the removal of the `volumeMountTemplate` in the case where `accessMode` is `ReadWriteOnce` and `replicaCount` is greater than 1. Using `volumeMountTemplate` in this way creates a unique PVC per scanner, getting around the limitation of storage that can only have one pod at a time with write access.
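The three fixes described in this PR, shown as an added illustration rather than the chart's own templates: the SCC volume allow-list, the two new values keys, and a StatefulSet whose `volumeClaimTemplates` yields one `ReadWriteOnce` claim per replica. The values key names are the ones the PR text names; the SCC name, StatefulSet name, image, ConfigMap name, and mount paths are assumptions.

```yaml
# Added illustration, not from the aqua-helm chart in this PR.
# Keys `additionalVolumes` / `addtionalVolumeMounts` are as named in the PR text;
# resource names, image and paths below are assumed placeholders.

# 1. SecurityContextConstraints: the scanner pod may only mount a PVC if
#    `persistentVolumeClaim` is in the SCC's allowed volume types.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: aqua-scanner-scc            # assumed name
allowPrivilegedContainer: false
runAsUser:
  type: MustRunAsRange
seLinuxContext:
  type: MustRunAs
volumes:
  - configMap
  - emptyDir
  - secret
  - persistentVolumeClaim           # the addition this PR makes
---
# 2. values.yaml: extra volumes and mounts for tools that cooperate with the
#    scanner, here a custom CA bundle supplied from a ConfigMap (assumed).
additionalVolumes:
  - name: custom-ca
    configMap:
      name: custom-ca-bundle        # assumed ConfigMap name
addtionalVolumeMounts:              # spelling as used in the PR text
  - name: custom-ca
    mountPath: /etc/ssl/certs/custom-ca.crt   # assumed path
    subPath: ca.crt
    readOnly: true
---
# 3. StatefulSet with per-replica claims: volumeClaimTemplates creates a
#    distinct PVC per ordinal (scanner-data-aqua-scanner-0, -1, ...), so
#    ReadWriteOnce storage works with replicaCount > 1. A single fixed-name
#    PVC shared by all replicas would bind to one node and block the rest.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: aqua-scanner                # assumed name
spec:
  replicas: 2                       # replicaCount > 1
  serviceName: aqua-scanner
  selector:
    matchLabels:
      app: aqua-scanner
  template:
    metadata:
      labels:
        app: aqua-scanner
    spec:
      containers:
        - name: scanner
          image: registry.example.com/aqua/scanner:PLACEHOLDER   # placeholder image
          volumeMounts:
            - name: scanner-data
              mountPath: /var/lib/scanner    # assumed path
  volumeClaimTemplates:
    - metadata:
        name: scanner-data
      spec:
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 10Gi
```

Two operational points worth checking after applying this pattern: the SCC must actually be bound to the scanner's service account (via a role or `oc adm policy add-scc-to-user`), or the pod is still rejected even with `persistentVolumeClaim` listed; and PVCs created from `volumeClaimTemplates` are not deleted when the StatefulSet is scaled down or removed, so scanner data outlives the pod until the claims are cleaned up deliberately.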