podSecurityContext and containerSecurityContext values fail with 'wrong type for value; expected string; got map' #99

@mikhail-khodorovskiy

Bug Description

When setting agent.podSecurityContext or agent.containerSecurityContext values, the helm chart fails to render with the error:

Error: template: container-agent/templates/deployment.yaml:37:70: executing "container-agent/templates/deployment.yaml" at <8>: wrong type for value; expected string; got map[string]interface {}

Steps to Reproduce

helm template circleci-runner circleci/container-agent \
  --namespace circleci \
  --set "agent.resourceClasses.myorg/my-runner.token=test-token" \
  --set "agent.podSecurityContext.runAsNonRoot=true" \
  --set "agent.podSecurityContext.runAsUser=1000"

Or with a values file:

agent:
  podSecurityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 1000

Expected Behavior

The chart should render successfully with the security context applied to the pod spec.

Root Cause

In templates/deployment.yaml line 37, the template is missing toYaml:

Current (buggy):

securityContext: {{- .Values.agent.podSecurityContext | nindent 8 }}

Expected (fixed):

securityContext: {{- toYaml .Values.agent.podSecurityContext | nindent 8 }}

The same issue exists for containerSecurityContext.

Environment

Chart Version: 101.1.6 (also tested 101.1.3 - same issue)
Helm Version: v3.20.0 and v4.1.1
Kubernetes Version: EKS 1.28

Impact

This bug prevents users from setting pod/container security contexts, which is required for:

Environments with Pod Security Policies / Pod Security Standards
Kubernetes clusters with OPA Gatekeeper policies requiring runAsNonRoot
Security-hardened deployments

Workaround

Currently, the only workaround is to not set these values and rely on cluster-level exemptions for the CircleCI runner image.

Suggested Fix

Add toYaml to the security context sections in templates/deployment.yaml:

- securityContext: {{- .Values.agent.podSecurityContext | nindent 8 }}
+ securityContext: {{- toYaml .Values.agent.podSecurityContext | nindent 8 }}

- securityContext: {{- .Values.agent.containerSecurityContext | nindent 12 }}
+ securityContext: {{- toYaml .Values.agent.containerSecurityContext | nindent 12 }}
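
Review bot: Both changed lines still emit the securityContext: key unconditionally, so when agent.podSecurityContext or agent.containerSecurityContext is left empty the rendered manifest carries a key whose value is whatever toYaml produces for an empty input. Consider wrapping each line in a `{{- with .Values.agent.podSecurityContext }}` block (and the same for containerSecurityContext) so the key is rendered only when a value is set. A chart render test that sets both values would also help, since the reproduction above shows `helm template` failing on exactly that input.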


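The failure described under Root Cause can be reproduced outside Helm with Go's text/template, the engine Helm templates are executed by. This is an added example, not code from the chart or from the issue author: `nindent` and `toYaml` below are simplified stand-ins for the Helm/Sprig helpers, and the values are constructed from the issue's values file.

```go
package main

import (
	"bytes"
	"fmt"
	"sort"
	"strings"
	"text/template"
)

const (
	buggy = `securityContext: {{- .podSecurityContext | nindent 8 }}`
	fixed = `securityContext: {{- toYaml .podSecurityContext | nindent 8 }}`
)

// nindent has the same shape as the Sprig helper: its last argument must be a string.
func nindent(spaces int, s string) string {
	pad := strings.Repeat(" ", spaces)
	return "\n" + pad + strings.ReplaceAll(s, "\n", "\n"+pad)
}

// toYaml is a simplified stand-in for Helm's toYaml (flat maps of scalars only).
func toYaml(m map[string]interface{}) string {
	lines := make([]string, 0, len(m))
	for k, val := range m {
		lines = append(lines, fmt.Sprintf("%s: %v", k, val))
	}
	sort.Strings(lines)
	return strings.Join(lines, "\n")
}

// render executes tpl against constructed values matching the issue's values file.
func render(tpl string) (string, error) {
	values := map[string]interface{}{"podSecurityContext": map[string]interface{}{
		"runAsNonRoot": true, "runAsUser": 1000, "fsGroup": 1000}}
	funcs := template.FuncMap{"nindent": nindent, "toYaml": toYaml}
	t := template.Must(template.New("deployment.yaml").Funcs(funcs).Parse(tpl))
	var buf bytes.Buffer
	err := t.Execute(&buf, values)
	return buf.String(), err
}

func main() {
	for _, tpl := range []string{buggy, fixed} {
		out, err := render(tpl)
		fmt.Printf("template: %s\nerror: %v\noutput: %s\n\n", tpl, err, out)
	}
}
```

The buggy template fails at execution time because the map is piped straight into a function whose parameter is a string; serializing the map first gives `nindent` the string it expects.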