Bug Description
When setting agent.podSecurityContext or agent.containerSecurityContext values, the helm chart fails to render with the error:
Error: template: container-agent/templates/deployment.yaml:37:70: executing "container-agent/templates/deployment.yaml" at <8>: wrong type for value; expected string; got map[string]interface {}
Steps to Reproduce
helm template circleci-runner circleci/container-agent \
  --namespace circleci \
  --set "agent.resourceClasses.myorg/my-runner.token=test-token" \
  --set "agent.podSecurityContext.runAsNonRoot=true" \
  --set "agent.podSecurityContext.runAsUser=1000"
Or with a values file:
agent:
  podSecurityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 1000
Expected Behavior
The chart should render successfully with the security context applied to the pod spec.
Root Cause
In templates/deployment.yaml line 37, the template is missing toYaml:
Current (buggy):
securityContext: {{- .Values.agent.podSecurityContext | nindent 8 }}
Expected (fixed):
securityContext: {{- toYaml .Values.agent.podSecurityContext | nindent 8 }}
The same issue exists for containerSecurityContext.
Environment
Chart Version: 101.1.6 (also tested 101.1.3 - same issue)
Helm Version: v3.20.0 and v4.1.1
Kubernetes Version: EKS 1.28
Impact
This bug prevents users from setting pod/container security contexts, which is required for:
Environments with Pod Security Policies / Pod Security Standards
Kubernetes clusters with OPA Gatekeeper policies requiring runAsNonRoot
Security-hardened deployments
Workaround
Currently, the only workaround is to not set these values and rely on cluster-level exemptions for the CircleCI runner image.
Suggested Fix
Add toYaml to the security context sections in templates/deployment.yaml:
- securityContext: {{- .Values.agent.podSecurityContext | nindent 8 }}
+ securityContext: {{- toYaml .Values.agent.podSecurityContext | nindent 8 }}
- securityContext: {{- .Values.agent.containerSecurityContext | nindent 12 }}
+ securityContext: {{- toYaml .Values.agent.containerSecurityContext | nindent 12 }}
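Review bot: both `+` lines emit the `toYaml` result unconditionally, so an unset or empty agent.podSecurityContext or agent.containerSecurityContext still renders a securityContext key with an empty value; wrapping each line in `{{- with .Values.agent.podSecurityContext }}` ... `{{- end }}` (and the same for containerSecurityContext) would omit the key in that case. The nindent widths 8 and 12 are carried over from the removed lines, so they should be checked against the pod-spec and container indentation around them, and a render test using the values from the reproduction steps would keep this from regressing.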
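The type error from the Root Cause section can be reproduced outside Helm with Go's text/template, the engine Helm templates run on. This is an added example, not code from the chart or from Helm: `nindent` and `toYaml` below are simplified stand-ins, `toYaml` emits JSON (valid YAML flow syntax) to stay in the standard library, and the values are constructed.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
	"text/template"
)

// Simplified stand-ins for the template functions (assumptions, not Helm's code).
var funcs = template.FuncMap{
	// nindent takes a string as its piped argument; a map is rejected at execution time.
	"nindent": func(n int, s string) string {
		pad := strings.Repeat(" ", n)
		return "\n" + pad + strings.ReplaceAll(s, "\n", "\n"+pad)
	},
	// toYaml serializes any value to a string; JSON is used here in place of YAML.
	"toYaml": func(v interface{}) (string, error) {
		b, err := json.Marshal(v)
		return string(b), err
	},
}

// render executes one template line against constructed chart values.
func render(line string) (string, error) {
	values := map[string]interface{}{
		"Values": map[string]interface{}{
			"agent": map[string]interface{}{
				"podSecurityContext": map[string]interface{}{
					"runAsNonRoot": true, "runAsUser": 1000,
				},
			},
		},
	}
	t, err := template.New("deployment.yaml").Funcs(funcs).Parse(line)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	err = t.Execute(&out, values)
	return out.String(), err
}

func main() {
	_, err := render(`securityContext: {{- .Values.agent.podSecurityContext | nindent 8 }}`)
	fmt.Println("buggy:", err)
	out, err := render(`securityContext: {{- toYaml .Values.agent.podSecurityContext | nindent 8 }}`)
	fmt.Println("fixed:", out, err)
}
```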