Kong · tao12345666333 · Jan 7, 2026 · Dec 18, 2025
@@ -32,6 +32,7 @@ helm install kong/kong --generate-name
     - [DB-less deployment](#db-less-deployment)
     - [Using the Postgres sub-chart](#using-the-postgres-sub-chart)
       - [Postgres sub-chart considerations for OpenShift](#postgres-sub-chart-considerations-for-openshift)
+    - [Kong container security context for OpenShift](#kong-container-security-context-for-openshift)
   - [Runtime package](#runtime-package)
   - [Configuration method](#configuration-method)
   - [Separate admin and proxy nodes](#separate-admin-and-proxy-nodes)
@@ -210,6 +211,24 @@ Due to the default `securityContexts` in the postgres sub-chart, you will need t
       enabled: false
 ```
 
+#### Kong container security context for OpenShift
+
+OpenShift uses Security Context Constraints (SCC) that automatically assign
+dynamic user/group IDs to containers. The default `containerSecurityContext`
+in this chart includes hardcoded `runAsUser: 1000` and `runAsGroup: 1000`
+values that conflict with OpenShift's security model.
+
+To deploy Kong on OpenShift, disable the container security context so that
+OpenShift can inject its own dynamic UID/GID values:
+
+```yaml
+containerSecurityContext:
+  enabled: false
+```
+
+This allows OpenShift's SCC to manage the security context automatically,
+which is the recommended approach for OpenShift deployments.
+
 ### Runtime package
 
 There are three different packages of Kong that are available:
@@ -929,6 +948,7 @@ On the Gateway release side, set either `admin.tls.client.secretName` to the nam
 | secretVolumes                      | Mount given secrets as a volume in Kong container to override default certs and keys. | `[]`                |
 | securityContext                    | Set the securityContext for Kong Pods                                                 | See values.yaml     |
 | containerSecurityContext           | Set the securityContext for Containers                                                | See values.yaml     |
+| containerSecurityContext.enabled   | Enable container security context (set to `false` for OpenShift)                      | `true`              |
 | serviceMonitor.enabled             | Create ServiceMonitor for Prometheus Operator                                         | `false`             |
 | serviceMonitor.trustCRDsExist      | Do not check for the Prometheus Operator CRDs, just try to deploy                     | `false`             |
 | serviceMonitor.interval            | Scraping interval                                                                     | `30s`               |

@@ -859,8 +859,10 @@ The name of the Service which will be used by the controller to update the Ingre
 - name: wait-for-db
   image: {{ include "kong.getRepoTag" .Values.image }}
   imagePullPolicy: {{ .Values.image.pullPolicy }}
+  {{- if .Values.containerSecurityContext.enabled }}
   securityContext:
-  {{ toYaml .Values.containerSecurityContext | nindent 4 }}
+  {{ toYaml (omit .Values.containerSecurityContext "enabled") | nindent 4 }}
+  {{- end }}
   env:
   {{- include "kong.env" . | nindent 2 }}
   {{- include "kong.envFrom" .Values.envFrom | nindent 2 }}
@@ -897,8 +899,10 @@ The name of the Service which will be used by the controller to update the Ingre
 
 {{- define "kong.controller-container" -}}
 - name: ingress-controller
+  {{- if .Values.containerSecurityContext.enabled }}
   securityContext:
-{{ toYaml .Values.containerSecurityContext | nindent 4 }}
+{{ toYaml (omit .Values.containerSecurityContext "enabled") | nindent 4 }}
+  {{- end }}
   args:
   {{ if .Values.ingressController.args}}
   {{- range $val := .Values.ingressController.args }}

@@ -102,8 +102,10 @@ spec:
       - name: clear-stale-pid
         image: {{ include "kong.getRepoTag" .Values.image }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
+        {{- if .Values.containerSecurityContext.enabled }}
         securityContext:
-        {{ toYaml .Values.containerSecurityContext | nindent 10 }}
+        {{ toYaml (omit .Values.containerSecurityContext "enabled") | nindent 10 }}
+        {{- end }}
         resources:
 {{ toYaml (default .Values.resources .Values.initContainerResources) | indent 10 }}
         command:
@@ -144,8 +146,10 @@ spec:
       - name: "proxy"
         image: {{ include "kong.getRepoTag" .Values.image }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
+        {{- if .Values.containerSecurityContext.enabled }}
         securityContext:
-        {{ toYaml .Values.containerSecurityContext | nindent 10 }}
+        {{ toYaml (omit .Values.containerSecurityContext "enabled") | nindent 10 }}
+        {{- end }}
         env:
         {{- include "kong.no_daemon_env" . | nindent 8 }}
         {{- include "kong.envFrom" .Values.envFrom | nindent 8 }}

@@ -67,8 +67,10 @@ spec:
       - name: {{ template "kong.name" . }}-post-upgrade-migrations
         image: {{ include "kong.getRepoTag" .Values.image }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
+        {{- if .Values.containerSecurityContext.enabled }}
         securityContext:
-        {{ toYaml .Values.containerSecurityContext | nindent 10 }} 
+        {{ toYaml (omit .Values.containerSecurityContext "enabled") | nindent 10 }}
+        {{- end }}
         env:
         {{- include "kong.no_daemon_env" . | nindent 8 }}
         {{- include "kong.envFrom" .Values.envFrom | nindent 8 }}

@@ -69,8 +69,10 @@ spec:
       - name: {{ template "kong.name" . }}-upgrade-migrations
         image: {{ include "kong.getRepoTag" .Values.image }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
+        {{- if .Values.containerSecurityContext.enabled }}
         securityContext:
-        {{ toYaml .Values.containerSecurityContext | nindent 10 }}
+        {{ toYaml (omit .Values.containerSecurityContext "enabled") | nindent 10 }}
+        {{- end }}
         env:
         {{- include "kong.no_daemon_env" . | nindent 8 }}
         {{- include "kong.envFrom" .Values.envFrom | nindent 8 }}

@@ -77,8 +77,10 @@ spec:
       - name: {{ template "kong.name" . }}-migrations
         image: {{ include "kong.getRepoTag" .Values.image }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
+        {{- if .Values.containerSecurityContext.enabled }}
         securityContext:
-        {{ toYaml .Values.containerSecurityContext | nindent 10 }} 
+        {{ toYaml (omit .Values.containerSecurityContext "enabled") | nindent 10 }}
+        {{- end }}
         env:
         {{- include "kong.no_daemon_env" . | nindent 8 }}
         {{- include "kong.envFrom" .Values.envFrom | nindent 8 }}

@@ -1076,7 +1076,10 @@ securityContext:
     type: RuntimeDefault
 
 # securityContext for containers.
+# Set containerSecurityContext.enabled=false for OpenShift, where the platform
+# automatically assigns UIDs/GIDs via Security Context Constraints (SCC).
 containerSecurityContext:
+  enabled: true
   readOnlyRootFilesystem: true
   allowPrivilegeEscalation: false
   runAsUser: 1000