SecurityContextConstraints with empty allowedFlexVolumes causes ArgoCD sync issues on OpenShift #2181

@kptranum

Description

When deploying the Datadog Helm chart on OpenShift with podSecurity.securityContextConstraints.create: true, the generated SCC includes an empty allowedFlexVolumes: [] field. OpenShift automatically omits empty arrays from the SCC specification, causing ArgoCD to perpetually show the application as "OutOfSync" due to the field difference.

Environment

  • Datadog Helm Chart Version: 3.137.2
  • OpenShift Version: 4.x
  • ArgoCD Version: 3.0.19
  • Deployment method: GitOps with ArgoCD

Current Behavior

  1. Helm chart generates SCC with allowedFlexVolumes: []
  2. OpenShift creates the SCC but omits the empty allowedFlexVolumes field
  3. ArgoCD detects a difference between desired (Helm template) and actual (OpenShift) state
  4. Application remains perpetually "OutOfSync"

Expected Behavior

The Helm chart should either:

  • Omit the allowedFlexVolumes field entirely when it's empty, OR
  • Provide a way to control whether this field is included in the generated SCC

Reproduction Steps

  1. Deploy Datadog using the Helm chart with these values:

     agents:
       podSecurity:
         securityContextConstraints:
           create: true
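
An added example, not part of the issue and not code from ArgoCD or the Datadog chart: it reproduces the comparison described above on a constructed SCC, then shows that treating an empty list as absent clears the false diff while a change to a security-relevant field is still reported. The helper names `diff_paths` and `prune_empty` and the SCC name `example-scc` are hypothetical.

```python
"""Constructed illustration of the SCC drift described in the issue."""


def diff_paths(desired, live, path=""):
    """Return JSON-pointer-style paths at which two manifests differ."""
    if isinstance(desired, dict) and isinstance(live, dict):
        out = []
        for key in sorted(set(desired) | set(live)):
            child = f"{path}/{key}"
            if key not in desired or key not in live:
                out.append(child)  # field present on one side only
            else:
                out.extend(diff_paths(desired[key], live[key], child))
        return out
    return [] if desired == live else [path or "/"]


def prune_empty(obj):
    """Drop keys whose value is an empty list, which is how the issue
    says OpenShift stores the SCC."""
    if isinstance(obj, dict):
        return {k: prune_empty(v) for k, v in obj.items() if v != []}
    if isinstance(obj, list):
        return [prune_empty(v) for v in obj]
    return obj


# Constructed sample manifest, not the chart's actual rendered output.
DESIRED = {
    "apiVersion": "security.openshift.io/v1",
    "kind": "SecurityContextConstraints",
    "metadata": {"name": "example-scc"},
    "allowPrivilegedContainer": False,
    "allowedFlexVolumes": [],
    "volumes": ["configMap", "secret"],
}
LIVE = prune_empty(DESIRED)                          # stored without the empty field
DRIFTED = dict(LIVE, allowPrivilegedContainer=True)  # a change that must be reported


def report():
    """Compare the rendered manifest with the live object three ways."""
    normalized = prune_empty(DESIRED)
    return {
        "raw": diff_paths(DESIRED, LIVE),
        "normalized": diff_paths(normalized, LIVE),
        "real_drift": diff_paths(normalized, DRIFTED),
    }


if __name__ == "__main__":
    for name, paths in report().items():
        print(name, paths)
```

The last case is why a permanent "OutOfSync" state on an SCC is more than cosmetic: a genuine change to the constraints is harder to notice when the application never reports as synced.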
