authorPatrick Jahns <kontakt@patrickjahns.de>2022-11-16 21:46:43 +0100
committerMaximilien Richer <me@mricher.fr>2023-01-27 00:08:32 +0100
commitfd03b184b33337e3f1de06a5cadd3c5bcc0a3536 (patch)
tree1ec86ac84711c7d54458ff5319c1bf6417d3b8bb /script
parentda6f7b0dda594fc13c96db481dd0fa6ae4c8857e (diff)
fix(helm): file permission issues when running as non-root user
Specify the user group for the garage (and init) process and ensure that the persistent storage is mounted with the correct file system group
Diffstat (limited to 'script')
-rw-r--r--script/helm/garage/templates/workload.yaml2
-rw-r--r--script/helm/garage/values.yaml11
2 files changed, 8 insertions, 5 deletions
diff --git a/script/helm/garage/templates/workload.yaml b/script/helm/garage/templates/workload.yaml
index da5d386f..718f7bea 100644
--- a/script/helm/garage/templates/workload.yaml
+++ b/script/helm/garage/templates/workload.yaml
@@ -41,6 +41,8 @@ spec:
secretKeyRef:
name: {{ include "garage.rpcSecretName" . }}
key: rpcSecret
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
volumeMounts:
- name: configmap
mountPath: /mnt/garage.toml
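Review bot: The new `securityContext:` line renders `.Values.securityContext` verbatim, and with the defaults this commit ships that block sets `readOnlyRootFilesystem` and drops all capabilities but leaves `allowPrivilegeEscalation` unset; adding `allowPrivilegeEscalation: false` to the chart's default `securityContext` would keep the container within the restricted pod-security profile now that `runAsNonRoot`/`runAsUser` move to the pod level. The fsGroup fix the commit describes only takes effect if workload.yaml also renders `.Values.podSecurityContext` at the pod `spec.securityContext` level, which this hunk does not show, so that is worth confirming. If the init process mentioned in the description runs as a separate init container, it needs its own `securityContext` rendering, since a container-level block is not inherited between containers. The enclosing container spec starts and ends outside the hunk.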
diff --git a/script/helm/garage/values.yaml b/script/helm/garage/values.yaml
index d7e7ddbf..701a5680 100644
--- a/script/helm/garage/values.yaml
+++ b/script/helm/garage/values.yaml
@@ -92,18 +92,19 @@ serviceAccount:
podAnnotations: {}
-podSecurityContext: {}
- # fsGroup: 2000
+podSecurityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ runAsNonRoot: true
securityContext:
# The default security context is heavily restricted
# feel free to tune it to your requirements
capabilities:
drop:
- - ALL
+ - ALL
readOnlyRootFilesystem: true
- runAsNonRoot: true
- runAsUser: 1000
service:
# You can rely on any service to expose your cluster