author | Patrick Jahns <kontakt@patrickjahns.de> | 2022-11-16 21:46:43 +0100 |
---|---|---|
committer | Maximilien Richer <me@mricher.fr> | 2023-01-27 00:08:32 +0100 |
commit | fd03b184b33337e3f1de06a5cadd3c5bcc0a3536 (patch) | |
tree | 1ec86ac84711c7d54458ff5319c1bf6417d3b8bb /script | |
parent | da6f7b0dda594fc13c96db481dd0fa6ae4c8857e (diff) | |
download | garage-fd03b184b33337e3f1de06a5cadd3c5bcc0a3536.tar.gz garage-fd03b184b33337e3f1de06a5cadd3c5bcc0a3536.zip |
fix(helm): file permission issues when running as non-root user
Specify the user group for the garage (and init) process and ensure
that the persistent storage is mounted with the correct file system
group
Diffstat (limited to 'script')
-rw-r--r-- | script/helm/garage/templates/workload.yaml | 2 | ||||
-rw-r--r-- | script/helm/garage/values.yaml | 11 |
2 files changed, 8 insertions, 5 deletions
diff --git a/script/helm/garage/templates/workload.yaml b/script/helm/garage/templates/workload.yaml
index da5d386f..718f7bea 100644
--- a/script/helm/garage/templates/workload.yaml
+++ b/script/helm/garage/templates/workload.yaml
@@ -41,6 +41,8 @@ spec:
 secretKeyRef:
 name: {{ include "garage.rpcSecretName" . }}
 key: rpcSecret
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
 volumeMounts:
 - name: configmap
 mountPath: /mnt/garage.toml
diff --git a/script/helm/garage/values.yaml b/script/helm/garage/values.yaml
index d7e7ddbf..701a5680 100644
--- a/script/helm/garage/values.yaml
+++ b/script/helm/garage/values.yaml
@@ -92,18 +92,19 @@ serviceAccount:
 podAnnotations: {}
-podSecurityContext: {}
- # fsGroup: 2000
+podSecurityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ runAsNonRoot: true
 securityContext:
 # The default security context is heavily restricted
 # feel free to tune it to your requirements
 capabilities:
 drop:
- - ALL
+ - ALL
 readOnlyRootFilesystem: true
- runAsNonRoot: true
- runAsUser: 1000
 service:
 # You can rely on any service to expose your cluster
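Review bot: The hunk wires only the container-level `securityContext`, while the `fsGroup` the commit message relies on for volume ownership is a pod-level field, so the fix only works if `.Values.podSecurityContext` is rendered at `spec.template.spec.securityContext` somewhere outside this hunk; that should be confirmed in the same template. The message also mentions the init process, but no init-container `securityContext` appears here, so check that it is covered as well. The container spec this hunk sits in starts and ends outside the hunk.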
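Review bot: Setting `fsGroup: 1000` makes the kubelet recursively change ownership of the persistent volume on every pod start, which grows expensive as the Garage data directory fills with objects; consider adding `fsGroupChangePolicy: "OnRootMismatch"` next to it so the walk only happens when the volume root does not already match. The container `securityContext` comment still promises a heavily restricted default, yet `allowPrivilegeEscalation: false` is not set; adding it, and `seccompProfile: {type: RuntimeDefault}`, would bring the default in line with the restricted Pod Security Standard. A short comment above `podSecurityContext` stating that 1000 is the chart default and should match the UID/GID the image expects would help operators who override it.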