From fd03b184b33337e3f1de06a5cadd3c5bcc0a3536 Mon Sep 17 00:00:00 2001 From: Patrick Jahns Date: Wed, 16 Nov 2022 21:46:43 +0100 Subject: fix(helm): file permission issues when running as non-root user Specify the user group for the garage (and init) process and ensure that the persistent storage is mounted with the correct file system group --- script/helm/garage/templates/workload.yaml | 2 ++ script/helm/garage/values.yaml | 11 ++++++----- 2 files changed, 8 insertions(+), 5 deletions(-) (limited to 'script') diff --git a/script/helm/garage/templates/workload.yaml b/script/helm/garage/templates/workload.yaml index da5d386f..718f7bea 100644 --- a/script/helm/garage/templates/workload.yaml +++ b/script/helm/garage/templates/workload.yaml @@ -41,6 +41,8 @@ spec: secretKeyRef: name: {{ include "garage.rpcSecretName" . }} key: rpcSecret + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} volumeMounts: - name: configmap mountPath: /mnt/garage.toml diff --git a/script/helm/garage/values.yaml b/script/helm/garage/values.yaml index d7e7ddbf..701a5680 100644 --- a/script/helm/garage/values.yaml +++ b/script/helm/garage/values.yaml @@ -92,18 +92,19 @@ serviceAccount: podAnnotations: {} -podSecurityContext: {} - # fsGroup: 2000 +podSecurityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + runAsNonRoot: true securityContext: # The default security context is heavily restricted # feel free to tune it to your requirements capabilities: drop: - - ALL + - ALL readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 service: # You can rely on any service to expose your cluster -- cgit v1.2.3