Additional config (VolumeMount) needed for rootless deployment #35

Open
elaurensx opened this issue Sep 29, 2024 · 0 comments

Chart version: 2.0.1
App version: v0.9.6

Setting the following (pod)securityContext options in ./charts/common/values.yaml:

podSecurityContext:
   fsGroup: 1000
securityContext:
   runAsUser: 1000
   runAsGroup: 1000

and enabling persistence for logs in ./values.yaml:

persistence:
  logs:
    enabled: true
    type: emptyDir
    mountPath: /app/config/logs

I get the following file permissions & ownership for all of the chart's mounted volumes:

-rw-r--r--    1 root     node            72 Sep 29 13:28 bookmarks.yaml
-rw-rw-r--    1 node     node             0 Sep 29 13:28 custom.css
-rw-rw-r--    1 node     node             0 Sep 29 13:28 custom.js
-rw-r--r--    1 root     node             0 Sep 29 13:28 docker.yaml
-rw-r--r--    1 root     node            14 Sep 29 13:28 kubernetes.yaml
drwxrwsrwx    2 root     node            26 Sep 29 13:28 logs
-rw-r--r--    1 root     node           335 Sep 29 13:28 services.yaml
-rw-r--r--    1 root     node             0 Sep 29 13:28 settings.yaml
-rw-r--r--    1 root     node           257 Sep 29 13:28 widgets.yaml

All good so far and the application starts. It also immediately logs errors because it can't copy the custom.css and custom.js files into the /app/config folder. ls -ll /app shows that the config dir is owned by root:root.

Modified the following chart files to work around this:

  • ./charts/common/templates/lib/container/_volumemounts.tpl
{{/* Volumes included by the controller */}}
{{- define "bjw-s.common.lib.container.volumeMounts" -}}
- name: config
  mountPath: /app/config
  {{- range $persistenceIndex, $persistenceItem := .Values.persistence }}
  ...
  • ./charts/common/templates/lib/controller/_volumes.tpl
{{/*
Volumes included by the controller.
*/}}
{{- define "bjw-s.common.lib.controller.volumes" -}}
- name: config
  emptyDir: {}
{{- range $index, $persistence := .Values.persistence }}
...

Result is that the /app/config dir is now also owned by root:node and can be written to by uid=1000.
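As an added illustration (not part of the issue above, and not code from the chart or its maintainers), the plain Pod spec below shows the same workaround without the Helm templating: an emptyDir is mounted over /app/config so the directory becomes root:fsGroup and writable by uid 1000, the generated config files are projected into it from a ConfigMap with subPath mounts, and the logs emptyDir is nested beneath it. The image reference, ConfigMap name and file contents are placeholders, and the extra hardening fields (runAsNonRoot, readOnlyRootFilesystem, dropped capabilities, seccomp) are an assumption about what a rootless deployment would also set, not something the chart version in the report necessarily does.

```yaml
# Added example: standalone equivalent of the /app/config emptyDir workaround.
# Image, ConfigMap name and file contents are placeholders, not from the chart.
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config            # placeholder name
data:
  services.yaml: |
    - Example:
        - Placeholder:
            href: https://example.invalid
  settings.yaml: ""
  bookmarks.yaml: ""
  kubernetes.yaml: |
    mode: cluster
---
apiVersion: v1
kind: Pod
metadata:
  name: app-rootless
spec:
  # Pod-level context: fsGroup=1000 makes every emptyDir root:1000 with the
  # setgid bit (the drwxrwsrwx seen on the logs dir in the report) and every
  # ConfigMap file root:1000 0644, so uid 1000 can read config and write logs.
  securityContext:
    runAsNonRoot: true        # assumption: kubelet refuses the pod if the image runs as root
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: example.invalid/app:v0.9.6   # placeholder image reference
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
        readOnlyRootFilesystem: true      # assumption: app writes only under /app/config
      volumeMounts:
        # 1. Writable emptyDir replaces the image's root:root /app/config.
        - name: config
          mountPath: /app/config
        # 2. Individual config files are projected on top via subPath, so the
        #    rest of the directory (custom.css, custom.js, logs) stays writable.
        - name: config-files
          mountPath: /app/config/services.yaml
          subPath: services.yaml
        - name: config-files
          mountPath: /app/config/settings.yaml
          subPath: settings.yaml
        - name: config-files
          mountPath: /app/config/bookmarks.yaml
          subPath: bookmarks.yaml
        - name: config-files
          mountPath: /app/config/kubernetes.yaml
          subPath: kubernetes.yaml
        # 3. Nested logs volume, as enabled under persistence.logs in the report.
        - name: logs
          mountPath: /app/config/logs
  volumes:
    - name: config
      emptyDir: {}
    - name: config-files
      configMap:
        name: app-config
    - name: logs
      emptyDir: {}
```

Two caveats a practitioner should check before adopting this. An emptyDir mounted over /app/config hides anything the image ships in that directory and, with fsGroup set, the directory is created setgid and world-writable (the same drwxrwsrwx mode the report shows for logs), so any other uid in the pod can write there too; a tighter alternative is an initContainer that copies the image's defaults into the volume and chmods it to 0770. subPath mounts also do not pick up later ConfigMap changes until the pod restarts, unlike a whole-directory ConfigMap mount. If readOnlyRootFilesystem turns out to break the application, add further emptyDir mounts for the paths it writes to rather than dropping the setting.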
