fix(helm): file permission issues when running as non-root user
Specify the user group for the garage (and init) process and ensure that the persistent storage is mounted with the correct file system group
This commit is contained in:
parent
da6f7b0dda
commit
fd03b184b3
2 changed files with 8 additions and 5 deletions
|
@ -41,6 +41,8 @@ spec:
|
|||
secretKeyRef:
|
||||
name: {{ include "garage.rpcSecretName" . }}
|
||||
key: rpcSecret
|
||||
securityContext:
|
||||
{{- toYaml .Values.securityContext | nindent 12 }}
|
||||
volumeMounts:
|
||||
- name: configmap
|
||||
mountPath: /mnt/garage.toml
|
||||
|
|
|
@ -92,18 +92,19 @@ serviceAccount:
|
|||
|
||||
podAnnotations: {}
|
||||
|
||||
podSecurityContext: {}
|
||||
# fsGroup: 2000
|
||||
podSecurityContext:
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
fsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
|
||||
securityContext:
|
||||
# The default security context is heavily restricted
|
||||
# feel free to tune it to your requirements
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
|
||||
service:
|
||||
# You can rely on any service to expose your cluster
|
||||
|
|
Loading…
Reference in a new issue