-
Notifications
You must be signed in to change notification settings - Fork 804
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add a flag for setting init containers to change permissions on the mounts #2337
Comments
For anyone who runs into the same problem as me, this showed up as:
in the hub logs
|
Then if you run into issues with this happening when your trying to launch the user container the solution is a bit more gnarly because the volume names are dynamic but the following did the trick for me:
(note specifying fsGid to impact the security context doesn't work despite the kubespawner API docs implying it will run a |
I don't think we should automatically override the volume permissions as they may have been changed after the volume is provisioned. In addition it requires running the init container as root which is blocked on some clusters. I think this is a good addition to the docs though. Not sure if it should be added as an non-default option in the Helm chart, @consideRatio what do you think? |
Note it sounds like the K3S behaviour is a bug: k3s-io/k3s#3704 Maybe the fix will be in the next release? k3s-io/k3s#3721 |
That would be rad if it gets fixed in K3s. I know the minio bitnami helm operator has a built in option to work around this so it might be a more common PVC permission bug, but I am not sure since I only run K3s & EKS these days. |
This should get fixed in the next k3s release (next Wednesday): k3s-io/k3s#3704 (comment) |
Thanks for your investigative work everyone involved! I'll close this as a no-action for this Helm chart. |
Proposed change
Add a flag (default to true) that adds an init container changes the permissions on the mounts to match the security context.
Alternative options
Users can manually configure their own init containers.
Who would use this feature?
Anyone running more current version of k3s or any PVC which does some kind of locking down.
Related see k3s v1.21.3 ( https://github.com/k3s-io/k3s/releases/tag/v1.21.3%2Bk3s1 ) & Changes the permission of local storage pods ( k3s-io/k3s#3548 )
(Optional): Suggest a solution
Add default init container (have it be able to be disabled by a flag).
The text was updated successfully, but these errors were encountered: