add postgres_security_context_settings #190

Open
wants to merge 1 commit into
base: main

@rchaud rchaud commented Apr 5, 2024

Adding the option to add a custom security context for Postgres, as in K8s it does not start due to a permission issue. This allows changing the user ID, group ID, etc. to anything other than 26, which is used by the image https://quay.io/repository/sclorg/postgresql-13-c9s

#138

Example usage:

postgres_security_context_settings:
    runAsUser: 1001
    fsGroup: 1001

@rooftopcellist
Member

@chinochao Thanks for the PR!

Ultimately, we intend to nest parameters like these under database. We want to do this nested approach with all of the operators eventually, but for the awx-operator for example, it will require us to create a new apiVersion to do so.

With eda-server-operator, we have the luxury of a fresh start and can do this now. Would you be open to re-working the PR?

The user could then define it on the EDA spec like this:

spec:
  database:
    security_context:
      runAsUser: 1001
      fsGroup: 1001

We'll also need CRD and CSV entries, like these, but nested under database:

@rooftopcellist
Member

@chinochao I was trying to reproduce the actual bug first while testing this out but could not while using k3s locally. Could you share more details about your deployment? It'd be good to know under what circumstances this permissions error might occur, so that we can document the fix better.

@maratsal

You can reproduce this with a deployment on EKS with the gp2 storage class (based on aws-ebs):

kubectl get storageclass
NAME            PROVISIONER             RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE
gp2 (default)   kubernetes.io/aws-ebs   Delete          WaitForFirstConsumer   false                  390d
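
An added example, not code from this PR or from the operator: a pre-apply audit of the nested `spec.database.security_context` override discussed in this thread. It checks that the override uses only pod-level fields (where `fsGroup` lives) and does not select ID 0. The function name and the finding messages are hypothetical, and the sample specs are constructed.

```python
# Added example: audit a pod-level security context override for the Postgres
# pod. Function name, messages and sample specs are hypothetical/constructed.

# Fields of the Kubernetes pod-level PodSecurityContext (extend for newer releases).
POD_LEVEL = {
    "runAsUser", "runAsGroup", "runAsNonRoot", "fsGroup", "fsGroupChangePolicy",
    "supplementalGroups", "seLinuxOptions", "seccompProfile", "sysctls",
    "windowsOptions", "appArmorProfile",
}
# Fields that exist only on a container-level SecurityContext.
CONTAINER_ONLY = {
    "privileged", "allowPrivilegeEscalation", "capabilities",
    "readOnlyRootFilesystem", "procMount",
}
ID_FIELDS = ("runAsUser", "runAsGroup", "fsGroup")


def audit_db_security_context(spec):
    """Return a list of findings for spec.database.security_context."""
    ctx = (spec.get("database") or {}).get("security_context")
    if ctx is None:
        return []  # no override: the image's default user applies
    if not isinstance(ctx, dict):
        return ["security_context must be a mapping"]
    findings = []
    for key in sorted(ctx):
        if key in CONTAINER_ONLY:
            findings.append(f"{key}: container-level field, not valid at pod level")
        elif key not in POD_LEVEL:
            findings.append(f"{key}: unknown field")
    for key in ID_FIELDS:
        if key not in ctx:
            continue
        value = ctx[key]
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            findings.append(f"{key}: must be a non-negative integer")
        elif value == 0:
            findings.append(f"{key}: 0 is the root ID")
    if "runAsUser" in ctx and "fsGroup" not in ctx:
        findings.append("fsGroup: not set, volume group ownership is left unchanged")
    return findings


# Constructed sample specs (not taken from a real deployment).
GOOD = {"database": {"security_context": {"runAsUser": 1001, "fsGroup": 1001}}}
BAD = {"database": {"security_context": {"runAsUser": 0, "privileged": True}}}
```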

sonarcloud bot commented Jul 25, 2024
