-
Notifications
You must be signed in to change notification settings - Fork 30
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ingester fails on DigitalOcean Kubernetes due to permission issues #996
Comments
Thanks for reporting this. Would setting the Perhaps the operator could always set it. |
@pavolloffay thanks so much for the quick answer. I've just verified on a DigitalOcean cluster that by setting the following to the Pod spec in the securityContenxt:
fsGroup: 10001 It would be great if the Operator would allow that configuration. Even better if it's by default. |
I'm facing the same issue on AKS with the clean deployment of a TempoStack. Is there a workaround that works currently or is the only option a downgrade? |
You can switch is to The unmanaged mode allows you to directly modify k8s objects managed by the operator. |
facing the same issue. I solved it for now by using operator version 0.10.0. |
Tempo 2.5.0 (supported in Tempo Operator 0.11.0+) switched user from
root
totempo
(10001:10001
) and ownership of/var/tempo
. In some Kubernetes distributions such as DigitalOcean, persistent volumes are always created with a filesystem owned byroot:root
, which means the Ingester Pod will fail with the following error.Unfortunately, DigitalOcean Kubernetes doesn't support the
mountOptions
settings to change the file permissions in the mounted volume, so Tempo Operator cannot be used in that environment as-is.If I understand correctly, Tempo Operator 0.11.0 introduced a Job that runs when upgrading the Operator from previous versions to change the permissions on the volume (see https://github.com/grafana/tempo-operator/releases/tag/v0.11.0). Would it be an idea to allow running that same Job even on new installations, in environments like DigitalOcean Kubernetes? (perhaps, behind a configuration flag)
If that's not possible, I see two other options to make Tempo Operator support DigitalOcean Kubernetes:
1000:1000
instead of10001:10001
, though not really a production-ready solution. This is what the tempo-distributed Helm chart does.The text was updated successfully, but these errors were encountered: