Operator crashes when using Static Containers with securityContext.readOnlyRootFilesystem=true #485

@bitfisher

Description

What did you do to encounter the bug?
Install operator with helm upgrade mongodb-operator mongodb/mongodb-kubernetes --namespace mongodb-operator --install --create-namespace --reset-values --set operator.mdbDefaultArchitecture="static"

What did you expect?
Operator running

What happened instead?
Operator is crashing with error {"level":"error","caller":"mongodb-kubernetes/main.go:475","msg":"could not set up webhook: mkdir /tmp/k8s-webhook-server: read-only file system","stacktrace":"main.setupWebhook\n\t/go/src/github.com/mongodb/mongodb-kubernetes/main.go:475\nmain.main\n\t/go/src/github.com/mongodb/mongodb-kubernetes/main.go:192\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:283"}

Operator Information

  • Operator Version: 1.4.0
  • MongoDB Image used: quay.io/mongodb/mongodb-kubernetes:1.4.0

Workaround
Patch the deployment with:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: mongodb-kubernetes-operator
  namespace: mongodb-operator
spec:
  template:
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 2000
        runAsGroup: 2000
        fsGroup: 2000
        fsGroupChangePolicy: "OnRootMismatch"
        seccompProfile:
          type: "RuntimeDefault"
      volumes:
      - name: tmp
        emptyDir:
          medium: Memory
      containers:
        - name: mongodb-kubernetes-operator
          securityContext:
            privileged: false
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
              - ALL
          volumeMounts:
          - name: tmp
            mountPath: /tmp

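A pre-flight check for this class of crash, written here as an added example (it is not part of the issue, the operator, or the Helm chart): it walks a Deployment's pod spec and reports every container that sets readOnlyRootFilesystem: true without a writable volume mounted over each path the process has to write. The only write path named on this page is /tmp/k8s-webhook-server from the crash log, so that is the default list; the two sample manifests are constructed to mirror the patched Deployment in the workaround above and the crashing configuration it fixes (read-only root with nothing mounted over /tmp). Treating emptyDir, persistentVolumeClaim and hostPath as the writable volume kinds (configMap, secret, projected and downwardAPI mounts are always read-only) is an assumption of this example, as is the script name check_rofs.py.

```python
"""Flag containers that run with readOnlyRootFilesystem=true but have no writable
volume mounted over a path the process needs to write (example check, not project code)."""
import json
import sys

# Paths the process must be able to write. The only one named on this page is the
# webhook cert directory from the crash log; extend the list for other write paths.
REQUIRED_WRITE_PATHS = ["/tmp/k8s-webhook-server"]

# Assumption: these volume kinds give writable mounts. configMap, secret, projected and
# downwardAPI volumes are always mounted read-only, so they never satisfy a write path.
WRITABLE_VOLUME_TYPES = ("emptyDir", "persistentVolumeClaim", "hostPath")


def make_deployment(with_tmp_volume):
    """Constructed sample mirroring the operator Deployment from the workaround above,
    trimmed to the fields the check needs. with_tmp_volume=False models the crashing
    configuration: read-only root and nothing writable mounted over /tmp."""
    container = {
        "name": "mongodb-kubernetes-operator",
        "securityContext": {
            "privileged": False,
            "allowPrivilegeEscalation": False,
            "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"]},
        },
    }
    pod_spec = {"securityContext": {"runAsNonRoot": True, "runAsUser": 2000},
                "containers": [container]}
    if with_tmp_volume:
        pod_spec["volumes"] = [{"name": "tmp", "emptyDir": {"medium": "Memory"}}]
        container["volumeMounts"] = [{"name": "tmp", "mountPath": "/tmp"}]
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": "mongodb-kubernetes-operator",
                         "namespace": "mongodb-operator"},
            "spec": {"template": {"spec": pod_spec}}}


def mount_covers(mount_path, target):
    """True when a mount at mount_path contains target, matching on whole path
    components so that /tmp covers /tmp/k8s-webhook-server but not /tmpfoo."""
    base = mount_path.rstrip("/")      # "/" becomes "" and then covers every absolute path
    tgt = target.rstrip("/")
    return tgt == base or tgt.startswith(base + "/")


def writable_volume_names(pod_spec):
    """Names of pod volumes whose kind yields a writable mount."""
    return {v["name"] for v in pod_spec.get("volumes", [])
            if any(kind in v for kind in WRITABLE_VOLUME_TYPES)}


def missing_write_paths(container, writable_volumes, required_paths):
    """Return the required paths this container cannot write to. Containers that do
    not set readOnlyRootFilesystem=true can write anywhere and are not checked."""
    sc = container.get("securityContext") or {}
    if not sc.get("readOnlyRootFilesystem"):
        return []
    mounts = [m for m in container.get("volumeMounts", [])
              if m["name"] in writable_volumes and not m.get("readOnly", False)]
    return [p for p in required_paths
            if not any(mount_covers(m["mountPath"], p) for m in mounts)]


def check_deployment(deployment, required_paths=REQUIRED_WRITE_PATHS):
    """Map container name -> list of unwritable required paths (empty list means OK)."""
    pod_spec = deployment["spec"]["template"]["spec"]
    writable = writable_volume_names(pod_spec)
    return {c["name"]: missing_write_paths(c, writable, required_paths)
            for c in pod_spec.get("containers", [])}


if __name__ == "__main__":
    # Usage against a live object:
    #   kubectl get deploy -n mongodb-operator mongodb-kubernetes-operator -o json > deploy.json
    #   python3 check_rofs.py deploy.json
    # With no argument the two constructed samples are checked instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            targets = {sys.argv[1]: json.load(f)}
    else:
        targets = {"patched": make_deployment(True), "unpatched": make_deployment(False)}
    failed = False
    for label, dep in targets.items():
        for name, missing in check_deployment(dep).items():
            status = "OK" if not missing else "no writable mount for " + ", ".join(missing)
            failed = failed or bool(missing)
            print(f"{label}: container {name}: {status}")
    sys.exit(1 if failed else 0)
```

The check is deliberately pessimistic: a mount only counts if the volume kind is writable and the mount itself is not readOnly, so a secret or configMap projected over /tmp, or the same emptyDir mounted with readOnly: true, is still reported as a gap. Run it in CI on rendered chart output so a future change to the hardened securityContext is caught before the operator pod goes into CrashLoopBackOff.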