This repository has been archived by the owner on Jan 18, 2024. It is now read-only.

Cannot specify securityContext container attribute #240

Open
franck102 opened this issue Nov 6, 2020 · 1 comment · May be fixed by #125
Labels
area/timescaledb-single bug Something isn't working

Comments


franck102 commented Nov 6, 2020

This is an improvement request

Describe the bug
The timescaledb-single chart won't let you configure a securityContext container attribute.
This is required in Kubernetes clusters that use pod security policies (else the container starts as root and postgres refuses to start):

containers:
        - name: timescaledb
          securityContext:
            allowPrivilegeEscalation: false
            runAsGroup: 1000
            runAsNonRoot: true
            runAsUser: 1000

We have to create a local copy of the chart to work around this issue.

feikesteenbergen added a commit that referenced this issue Jan 12, 2021
By setting the Pod SecurityContext, we ensure every container inherits
these settings. The only field that cannot be set at the Pod level is
`allowPrivilegeEscalation`, therefore, we set that at the container
level.

By making the uid a template (which derives from values) we can more
easily set a different uid for all the processes involved.

Addresses issue #240.

https://v1-18.docs.kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#podsecuritycontext-v1-core
https://v1-18.docs.kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#securitycontext-v1-core
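The layout the issue asks for and the commit message describes (uid/gid/runAsNonRoot at the Pod level, inherited by every container; allowPrivilegeEscalation only at the container level, since the API has no Pod-level field for it) can be checked mechanically on a rendered manifest. The checker below is an added example, not code from the chart or its authors; the Pod dict it runs on is constructed and the uid values are hypothetical.

```python
# Added example, not from the timescaledb-single chart or its authors.
# Applies the inheritance rule the commit message relies on: user/group
# fields may come from the Pod securityContext, but allowPrivilegeEscalation
# only counts when set on the container itself.
POD_LEVEL_FIELDS = ("runAsUser", "runAsGroup", "runAsNonRoot")


def effective_context(pod_spec: dict, container: dict) -> dict:
    """Merge Pod-level and container-level securityContext.

    Container fields override Pod fields; allowPrivilegeEscalation is
    container-only in the Kubernetes API, so it is never inherited.
    """
    pod_ctx = pod_spec.get("securityContext", {})
    ctr_ctx = container.get("securityContext", {})
    merged = {k: pod_ctx[k] for k in POD_LEVEL_FIELDS if k in pod_ctx}
    merged.update(ctr_ctx)
    return merged


def check_pod(pod_spec: dict) -> list:
    """Return one finding per container that could still start as root or
    gain privileges; an empty list means every container is constrained."""
    findings = []
    for c in pod_spec.get("containers", []):
        ctx = effective_context(pod_spec, c)
        # Either an explicit runAsNonRoot or an explicit non-zero uid will do.
        if ctx.get("runAsNonRoot") is not True and ctx.get("runAsUser") in (None, 0):
            findings.append(f"{c['name']}: may run as root (no runAsNonRoot/runAsUser)")
        if ctx.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{c['name']}: allowPrivilegeEscalation not set to false")
    return findings


# Constructed sample (hypothetical uid/gid): Pod-level identity fields plus a
# container-level allowPrivilegeEscalation, as the commit message describes.
SAMPLE_POD = {
    "securityContext": {"runAsUser": 1000, "runAsGroup": 1000, "runAsNonRoot": True},
    "containers": [
        {"name": "timescaledb",
         "securityContext": {"allowPrivilegeEscalation": False}},
        {"name": "sidecar"},  # inherits the uid but not allowPrivilegeEscalation
    ],
}

if __name__ == "__main__":
    for finding in check_pod(SAMPLE_POD):
        print(finding)
```

Run it against the output of `helm template` (parsed with a YAML loader) to confirm that every container in the rendered Pod spec is constrained before relying on the chart's defaults.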
feikesteenbergen (Member) commented Jan 12, 2021

The Single Helm Chart defaults to the default securityContext, which:

Defaults to user specified in image metadata if unspecified.

https://v1-18.docs.kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#securitycontext-v1-core

Which is postgres for this image.

docker inspect timescaledev/timescaledb-ha:pg12.5-ts2.0.0-p0 | jq '.[0].Config.User' -r
postgres

However, it may be good to explicitly configure this setup. See #252

@feikesteenbergen feikesteenbergen linked a pull request Jan 12, 2021 that will close this issue
@paulfantom paulfantom added bug Something isn't working area/timescaledb-single labels Aug 18, 2022