Skip to content

Comments

add postgres_security_context_settings#190

Open
rchaud wants to merge 1 commit intoansible:mainfrom
rchaud:fix-postgres-permission
Open

add postgres_security_context_settings#190
rchaud wants to merge 1 commit intoansible:mainfrom
rchaud:fix-postgres-permission

Conversation

@rchaud
Copy link

@rchaud rchaud commented Apr 5, 2024

Adding the option to add custom security context for Postgres as in K8s it does not start due to a permission issue. This allows to change the user id, group id, etc to anything other than 26 used by the image https://quay.io/repository/sclorg/postgresql-13-c9s

#138

Example usage:

postgres_security_context_settings:
    runAsUser: 1001
    fsGroup: 1001

@rchaud rchaud mentioned this pull request Apr 5, 2024
Closed
@rooftopcellist
Copy link
Member

rooftopcellist commented Apr 5, 2024

@chinochao Thanks for the PR!

Ultimately, we intend to nest parameters like these under database. We want to do this nested approach with all of the operators eventually, but for the awx-operator for example, it will require us to create a new apiVersion to do so.

With eda-server-operator, we have the luxury of a fresh start and can do this now. Would you be open to re-working the PR?

The user could then define it on the EDA spec like this:

spec:
  database:
    security_context:
      runAsUser: 1001
      fsGroup: 1001

We'll also need CRD and CSV entries, like these, but nested under database:

@rooftopcellist
Copy link
Member

rooftopcellist commented Apr 6, 2024

@chinochao I was trying to reproduce the actual bug first while testing this out but could not while using k3s locally. Could you share more details about your deployment? It'd be good to know under what circumstances this permissions error might occur, so that we can document the fix better.

@maratsal
Copy link

maratsal commented Jun 30, 2024

you can reproduce this with deployment on EKS with gp2 storage class (based on aws-ebs)

kubectl get storageclass
NAME            PROVISIONER             RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE
gp2 (default)   kubernetes.io/aws-ebs   Delete          WaitForFirstConsumer   false                  390d

@sonarqubecloud
Copy link

sonarqubecloud bot commented Jul 25, 2024

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@rchaud @rooftopcellist @maratsal