From 302eb6f8f9cd00f1b6cbfdad2d6490e8e775eb37 Mon Sep 17 00:00:00 2001
From: Adam Hendel
Date: Fri, 19 Jan 2024 16:40:10 -0600
Subject: [PATCH] securityContext for app_service volumes (#493)

---
 tembo-operator/src/app_service/manager.rs | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/tembo-operator/src/app_service/manager.rs b/tembo-operator/src/app_service/manager.rs
index 7c1c3da11..7d11cfcfa 100644
--- a/tembo-operator/src/app_service/manager.rs
+++ b/tembo-operator/src/app_service/manager.rs
@@ -5,9 +5,10 @@ use k8s_openapi::{
     api::{
         apps::v1::{Deployment, DeploymentSpec},
         core::v1::{
-            Capabilities, Container, ContainerPort, EnvVar, EnvVarSource, HTTPGetAction, PodSpec,
-            PodTemplateSpec, Probe, Secret, SecretKeySelector, SecretVolumeSource, SecurityContext,
-            Service, ServicePort, ServiceSpec, Volume, VolumeMount,
+            Capabilities, Container, ContainerPort, EnvVar, EnvVarSource, HTTPGetAction,
+            PodSecurityContext, PodSpec, PodTemplateSpec, Probe, Secret, SecretKeySelector,
+            SecretVolumeSource, SecurityContext, Service, ServicePort, ServiceSpec, Volume,
+            VolumeMount,
         },
     },
     apimachinery::pkg::{
@@ -394,8 +395,14 @@ fn generate_deployment(
     };
     volume_mounts.push(certs_volume_mount);
 
+    let mut pod_security_context: Option = None;
     // Add any user provided volumes / volume mounts
     if let Some(storage) = appsvc.storage.clone() {
+        // when there are user specified volumes, we need to let kubernetes modify permissions of those volumes
+        pod_security_context = Some(PodSecurityContext {
+            fs_group: Some(65534),
+            ..PodSecurityContext::default()
+        });
         if let Some(vols) = storage.volumes {
             volumes.extend(vols);
         }
@@ -420,6 +427,7 @@ fn generate_deployment(
             ..Container::default()
         }],
         volumes: Some(volumes),
+        security_context: pod_security_context,
         ..PodSpec::default()
     };
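Review bot: `fs_group: Some(65534)` in the storage branch of generate_deployment is an unexplained magic number: 65534 is conventionally `nobody`/`nogroup`, and an fsGroup only makes the volumes writable for the app if the container process actually runs with that supplementary GID, which nothing in this hunk establishes — hoist it to a named constant such as `const APP_SERVICE_FS_GROUP: i64 = 65534;` with a comment tying it to the GID the app_service image is expected to run as, and consider making it configurable per AppService rather than fixed. Because this is a pod-level PodSecurityContext, the kubelet will also apply the group ownership change to the certs secret volume pushed a few lines above, not only to the user-provided volumes, and the inline comment should say so instead of "let kubernetes modify permissions". The declaration `let mut pod_security_context: Option = None;` appears here with no type parameter; if that is not a rendering artifact it will not compile and should read `let mut pod_security_context: Option<PodSecurityContext> = None;`. generate_deployment begins and ends outside this hunk, and the value is consumed unchanged by the `security_context: pod_security_context,` line in the PodSpec hunk that follows.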