Commit 2f1bada
authored
fix: skip projects init-container under restricted_security_context (#14)
The init-projects container chmod/chgrp's /var/lib/awx/projects. With
restricted_security_context enabled it inherits the pod's runAsNonRoot (uid
1000) yet still runs chmod/chgrp, which a non-root process without CAP_FOWNER
cannot do on a volume it does not own. The container exits "Operation not
permitted" and the web/task pods never start.
Under restricted_security_context the pod already sets fsGroup, which the
kubelet applies to fsGroup-capable volumes (the same mechanism the option
relies on for the backup pod). So skip the privileged init-projects container
in that mode and rely on fsGroup, rather than shipping a chown that can only
fail. Non-restricted behavior is unchanged.
Note: fsGroup is not applied to NFS-backed RWX volumes, so such a volume must
present a directory writable by the projects gid (many RWX provisioners create
the share root world-writable).1 parent f793f64 commit 2f1bada
2 files changed
Lines changed: 2 additions & 16 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
194 | 194 | | |
195 | 195 | | |
196 | 196 | | |
197 | | - | |
| 197 | + | |
198 | 198 | | |
199 | 199 | | |
200 | 200 | | |
201 | 201 | | |
202 | | - | |
203 | | - | |
204 | | - | |
205 | | - | |
206 | | - | |
207 | | - | |
208 | | - | |
209 | 202 | | |
210 | 203 | | |
211 | 204 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
138 | 138 | | |
139 | 139 | | |
140 | 140 | | |
141 | | - | |
| 141 | + | |
142 | 142 | | |
143 | 143 | | |
144 | 144 | | |
145 | 145 | | |
146 | | - | |
147 | | - | |
148 | | - | |
149 | | - | |
150 | | - | |
151 | | - | |
152 | | - | |
153 | 146 | | |
154 | 147 | | |
155 | 148 | | |
| |||
0 commit comments