apache / apisix

The Cloud-Native API Gateway
https://apisix.apache.org/blog/
Apache License 2.0

help request: nginx.conf generated folder #11425

Open konsri opened 4 months ago

konsri commented 4 months ago

Description

When APISIX starts it creates a file nginx.conf inside /usr/local/apisix/conf. I want my filesystem to be read-only in a k8s pod. apisix start fails when the filesystem is read-only because it is trying to create nginx.conf. How do I specify a different folder other than /usr/local/apisix/conf for configuration files?

Environment

kayx23 commented 4 months ago

From anecdotal experiences with docs and deployment of APISIX in K8s pods, the recommended way is to provision the right privilege for APISIX. I have not seen the practice of specifying a different folder for the said files.

juzhiyuan commented 4 months ago

@konsri I have encountered the same error when running APISIX on OpenShift with strict policies. Unfortunately, we have to allow proper permissions to run APISIX. And there has yet to be a plan to change this issue.

There is one doc on running API7 Gateway inside OpenShift; I think this applies to APISIX as well, refer to https://docs.api7.ai/enterprise/deployment/kubernetes#configure-scc-for-api7-gateway

shreemaan-abhishek commented 3 months ago

Maybe we could make this variable configurable.

https://github.com/shreemaan-abhishek/apisix/blob/507df1262de88c4ed3ee8a637de46c4f4d2412f8/apisix/cli/apisix.lua#L26

But this can be very risky as it could uncover unexpected bugs/failures.

Feelas commented 3 weeks ago

On OpenShift, this doesn't necessarily look like an issue with the SCC with randomized UIDs; it is caused by /usr/local/apisix/conf/ being owned by the apisix user (UID 636) instead of following the OCP known best practice of assigning group "0" ownership in that case, see the "Creating images" OCP docs -> "Support arbitrary user ids" section.

This is a separate issue to me.

If /usr/local/apisix/conf/ is owned by apisix:apisix, the nonroot-v2 policy (mentioned by @juzhiyuan) won't be enough to make it work; anyuid plus specifying the hardcoded UID 636 would probably make it work, I believe? I put my observations in #11714.
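The two problems raised in this thread, a read-only root filesystem rejecting the nginx.conf write (first post) and an OpenShift-assigned arbitrary UID that does not own /usr/local/apisix/conf/ (last comment), can both be worked around at the pod level without changing the hardcoded path. The manifest below is an added example written for this discussion; it is not code from the issue or from the APISIX project. It assumes the apache/apisix image, that nginx.conf is written to /usr/local/apisix/conf and logs and the pid file to /usr/local/apisix/logs, and that the files shipped in the image's conf/ directory (config-default.yaml, mime.types and so on) must still be present at runtime. The standalone config.yaml and apisix.yaml contents are constructed for the example.

```yaml
# Added example (not from the issue or the APISIX project). Idea: keep the
# container's root filesystem read-only and hand APISIX pod-scoped emptyDir
# volumes for the paths it writes at startup. An emptyDir is created
# world-writable by the kubelet, so it does not matter which UID the SCC
# assigns, and the image's conf/ ownership (UID 636) no longer applies.
apiVersion: v1
kind: ConfigMap
metadata:
  name: apisix-config
data:
  # Constructed minimal standalone configuration (assumption: APISIX 3.x
  # layout with deployment.role_data_plane.config_provider: yaml).
  config.yaml: |
    deployment:
      role: data_plane
      role_data_plane:
        config_provider: yaml
    apisix:
      node_listen: 9080
  apisix.yaml: |
    routes:
      - uri: /hello
        upstream:
          type: roundrobin
          nodes:
            "127.0.0.1:1980": 1
    #END
---
apiVersion: v1
kind: Pod
metadata:
  name: apisix
spec:
  initContainers:
    # Mounting an emptyDir over /usr/local/apisix/conf hides the files the
    # image ships there, so seed the writable volume from the image first.
    - name: seed-conf
      image: apache/apisix
      command: ["sh", "-c", "cp -a /usr/local/apisix/conf/. /conf/"]
      volumeMounts:
        - name: conf
          mountPath: /conf
  containers:
    - name: apisix
      image: apache/apisix
      # No runAsUser here on purpose: on OpenShift the restricted SCC picks an
      # arbitrary UID from the namespace range; on plain Kubernetes set
      # runAsUser to a non-root UID if your policy requires it.
      securityContext:
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      ports:
        - containerPort: 9080
      volumeMounts:
        # Writable conf/ (seeded above); nginx.conf is generated in here.
        - name: conf
          mountPath: /usr/local/apisix/conf
        # User configuration layered on top of the seeded conf/ via subPath.
        - name: user-config
          mountPath: /usr/local/apisix/conf/config.yaml
          subPath: config.yaml
        - name: user-config
          mountPath: /usr/local/apisix/conf/apisix.yaml
          subPath: apisix.yaml
        # Writable logs/ for access/error logs and the nginx pid file.
        - name: logs
          mountPath: /usr/local/apisix/logs
  volumes:
    - name: conf
      emptyDir: {}
    - name: logs
      emptyDir: {}
    - name: user-config
      configMap:
        name: apisix-config
```

Two caveats for anyone trying this. First, the issue only establishes that conf/nginx.conf is written at startup; if `apisix start` reports another read-only path (for example nginx temp directories compiled into OpenResty), give it the same emptyDir treatment rather than relaxing readOnlyRootFilesystem. Second, subPath mounts do not pick up later ConfigMap changes, so a config update needs a pod restart, which is the usual trade-off for pinning individual files over a writable directory.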