Closed legal90 closed 1 year ago
Hi @legal90, Thanks a lot for this PR, it looks very nice and exciting. I'll try to have a look at it as soon as possible.
Due to that I'm bumping the minor version of the chart to 0.2.0.
You're absolutely right, as you can see, we haven't always used versioning as it should have been... That is perfect to go to the 0.2
bors merge
Build succeeded:
This message is sent automatically
Thank you very much for submitting your PR! Did you know that throughout the month of June we’re holding a rafle? If you share the link to your merged PR in our #giveaway Discord channel, you’ll automatically join a lottery for a chance at winning some Meiliswag. 🙂 Don’t hesitate to join us: https://discord.com/channels/1006923006964154428/1111273670657200198
Pull Request
Related issue
This PR was created in the continuation to our discussion here: https://github.com/meilisearch/meilisearch-kubernetes/pull/176#discussion_r1222197366
What does this PR do?
That PR changes the default behaviour of the chart so it runs meilisearch under a non-root user, following the principal of least permissions and improve the security posture:
Enable
securityContext.readOnlyRootFilesystem: true
by default and mount required writable points:/tmp
asemptyDir: {}
[1]/meili_data
asemptyDir: {}
by default, or as a PVC ifpersistence.enabled: true
Default values
fsGroup: 1000
andfsGroupChangePolicy: OnRootMismatch
allow to keep backward compatibility with existing installations. If the data volume already has files previously created and owned by root (e.q.persistence.enabled: true
), then k8s will automatically change the group ownership of these files to 1000, so they will still be writable by the non-privileged user in this new chart version. That happens automatically - no user action is needed. [2]Small chance of backward incompatibility for some users: those users who already have
/tmp
mount configured viavolumes
andvolumeMounts
values, might get a failure in upgrade to this new version, because this volume is now declared in the template by default. The fix is simple - just remove the definition of /tmp from your custom values.Due to that I'm bumping the minor version of the chart to 0.2.0. Please let me know if you think we should update it differently.
Links
[1] https://kubernetes.io/docs/concepts/storage/volumes/#emptydir [2] https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods
PR checklist
Please check if your PR fulfills the following requirements: