pducharme / UniFi-Video-Controller

Docker for Unifi-Video Controller (Ubiquiti Networks)

getting tmpfs mount read only errors despite trying to fix it #96

Closed evanrich closed 6 years ago

evanrich commented 6 years ago

I am running into this

tmpfs mount error

mount: tmpfs is write-protected, mounting read-only
mount: cannot mount tmpfs read-only

If you get this tmpfs mount error, add --security-opt apparmor:unconfined \ to your list of run options. This error has been seen on Ubuntu, but may occur on other platforms as well.

My deployment file:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: unifi-video
  annotations:
    container.apparmor.security.beta.kubernetes.io/unifi-video: "unconfined"
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: unifi-video
    spec:
      hostname: unifi-video
      nodeSelector:
        kubernetes.io/hostname: mira-b.home
      volumes:
      - name: dockerdata
        persistentVolumeClaim:
          claimName: dockerdata-nas
      - name: cameradata
        persistentVolumeClaim:
          claimName: cameras-nas
      containers:
      - name: unifi-video
        image: pducharme/unifi-video-controller:3.9.7
        securityContext:
          capabilities:
            add:
              - SYS_ADMIN
              - DAC_READ_SEARCH
        volumeMounts:
        - name: dockerdata
          subPath: unifi-video
          mountPath: /var/lib/unifi-video
        - name: cameradata
          mountPath: /nfs/cameras
        env:
        - name: PUID
          value: '1001'
        - name: PGID
          value: '1001'
        - name: TZ
          value: 'America/Los_Angeles'
        - name: DEBUG
          value: '1'
        ports:
        - name: ems-liveflv
          containerPort: 6666
        - name: ems-rtmp
          containerPort: 1935
        - name: uvcmicro-talk
          containerPort: 7004
          protocol: UDP
        - name: app-http
          containerPort: 7080
        - name: camera-mgmt
          containerPort: 7442
        - name: app-https
          containerPort: 7443
        - name: nvr-client
          containerPort: 7444
        - name: ems-livews
          containerPort: 7445
        - name: ems-livewss
          containerPort: 7446
        - name: ems-rtsp
          containerPort: 7447
        - name: video-discovery
          containerPort: 10001
          protocol: UDP
        readinessProbe:
          tcpSocket:
            port: app-https
          initialDelaySeconds: 20
          periodSeconds: 10
        livenessProbe:
          tcpSocket:
            port: app-https
          initialDelaySeconds: 40
          periodSeconds: 20

Despite all of this, I continually get a tmpfs read-only error. Someone else had a Kubernetes deployment but never resolved their issue. Would really love to figure this out.

evanrich commented 6 years ago

Solved by way of the Kubernetes team. Annotations need to go under template, not metadata, so something like this:

metadata:
  name: unifi-video
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: unifi-video
      annotations:
        container.apparmor.security.beta.kubernetes.io/unifi-video: unconfined
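
As an added example (not part of the original thread or the project's code): a small Python check that reports where an AppArmor annotation sits in a parsed Deployment and which capabilities the container it unconfines also adds. It assumes the manifest is already loaded into a dict (for instance by a YAML parser); `apparmor_findings`, `manifest` and the finding codes are names made up for this illustration.

```python
PREFIX = "container.apparmor.security.beta.kubernetes.io/"

def apparmor_findings(deployment):
    """Return (code, container, added_caps) findings for one parsed Deployment."""
    findings = []
    template = deployment.get("spec", {}).get("template", {})
    containers = {c["name"]: c for c in template.get("spec", {}).get("containers", [])}
    top = deployment.get("metadata", {}).get("annotations") or {}
    pod = template.get("metadata", {}).get("annotations") or {}

    # Annotations on the Deployment object itself are not copied to its pods,
    # so an AppArmor key here changes nothing at runtime.
    for key in top:
        if key.startswith(PREFIX):
            findings.append(("misplaced", key[len(PREFIX):], []))

    for key, value in pod.items():
        if not key.startswith(PREFIX):
            continue
        name = key[len(PREFIX):]
        if name not in containers:
            # The suffix after the prefix must be a container name in the template.
            findings.append(("unknown-container", name, []))
        elif value == "unconfined":
            # Report what else the now-unconfined container is granted.
            caps = (containers[name].get("securityContext", {})
                    .get("capabilities", {}).get("add", []))
            findings.append(("unconfined", name, sorted(caps)))
    return findings

# Constructed from the two manifests in the thread, trimmed to the relevant fields.
def manifest(top_annotations, pod_annotations):
    return {
        "kind": "Deployment",
        "metadata": {"name": "unifi-video", "annotations": top_annotations},
        "spec": {"template": {
            "metadata": {"labels": {"app": "unifi-video"}, "annotations": pod_annotations},
            "spec": {"containers": [{
                "name": "unifi-video",
                "securityContext": {"capabilities": {"add": ["SYS_ADMIN", "DAC_READ_SEARCH"]}},
            }]},
        }},
    }

KEY = PREFIX + "unifi-video"
BEFORE = manifest({KEY: "unconfined"}, {})   # annotation on the Deployment
AFTER = manifest({}, {KEY: "unconfined"})    # annotation on the pod template

if __name__ == "__main__":
    for label, m in (("before", BEFORE), ("after", AFTER)):
        print(label, apparmor_findings(m))
```

The "after" finding is the state worth reviewing: the container runs with no AppArmor profile while also holding SYS_ADMIN and DAC_READ_SEARCH.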