Open vkukk opened 2 months ago
Apparently, fsGroup should be enabled according to the redis controller code here https://github.com/pulp/pulp-operator/blob/26ac1d96aa977a426e27b05cb2a8251106561b60/controllers/repo_manager/redis.go#L367
When checking actual Pod config:
$ kubectl -n pulp get pod/pulp-redis-6c86f8467-nwrbz -o json| jq -r '.spec.securityContext'
{
  "runAsGroup": 999,
  "runAsUser": 999
}
$ kubectl -n pulp get pod/pulp-redis-6c86f8467-nwrbz -o json| jq -r '.spec.containers.[0].securityContext'
{
  "allowPrivilegeEscalation": false,
  "capabilities": {
    "drop": [
      "ALL"
    ]
  },
  "runAsNonRoot": true,
  "seccompProfile": {
    "type": "RuntimeDefault"
  }
}
So fsGroup defined here https://github.com/pulp/pulp-operator/blob/26ac1d96aa977a426e27b05cb2a8251106561b60/controllers/repo_manager/redis.go#L337 does not get into actual Kubernetes deployment.
Need to look into why User 999 is not allowed to write in the volume for the Redis image.
Version
image: quay.io/pulp/pulp-operator:v1.0.0-beta.5 default pulp images.

Describe the bug
After enabling cache, pulp-content fails with 500.
The cache pod is failing due to insufficient privileges when writing to volume.
To enable Redis user 999 with group 999 to save on mounted storage, pod must have securityContext.fsGroup with value 999. When I'm trying to enable this by editing Pulp CR:

To Reproduce
set Pulp CR:
kubectl apply -f pulp.yaml
strict decoding error: unknown field "spec.cache.securityContext"

Expected behavior
proper securityContext is applied and Redis is able to save RDB file.
Additional context OVH Managed Kubernetes 1.30.2
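
An added example, not part of the issue or the operator's code: a Python check over `kubectl get pod -o json` output that flags writable PVC mounts used by a non-root UID when the pod sets no `fsGroup`, which is the condition reported above. The container name, volume, claim name and mount path in the sample manifest are constructed.

```python
import copy
import json

# Constructed pod manifest. The securityContext values mirror the kubectl
# output in the issue; container name, volume, claim and mount path are
# hypothetical.
POD = json.loads("""
{
  "spec": {
    "securityContext": {"runAsGroup": 999, "runAsUser": 999},
    "containers": [{
      "name": "redis",
      "securityContext": {"runAsNonRoot": true},
      "volumeMounts": [{"name": "redis-data", "mountPath": "/data"}]
    }],
    "volumes": [{"name": "redis-data",
                 "persistentVolumeClaim": {"claimName": "example-redis-data"}}]
  }
}
""")


def missing_fsgroup(pod):
    """Return (container, mountPath, uid) for each writable PVC mount used by
    a non-root UID in a pod that sets no fsGroup."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext") or {}
    if pod_sc.get("fsGroup") is not None:
        return []
    pvc_names = {v["name"] for v in spec.get("volumes", [])
                 if "persistentVolumeClaim" in v}
    findings = []
    for c in spec.get("containers", []):
        # A container-level runAsUser overrides the pod-level value.
        uid = (c.get("securityContext") or {}).get("runAsUser", pod_sc.get("runAsUser"))
        if uid in (None, 0):
            continue  # UID comes from the image, or root: not judged here
        for m in c.get("volumeMounts", []):
            if m["name"] in pvc_names and not m.get("readOnly", False):
                findings.append((c["name"], m["mountPath"], uid))
    return findings


def with_fsgroup(pod, gid):
    """Return a copy of the pod with spec.securityContext.fsGroup set."""
    fixed = copy.deepcopy(pod)
    fixed["spec"].setdefault("securityContext", {})["fsGroup"] = gid
    return fixed


if __name__ == "__main__":
    print(missing_fsgroup(POD))
    print(missing_fsgroup(with_fsgroup(POD, 999)))
```

The check only inspects the pod spec; whether the storage driver behind the claim actually applies `fsGroup` ownership is outside what it can see.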