Closed yotles closed 1 year ago
Hi @yotles
Try this:
```yaml
apiVersion: databases.spotahome.com/v1
kind: RedisFailover
metadata:
  name: redisfailover-cache
spec:
  redis:
    exporter:
      enabled: true
      containerSecurityContext:
        runAsUser: 1000670001
        runAsGroup: 1000670001
    securityContext:
      runAsUser: 1000670001
    containerSecurityContext:
      runAsUser: 1000670001
      runAsGroup: 1000670001
  sentinel:
    securityContext:
      runAsUser: 1000670001
    containerSecurityContext:
      runAsUser: 1000670001
      runAsGroup: 1000670001
    configCopy:
      containerSecurityContext:
        runAsUser: 1000670001
        runAsGroup: 1000670001
    exporter:
      enabled: true
      containerSecurityContext:
        runAsUser: 1000670001
        runAsGroup: 1000670001
```
I had to review the operator code and CRD to get it working in OpenShift.
HTH
@cfmanteiga Thank you for the feedback, this is exactly what I was looking for. My fault that I did not find the option to use configCopy to redefine the SecurityContext for the initContainer. As UIDs in OpenShift are random, and whenever you create a namespace a new "uid-range" will be allocated, in this case it is easier to let OpenShift take care of the correct UID on its own. Also, the GID is selected for root. So the final config can look like this:
```yaml
apiVersion: databases.spotahome.com/v1
kind: RedisFailover
metadata:
  name: redisfailover-cache
spec:
  redis:
    exporter:
      enabled: true
      containerSecurityContext:
        runAsUser: null
    securityContext:
      runAsUser: null
    containerSecurityContext:
      runAsUser: null
  sentinel:
    securityContext:
      runAsUser: null
    containerSecurityContext:
      runAsUser: null
    configCopy:
      containerSecurityContext:
        runAsUser: null
    exporter:
      enabled: true
      containerSecurityContext:
        runAsUser: null
```
Way better, should work too.
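The difference between the two manifests above, as an added example that is not part of the thread or of the operator's code: a static check that walks the security contexts of a RedisFailover spec and reports any pinned `runAsUser` outside a namespace's UID range, plus any context left unset. The helper names and the range strings are assumptions; the ranges are constructed values in the `start/size` form of the `openshift.io/sa.scc.uid-range` namespace annotation.

```python
# Added example: audit a RedisFailover spec against a namespace UID range.
# Range strings are constructed; they mimic openshift.io/sa.scc.uid-range.

# Security contexts set in the thread's manifests, relative to spec.
CONTEXT_PATHS = [
    "redis.securityContext", "redis.containerSecurityContext",
    "redis.exporter.containerSecurityContext",
    "sentinel.securityContext", "sentinel.containerSecurityContext",
    "sentinel.configCopy.containerSecurityContext",  # the initContainer
    "sentinel.exporter.containerSecurityContext",
]
MISSING = object()

def parse_uid_range(annotation):
    start, size = (int(part) for part in annotation.split("/"))
    return range(start, start + size)

def lookup(spec, dotted):
    node = spec
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return MISSING
        node = node[key]
    return node

def audit(spec, uid_range):
    """Return findings; an empty list means nothing conflicts with the range."""
    allowed = parse_uid_range(uid_range)
    findings = []
    for path in CONTEXT_PATHS:
        ctx = lookup(spec, path)
        if ctx is MISSING:
            findings.append(f"spec.{path}: not set, operator default applies")
            continue
        uid = (ctx or {}).get("runAsUser")  # None/null: left to OpenShift
        if uid is not None and uid not in allowed:
            findings.append(f"spec.{path}.runAsUser={uid} outside {uid_range}")
    return findings

def build_spec(uid, config_copy=True):
    """Constructed spec shaped like the manifests in the thread."""
    ctx = lambda: {"runAsUser": uid}
    exporter = lambda: {"enabled": True, "containerSecurityContext": ctx()}
    spec = {name: {"securityContext": ctx(), "containerSecurityContext": ctx(),
                   "exporter": exporter()} for name in ("redis", "sentinel")}
    if config_copy:
        spec["sentinel"]["configCopy"] = {"containerSecurityContext": ctx()}
    return spec
```

The pinned-UID manifest only passes for the namespace whose range contains 1000670001, while the `null` variant passes for any range as long as `configCopy` is present.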
This issue is stale because it has been open for 45 days with no activity.
This issue was closed because it has been inactive for 14 days since being marked as stale.
Creating a redisfailover on OpenShift with default Security Context Constraints using this operator doesn't seem to work. It seems that this is due to the runAsUser and runAsGroup parameters in the securityContext for the initContainer in deployment rfs-redisfailover. As mentioned in the README, I can pass securityContext and containerSecurityContext with an empty object for sentinel and redis and it works as expected. But the initContainer is still generated with the default securityContext:
And this leads to such errors:
So is it possible to add overwriting of securityContext and containerSecurityContext for the default initContainer too?
Thanks in advance.