sse-secure-systems / connaisseur

An admission controller that integrates Container Image Signature Verification into a Kubernetes cluster
https://sse-secure-systems.github.io/connaisseur/
Apache License 2.0

Redis logs have errors using the default values.yaml from application version 3.6.0 chart version 2.6.0 #1764

Open edison-vflow opened 2 hours ago

edison-vflow commented 2 hours ago

Describe the bug

After deploying Connaisseur application version 3.6.1 and chart version 2.6.1 on AWS EKS v1.30, the redis pod logs show errors:

```
123086:C 20 Sep 2024 15:28:25.062 # Failed opening the temp RDB file temp-123086.rdb (in server root dir /data) for saving: Permission denied
1:M 20 Sep 2024 15:28:25.163 # Background saving error
```

The full log looks something like this:

```
1:M 20 Sep 2024 15:32:43.073 * 1 changes in 3600 seconds. Saving...
1:M 20 Sep 2024 15:32:43.073 * Background saving started by pid 123439
123439:C 20 Sep 2024 15:32:43.074 # Failed opening the temp RDB file temp-123439.rdb (in server root dir /data) for saving: Permission denied
1:M 20 Sep 2024 15:32:43.174 # Background saving error
1:M 20 Sep 2024 15:32:45.488 . 6 clients connected (0 replicas), 1060744 bytes in use
1:M 20 Sep 2024 15:32:48.863 - Accepted 127.0.0.1:50826
1:M 20 Sep 2024 15:32:48.864 - Client closed connection id=18276 addr=127.0.0.1:50826 laddr=127.0.0.1:6380 fd=20 name= age=0 idle=0 flags=N db=0 sub=0
1:M 20 Sep 2024 15:32:48.894 - Accepted 127.0.0.1:50838
1:M 20 Sep 2024 15:32:48.896 - Client closed connection id=18277 addr=127.0.0.1:50838 laddr=127.0.0.1:6380 fd=20 name= age=0 idle=0 flags=N db=0 sub=0
1:M 20 Sep 2024 15:32:49.009 * 1 changes in 3600 seconds. Saving...
1:M 20 Sep 2024 15:32:49.010 * Background saving started by pid 123452
123452:C 20 Sep 2024 15:32:49.011 # Failed opening the temp RDB file temp-123452.rdb (in server root dir /data) for saving: Permission denied
1:M 20 Sep 2024 15:32:49.111 # Background saving error
1:M 20 Sep 2024 15:32:50.519 . 6 clients connected (0 replicas), 1060744 bytes in use
1:M 20 Sep 2024 15:32:55.056 * 1 changes in 3600 seconds. Saving...
1:M 20 Sep 2024 15:32:55.056 * Background saving started by pid 123453
123453:C 20 Sep 2024 15:32:55.057 # Failed opening the temp RDB file temp-123453.rdb (in server root dir /data) for saving: Permission denied
1:M 20 Sep 2024 15:32:55.157 # Background saving error
```

Expected behavior

  • This new version of Connaisseur uses redis caching. We were using chart version 2.0 application version 3.0.0 which did not have redis. The expectation is that for the new versions with redis, the logs will be clean without errors.

Optional: To reproduce

To reproduce, install Connaisseur application version 3.6.1 and chart version 2.6.1 on AWS EKS v1.30.

Optional: Versions (please complete the following information as relevant):

  • OS: Amazon Linux
  • Kubernetes Cluster: EKS 1.30
  • Notary Server:
  • Container registry: containerd
  • Connaisseur: chart 2.6.1 application 3.6.1
  • Other:

Optional: Additional context

  • Using the default values for Connaisseur application version 3.6.1 and chart version 2.6.1 results in the redis log errors.
  • To try to resolve the failure in the logs, `Failed opening the temp RDB file temp-123086.rdb (in server root dir /data) for saving: Permission denied`, we also tried adding the below to `values.yaml` in order for redis not to run under a restricted security context. This also didn't work:

```
redis:
  securityContext: {}
```

edison-vflow commented 2 hours ago

cc @phbelitz @chrysogonus