summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorBruno Sakoto <bruno.sakoto@bell.ca>2021-09-15 18:30:20 -0400
committerBruno Sakoto <bruno.sakoto@bell.ca>2021-09-30 22:57:24 -0400
commitd0fa8cf57eaac53f723c0ca8399f58b55655ea6f (patch)
treecda6deb2e774ae1f65b7b667b8456ae3d27e3dd4
parenta001a61bdd6430027b39281f9d79366e837c7494 (diff)
[COMMON] Run timescale with postgres user
Timescale container is ran with postgres user and group which are defined with uid 70 and gid 70. Data volume owner is changed for postgres. See also: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ Issue-ID: CPS-667 Signed-off-by: Bruno Sakoto <bruno.sakoto@bell.ca> Change-Id: Ia87922ba68bb47a7a07aaf61f368143d970278b6
-rw-r--r--kubernetes/common/timescaledb/templates/statefulset.yaml12
-rw-r--r--kubernetes/common/timescaledb/values.yaml6
2 files changed, 16 insertions, 2 deletions
diff --git a/kubernetes/common/timescaledb/templates/statefulset.yaml b/kubernetes/common/timescaledb/templates/statefulset.yaml
index 9b63de434d..435c925eb2 100644
--- a/kubernetes/common/timescaledb/templates/statefulset.yaml
+++ b/kubernetes/common/timescaledb/templates/statefulset.yaml
@@ -31,6 +31,18 @@ spec:
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . ) }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
+ initContainers:
+ - name: chowm-mount-path
+ command:
+ - /bin/sh
+ args:
+ - -c
+ - chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.runAsGroup }} /var/lib/postgresql/data
+ image: {{ include "repositoryGenerator.image.busybox" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ volumeMounts:
+ - mountPath: /var/lib/postgresql/data
+ name: {{ include "common.fullname" . }}
containers:
- name: {{ include "common.name" . }}
image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }}
diff --git a/kubernetes/common/timescaledb/values.yaml b/kubernetes/common/timescaledb/values.yaml
index b6d2face3a..55acd92847 100644
--- a/kubernetes/common/timescaledb/values.yaml
+++ b/kubernetes/common/timescaledb/values.yaml
@@ -40,13 +40,15 @@ serviceAccount:
podSecurityContext: {}
# fsGroup: 2000
-securityContext: {}
+securityContext:
+ # Uid and gid to run the entrypoint of the container process (uid 70 is postgres user and gid 70 is postgres group)
+ runAsUser: 70
+ runAsGroup: 70
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
- # runAsUser: 1000
resources:
# We usually recommend not to specify default resources and to leave this as a conscious