Add an initContainer to the nginx-php-persistent deployment
This initContainer ensures RWX storage has permissions compatible
with the pod securityContext.

This will:

1. Match the permissions set by all the above StorageClass drivers on the root of the volume.
2. Give the new non-root pod `securityContext` `g+rw` access to all files, and `g+x` on directories.
smlx committed Feb 5, 2021
1 parent 679f2dd commit c59d994
Showing 1 changed file with 23 additions and 0 deletions.
@@ -34,6 +34,29 @@ spec:
enableServiceLinks: false
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
# This initContainer sets permissions on the RWX storage compatible with
# the pod securityContext.
initContainers:
- command:
- sh
- -c
- |
set -e
SENTINEL="/storage/.lagoon-rootless-migration-complete"
if ! [ -f "$SENTINEL" ]; then
find /storage -mindepth 1 -exec chgrp $(stat -c "%g" /storage) {} +
find /storage -mindepth 1 -exec chmod g+rw {} +
find /storage -mindepth 1 -type d -exec chmod g+x {} +
fi
touch "$SENTINEL"
image: busybox:musl
imagePullPolicy: IfNotPresent
name: fix-storage-permissions
securityContext:
runAsUser: 0
volumeMounts:
- mountPath: /storage
name: {{ include "nginx-php-persistent.persistentStorageName" . }}
containers:
- image: {{ .Values.images.nginx | quote }}
name: "nginx"
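
Review bot: The `fix-storage-permissions` initContainer sets only `runAsUser: 0` in its `securityContext` and uses the mutable tag `busybox:musl` with `imagePullPolicy: IfNotPresent`, so whatever that tag resolves to on a given node runs as root, with the runtime's default capability set, against the persistent volume. Consider pinning the image by digest and tightening the context with `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]`, adding back only what the chgrp/chmod pass needs (likely CHOWN, FOWNER and DAC_OVERRIDE). Also, in the three `find ... -exec` lines, symlinks under /storage are handed to chgrp and chmod, which act on the link target rather than the link; adding `! -type l` to each find would keep the changes to entries that actually live on the volume.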
