Don't run restoreagent as root #139
Comments
|
We have the same issue when we try to run the operator - not only the restoreagent - as a non-root user, we can not set the security context (runAsUser,fsGroup) for the replicaSet. I had a quick at the source code and seems like it's doable to implement it. @JamesLaverack as you are part of improbable-eng Are there plans at improbable-eng to correct it? |
|
Hi @stafwag-idirect. To clarify, I'm not a member of Improbable but I am one of the authors of this operator. I can't speak to Improbable's ongoing intent. @adamhosier and @cheahjs might have more insight there. We don't have any particular SLA on responding to comments and pull requests, but I can take a look at this when I get chance. I agree that it should be pretty straightforward to implement though. :) |
Currently the restoreagent executes as root in a pod. The etcd pod, which runs as root, expects the data directory to be owned by
root:root. So the restore agent must be able to write to the PVC asroot:root.Ideally Kubernetes features such as
fsGroupshould be used to remove this requirement and run the restore agent asnonroot.The text was updated successfully, but these errors were encountered: