fsGroup unsettable in juju k8s

Bug #1909153 reported by Tom Barber
This bug affects 1 person
Affects: Canonical Juju
Status: Invalid
Importance: High
Assigned to: Unassigned
Milestone: none

Bug Description

As discussed here: https://discourse.charmhub.io/t/pvc-write-permissions/3950

It appears that we can't set the fsGroup at the correct level to allow write permissions for non-root containers on Kubernetes deployments with slightly more restrictive PVC implementations.

        spec = {
            "version": 3,
            "kubernetesResources":{
                "pod":{
                    "securityContext":{
                        "fsGroup": 1001,
                        "runAsUser": 1001,
                        "runAsGroup":1001,
                    }
                }
            },
            "containers": [
                {
                    "name": self.app.name,
                    "imageDetails": image_details,
                    "imagePullPolicy": "Always",
                    "ports": ports,
                },
            ],
        }

Settings like this securityContext should end up in the pods but do not get set, and so we can't write to the PVCs using non-root containers.

Tom Barber (spicule)
description: updated
Pen Gale (pengale) wrote :

Confirming and dropping into the 3.0.0 milestone, as part of the work we're doing to support more k8s substrates this cycle.

Changed in juju:
status: New → Triaged
importance: Undecided → High
milestone: none → 3.0.0
Ian Booth (wallyworld) wrote :

As per discussion here

https://discourse.charmhub.io/t/pvc-write-permissions/3950/17

I have tried to reproduce with a hacked up mariadb-k8s charm and things appear to be as expected.
Is there a charm that can be shared to reproduce the issue?

Changed in juju:
milestone: 3.0.0 → 2.8.8
status: Triaged → Incomplete
Tom Barber (spicule) wrote :

https://gitlab.com/spiculedata/juju/solr-k8s-charm/-/blob/master/src/charm.py#L73-90

The charm's here, as pointed out in the forum post. I re-tested it; outside of commenting out some dodgy test code, nothing has changed, but the same error persists.

Could be me, but I can't see anything obvious.

juju model version 2.8.7

Ian Booth (wallyworld) wrote :

As per https://discourse.charmhub.io/t/pvc-write-permissions/3950/22 the issue was with the pod spec being sent in not quite being structured correctly.

Changed in juju:
status: Incomplete → Invalid
milestone: 2.8.8 → none
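
One way to confirm whether the securityContext from the bug description reached the running pod, as an added example that is not part of the original report or the Juju code base. It assumes the pod has been exported with `kubectl get pod NAME -o json` and parsed into a dict; the function name and both sample pods are constructed for illustration.

```python
# Added example. The value 1001 comes from the spec in the bug description;
# the sample pods below are constructed, not captured from a cluster.
EXPECTED = {"fsGroup": 1001, "runAsUser": 1001, "runAsGroup": 1001}


def check_pod_security_context(pod, expected=EXPECTED):
    """Compare a Pod object (dict parsed from `kubectl get pod NAME -o json`)
    with the expected pod-level securityContext. Returns a list of findings;
    an empty list means the settings reached the pod."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    pvcs = [v["name"] for v in spec.get("volumes", [])
            if "persistentVolumeClaim" in v]
    findings = []
    for key, want in expected.items():
        got = pod_sc.get(key)
        if got != want:
            state = "not set" if got is None else f"set to {got}"
            findings.append(f"pod securityContext.{key} {state}, expected {want}")
    if pod_sc.get("fsGroup") != expected.get("fsGroup") and pvcs:
        findings.append("fsGroup not applied to PVC volumes: " + ", ".join(pvcs))
    # Container-level runAsUser/runAsGroup take precedence over the pod level;
    # fsGroup exists only at the pod level.
    for c in spec.get("containers", []):
        c_sc = c.get("securityContext") or {}
        for key in ("runAsUser", "runAsGroup"):
            if key in expected and key in c_sc and c_sc[key] != expected[key]:
                findings.append(
                    f"container {c.get('name')} overrides {key} with {c_sc[key]}")
    return findings


# Constructed pod where the securityContext never arrived (the reported symptom).
POD_MISSING = {"spec": {
    "securityContext": {},
    "volumes": [{"name": "data", "persistentVolumeClaim": {"claimName": "data-0"}}],
    "containers": [{"name": "solr"}]}}

# Constructed pod with the settings applied, but one container overriding the user.
POD_OVERRIDE = {"spec": {
    "securityContext": dict(EXPECTED),
    "volumes": [{"name": "data", "persistentVolumeClaim": {"claimName": "data-0"}}],
    "containers": [{"name": "solr", "securityContext": {"runAsUser": 0}}]}}

if __name__ == "__main__":
    for name, pod in (("missing", POD_MISSING), ("override", POD_OVERRIDE)):
        print(name, check_pod_security_context(pod))
```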