From 1867b851101409f140aaa62e940f87cd9f0e4f0a Mon Sep 17 00:00:00 2001
From: Aaron Spettl
Date: Fri, 1 May 2020 12:03:54 +0200
Subject: [PATCH] Set securityContext for deployer and ui

When pod security policies are used, the default restricted policy does not allow root permissions. Even when a more permissive policy is assigned to the service account, we need to inform k8s that we need root permissions so that the correct policy can be selected.

Signed-off-by: Aaron Spettl
---
 chart/templates/deployment-driver.yaml | 2 ++
 chart/templates/deployment-ui.yaml | 2 ++
 deploy/longhorn.yaml | 4 ++++
 3 files changed, 8 insertions(+)

diff --git a/chart/templates/deployment-driver.yaml b/chart/templates/deployment-driver.yaml
index 68e52b1..5a8382d 100644
--- a/chart/templates/deployment-driver.yaml
+++ b/chart/templates/deployment-driver.yaml
@@ -79,3 +79,5 @@ spec:
 - name: {{ .Values.defaultSettings.registrySecret }}
 {{- end }}
 serviceAccountName: longhorn-service-account
+ securityContext:
+ runAsUser: 0
diff --git a/chart/templates/deployment-ui.yaml b/chart/templates/deployment-ui.yaml
index 830e966..385cd98 100644
--- a/chart/templates/deployment-ui.yaml
+++ b/chart/templates/deployment-ui.yaml
@@ -19,6 +19,8 @@ spec:
 - name: longhorn-ui
 image: "{{ .Values.image.longhorn.ui }}:{{ .Values.image.longhorn.uiTag }}"
 imagePullPolicy: Always
+ securityContext:
+ runAsUser: 0
 ports:
 - containerPort: 8000
 name: http
diff --git a/deploy/longhorn.yaml b/deploy/longhorn.yaml
index 4ed2f20..5562f01 100644
--- a/deploy/longhorn.yaml
+++ b/deploy/longhorn.yaml
@@ -348,6 +348,8 @@ spec:
 - name: longhorn-ui
 image: longhornio/longhorn-ui:v0.8.1
 imagePullPolicy: Always
+ securityContext:
+ runAsUser: 0
 ports:
 - containerPort: 8000
 name: http
@@ -439,6 +441,8 @@ spec:
 #imagePullSecrets:
 #- name:
 serviceAccountName: longhorn-service-account
+ securityContext:
+ runAsUser: 0
 ---
 kind: StorageClass
 apiVersion: storage.k8s.io/v1
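Review bot: In chart/templates/deployment-driver.yaml the added `securityContext:` / `runAsUser: 0` follows `serviceAccountName`, which suggests it sits at pod level and therefore applies to every container and init container of the deployer pod, whereas the UI hunks set it on a single container; the `@@ -439,6 +441,8 @@` hunk in deploy/longhorn.yaml has the same shape. Indentation is not recoverable on this page, so the placement should be confirmed against the file. The manifest itself gives no reason for UID 0, and the commit message only explains policy selection, so a comment above the block such as `# root required for <reason>; selects a PSP that permits runAsUser 0` (placeholder reason) would keep the setting from being copied or removed blindly. If only one container in the pod needs root, moving the setting into that container's own `securityContext` would keep the others on the image default.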
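Review bot: The `longhorn-ui` container in chart/templates/deployment-ui.yaml is pinned to `runAsUser: 0` with nothing else in the new `securityContext`, so the container that serves HTTP on port 8000 runs as root with the runtime's default capability set; the `@@ -348,6 +348,8 @@` hunk in deploy/longhorn.yaml adds the same two lines. Port 8000 is not a privileged port, so the need for root is not evident from the hunk; if it comes from file ownership or paths inside the image, fixing that there and running a non-root UID would be the smaller exposure. If root has to stay, the same block could narrow it with `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}`, adding back only what the UI turns out to need, which has to be tested against the image. The value is also hard-coded in the chart template rather than read from `.Values`, so operators cannot tighten it without editing the template. The container spec continues outside the hunk.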