Details
-
Improvement
-
Resolution: Fixed
-
Critical
-
2.0.0, 2.0.1
-
35: Metering, Bugs, Etc., 37: Hibernation, Backup, Prom.
-
3
Description
A user may wish to configure their Couchbase Server pods to run as a specific user using a security context, which is how you also define the fsgroup.
We allow users to specify this as part of https://docs.couchbase.com/operator/2.0/reference-couchbasecluster.html#spec-securitycontext which is passed directly down to the underlying Couchbase Server pods when creating in Kubernetes.
There is not a way to specify the same security context for the backup job pods, as we only extract the fsgroup - https://github.com/couchbase/couchbase-operator/blob/9f6a53fa2c83ebc9669168fd1692ec479be0b89a/pkg/cluster/backup.go#L187-L189.
This prevents deployment of the backup jobs in environments where runAsNonRoot is enforced (most secure environments) through pod security policies (https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups), due to the following error:
Error: container has runAsNonRoot and image has non-numeric user (couchbase), cannot verify user is non-root
|
Being able to specify the UID of 1000 in the pod security context for the backup would fix that issue.
Attachments
| For Gerrit Dashboard: K8S-1541 | ||||||
|---|---|---|---|---|---|---|
| # | Subject | Branch | Project | Status | CR | V |
| 135984,14 | K8S-1541: Allow Backup Security Context | master | couchbase-operator | Status: MERGED | +2 | +1 |