Local PV Hostpath with PodSecurity "baseline:latest" #3831

benjaminpreiss · 2025-01-14T00:57:46Z

benjaminpreiss
Jan 14, 2025

Hey everyone,

Wanted to ask if someone can help me with the minimum adjustments to make Local PV Hostpath work with PodSecurity "baseline:latest".

I am running talosctl v1.9.1 on darwin/arm64.

This is my helmfile:

# ./helmfile

environments:
    default:
        values:
            - ./rustic/values/backups.yaml
    production:
        values:
            - ./rustic/values/backups.yaml
---
# Repositories for Helm charts
repositories:
    - name: openebs
      url: https://openebs.github.io/openebs
    # community version of minio
    - name: minio
      url: https://charts.min.io/

releases:
    - name: openebs
      namespace: openebs
      chart: openebs/openebs
      version: ^4.1.2 # Specify the desired version of OpenEBS
      createNamespace: true
      wait: true
      set:
          - name: engines.replicated.mayastor.enabled
            value: false
    - name: minio-storage
      namespace: minio
      chart: "./minio-storage"
      version: "0.1.0" # Specify the desired version of OpenEBS
      createNamespace: true
      wait: true
    - name: minio
      namespace: minio
      chart: minio/minio
      wait: true
      version: ^5.4.0
      createNamespace: true
      values:
          - service:
                type: NodePort
          - resources:
                requests:
                    memory: 512Mi
          - replicas: 1
          - persistence:
                existingClaim: minio-local-pvc
          - mode: standalone
          - rootUser: rootuser
          - rootPassword: rootpass123

./minio-storage/Chart.yaml:

# ./minio-storage/Chart.yaml

apiVersion: v2
name: minio-storage
description: A helm chart for minio storage claim and class

# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application

# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.0

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "1.0.0"

./minio-storage/templates/pvc.yaml:

# ./minio-storage/templates/pvc.yaml

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
    name: minio-local-pvc
spec:
    accessModes:
        - ReadWriteOnce
    resources:
        requests:
            storage: 5Gi
    storageClassName: local-openebs-hostpath-minio

./minio-storage/templates/storage-class.yaml:

#./minio-storage/templates/storage-class.yaml

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
    name: local-openebs-hostpath-minio
    annotations:
        openebs.io/cas-type: local
        cas.openebs.io/config: |
            - name: StorageType
              value: hostpath
            - name: BasePath
              value: /var/local-openebs-hostpath/minio
provisioner: openebs.io/local
reclaimPolicy: Delete
volumeBindingMode: WaitForFirstConsumer

Seems that the persistent volume claim can't be provisioned due to baseline PodSecurity - kubectl describe pvc minio-local-pvc -n minio gives:

Name:          minio-local-pvc
Namespace:     minio
StorageClass:  local-openebs-hostpath-minio
Status:        Pending
Volume:        
Labels:        app.kubernetes.io/managed-by=Helm
Annotations:   meta.helm.sh/release-name: minio-storage
               meta.helm.sh/release-namespace: minio
               volume.beta.kubernetes.io/storage-provisioner: openebs.io/local
               volume.kubernetes.io/selected-node: talos-default-worker-1
               volume.kubernetes.io/storage-provisioner: openebs.io/local
Finalizers:    [kubernetes.io/pvc-protection]
Capacity:      
Access Modes:  
VolumeMode:    Filesystem
Used By:       minio-6c5f9bbcdc-txmxj
Events:
  Type     Reason                Age                  From                                                                                                Message
  ----     ------                ----                 ----                                                                                                -------
  Normal   WaitForFirstConsumer  61m                  persistentvolume-controller                                                                         waiting for first consumer to be created before binding
  Normal   ExternalProvisioning  57s (x122 over 61m)  persistentvolume-controller                                                                         Waiting for a volume to be created either by the external provisioner 'openebs.io/local' or manually by the system administrator. If volume creation is delayed, please verify that the provisioner is running and correctly registered.
  Normal   Provisioning          38s (x9 over 61m)    openebs.io/local_openebs-localpv-provisioner-7566df7679-b9lk7_9ac641ff-3707-4354-a52f-7de7f5239180  External provisioner is provisioning volume for claim "minio/minio-local-pvc"
  Warning  ProvisioningFailed    38s (x9 over 61m)    openebs.io/local_openebs-localpv-provisioner-7566df7679-b9lk7_9ac641ff-3707-4354-a52f-7de7f5239180  failed to provision volume with StorageClass "local-openebs-hostpath-minio": pods "init-pvc-712ef265-329a-4a90-9b86-04db61218f45" is forbidden: violates PodSecurity "baseline:latest": hostPath volumes (volumes "data", "dev"), privileged (container "local-path-init" must not set securityContext.privileged=true)