Add securityContext at spec level #111

Closed
pidge-raman opened this issue May 7, 2024 · 1 comment · Fixed by #141

Comments

@pidge-raman

When mounting extra volumes for plugins or the h2 database volume, in order to make sure that metabase has permission to access these volumes, we need to set a security context with fsGroup, with the respective group for the metabase user, which we can set using environment variables like MUID and MGID.

Sample Deployment YAML

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: metabase
    app.kubernetes.io/instance: metabase
    chart: metabase-2.14.4
    heritage: Helm
    release: metabase
  name: metabase
  namespace: metabase
spec:
  replicas: 1
  selector:
    matchLabels:
      app: metabase
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: metabase
        release: metabase
    spec:
      containers:
        - env:
            - name: MB_JETTY_HOST
              value: 0.0.0.0
            - name: MB_JETTY_PORT
              value: '3000'
            - name: MB_DB_TYPE
              value: h2
            - name: MB_DB_FILE
              value: /db/metabase.db
            - name: MB_ENCRYPTION_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  key: ENCRYPTION_KEY
                  name: metabase-db
            - name: MB_PASSWORD_COMPLEXITY
              value: normal
            - name: MB_PASSWORD_LENGTH
              value: '6'
            - name: JAVA_TIMEZONE
              value: UTC
            - name: MB_PLUGINS_DIR
              value: /plugins
            - name: MB_EMOJI_IN_LOGS
              value: 'true'
            - name: MB_COLORIZE_LOGS
              value: 'true'
            - name: MUID
              value: '1099'
            - name: MGID
              value: '10999'
          image: 'metabase/metabase:v0.49.8'
          imagePullPolicy: IfNotPresent
          livenessProbe:
            failureThreshold: 6
            httpGet:
              path: /api/health
              port: 3000
              scheme: HTTP
            initialDelaySeconds: 120
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 30
          name: metabase
          ports:
            - containerPort: 3000
              protocol: TCP
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /api/health
              port: 3000
              scheme: HTTP
            initialDelaySeconds: 30
            periodSeconds: 5
            successThreshold: 1
            timeoutSeconds: 3
          resources: {}
          securityContext:
            runAsGroup: 1099
            runAsUser: 1099
          volumeMounts:
            - mountPath: /db
              name: db
            - mountPath: /plugins
              name: plugins
      restartPolicy: Always
      securityContext:
        fsGroup: 1099
      serviceAccount: metabase
      serviceAccountName: metabase
      volumes:
        - name: db
          persistentVolumeClaim:
            claimName: metabase-db
        - name: plugins
          persistentVolumeClaim:
            claimName: metabase-plugins
```

@lhoss

lhoss commented Aug 13, 2024

will need this feature too (planning to use this helm chart in a gov project running containers on OpenShift)

@pmint93 pmint93 linked a pull request Nov 19, 2024 that will close this issue
@pmint93 pmint93 closed this as completed Nov 19, 2024
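
An added example, not part of the issue or the chart's own code: a Python check over `kubectl get deployment -o json` output that flags non-root containers mounting PVC-backed volumes when the pod spec has no `securityContext.fsGroup`. The function names `audit_fsgroup` and `with_fsgroup` and the sample manifest are constructed for illustration.

```python
import json

def audit_fsgroup(deployment):
    """Flag non-root containers that mount PVC volumes while the pod spec lacks fsGroup."""
    pod_spec = deployment["spec"]["template"]["spec"]
    pod_sc = pod_spec.get("securityContext") or {}
    pvc_names = {v["name"] for v in pod_spec.get("volumes", [])
                 if "persistentVolumeClaim" in v}
    findings = []
    for c in pod_spec.get("containers", []):
        c_sc = c.get("securityContext") or {}
        mounted = sorted(m["name"] for m in c.get("volumeMounts", [])
                         if m["name"] in pvc_names)
        if not mounted:
            continue
        if "fsGroup" in c_sc:
            # fsGroup exists only in the pod-level securityContext.
            findings.append(f"{c['name']}: fsGroup set at container level; move it to the pod spec")
        # A container-level runAsUser overrides the pod-level one.
        uid = c_sc.get("runAsUser", pod_sc.get("runAsUser"))
        if uid not in (None, 0) and "fsGroup" not in pod_sc:
            findings.append(f"{c['name']}: uid {uid} mounts PVC volume(s) "
                            f"{', '.join(mounted)} but the pod spec sets no fsGroup")
    return findings

def with_fsgroup(deployment, gid):
    """Return a deep copy of the manifest with pod-level fsGroup set to gid."""
    fixed = json.loads(json.dumps(deployment))
    fixed["spec"]["template"]["spec"].setdefault("securityContext", {})["fsGroup"] = gid
    return fixed

# Constructed sample (not the issue's manifest): container-level securityContext only.
SAMPLE = json.loads("""
{"kind": "Deployment", "spec": {"template": {"spec": {
  "containers": [{"name": "metabase",
    "securityContext": {"runAsUser": 1099, "runAsGroup": 1099},
    "volumeMounts": [{"name": "db", "mountPath": "/db"},
                     {"name": "plugins", "mountPath": "/plugins"}]}],
  "volumes": [{"name": "db", "persistentVolumeClaim": {"claimName": "metabase-db"}},
              {"name": "plugins", "persistentVolumeClaim": {"claimName": "metabase-plugins"}}]
}}}}
""")

if __name__ == "__main__":
    print(audit_fsgroup(SAMPLE))                      # one finding
    print(audit_fsgroup(with_fsgroup(SAMPLE, 1099)))  # no findings
```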