Timescale container is ran with postgres user and group which are
defined with uid 70 and gid 70.
Data volume owner is changed for postgres.
See also:
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
Issue-ID: CPS-667
Signed-off-by: Bruno Sakoto <bruno.sakoto@bell.ca>
Change-Id: Ia87922ba68bb47a7a07aaf61f368143d970278b6
serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . ) }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
+ initContainers:
+ - name: chowm-mount-path
+ command:
+ - /bin/sh
+ args:
+ - -c
+ - chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.runAsGroup }} /var/lib/postgresql/data
+ image: {{ include "repositoryGenerator.image.busybox" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ volumeMounts:
+ - mountPath: /var/lib/postgresql/data
+ name: {{ include "common.fullname" . }}
containers:
- name: {{ include "common.name" . }}
image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }}
podSecurityContext: {}
# fsGroup: 2000
-securityContext: {}
+securityContext:
+ # Uid and gid to run the entrypoint of the container process (uid 70 is postgres user and gid 70 is postgres group)
+ runAsUser: 70
+ runAsGroup: 70
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
- # runAsUser: 1000
resources:
# We usually recommend not to specify default resources and to leave this as a conscious