I just noticed the official postgres Docker images having a hard time when used in Kubernetes pods in case that very Kubernetes cluster is secured with pod security policies.
This took me a while to figure out. Just trying to instantiate a vanilla postgres pod would result in various permission denials.
So this is what needs to be done:
- Patch the postgres container entry point so that it no longer runs mkdir and chown on the data directory (in particular, drop the $PGDFLT handling). Those calls only succeed as root, which is exactly what a restrictive pod security policy forbids, and they are the source of the permission denials.
- If you actually use a persistent volume to hold the data directory, you have to use an init container to set the permissions right (UID/GID 999), as in this somewhat simplified example:

```yaml
...
spec:
  initContainers:
    - name: init-0
      image: busybox
      command:
        - /bin/chown
        - -R
        - "999:999"        # owner and group, the postgres user of the image
        # Kubernetes does not expand shell variables in command or mountPath;
        # substitute the literal path your image uses for $PGDATA
        - "$PGDATA"
      volumeMounts:
        - name: persistent-volume
          mountPath: "$PGDATA"
...
```

  Mind that a pod-level securityContext with runAsUser: 999 applies to init containers as well, and chown then fails there too: either give the init container its own securityContext with runAsUser: 0 (if the policy allows it) or let the kubelet do the ownership change via fsGroup: 999. PostgreSQL 9.6 refuses a data directory with group or world access, so check the resulting mode of $PGDATA either way.
- If the data directory resides inside the container's writable layer (AUFS here), choose a location other than /var/something/… for it (Kubernetes initializes volumes below /var at an inconvenient point) and point $PGDATA there. Create that directory at build time and give it the proper permissions: owned by UID/GID 999, mode 0700.
Finally, add a security context for the pod so that the container processes run as the postgres user (UID 999). The entry point then sees that it is not root and skips the now-broken user switch.
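To make a patched entry point fail with a readable message instead of a bare permission error, here is an added example of the non-root branch the steps above describe. It is my own sketch, not the official postgres docker-entrypoint.sh and not code from the post's git repository: as root it still does the upstream mkdir/chmod/chown, as any other user it only verifies that $PGDATA is already usable. The function names pg_preflight and pg_prepare_pgdata, the 0700 mode check (what 9.6 insists on) and the default UID/GID 999 are this example's assumptions.

```shell
#!/bin/sh
# Added example, not code from the official postgres image or the post's repo.
# Replaces the root-only "mkdir -p / chown -R / gosu postgres" prologue of the
# entry point with a branch a PSP-restricted, non-root pod can take: verify that
# $PGDATA is already usable instead of trying to fix it up.
# Assumed: UID/GID 999 (the postgres user of the official image); function
# names are this example's own.

# pg_preflight DIR [UID] [GID]
# Returns 0 if DIR exists, is owned by UID:GID and grants no group/world
# access (initdb and the 9.6 postmaster refuse anything looser than 0700).
# Otherwise prints the reason to stderr and returns 1, so the pod fails fast
# with a message that says what to fix.
pg_preflight() {
    pf_dir=$1
    pf_uid=${2:-999}
    pf_gid=${3:-999}
    if [ ! -d "$pf_dir" ]; then
        echo "preflight: $pf_dir does not exist; create it at image build time" >&2
        return 1
    fi
    # %u %g %a: numeric owner, numeric group, octal mode (GNU and busybox stat)
    set -- $(stat -c '%u %g %a' "$pf_dir")
    if [ "$1" != "$pf_uid" ] || [ "$2" != "$pf_gid" ]; then
        echo "preflight: $pf_dir is owned by $1:$2, expected $pf_uid:$pf_gid" >&2
        return 1
    fi
    case "$3" in
        *00) ;;   # last two octal digits zero: no group or world bits set
        *)  echo "preflight: $pf_dir has mode $3, expected 0700" >&2
            return 1 ;;
    esac
    return 0
}

# pg_prepare_pgdata DIR [UID] [GID]
# The branch the patched entry point takes before exec'ing postgres: as root it
# may still create and chown DIR (the upstream behaviour, e.g. in an init
# container); as anyone else it can only check.
pg_prepare_pgdata() {
    if [ "$(id -u)" = 0 ]; then
        mkdir -p "$1" && chmod 700 "$1" && chown -R "${2:-999}:${3:-999}" "$1"
    else
        pg_preflight "$@"
    fi
}

# Run directly as: ./preflight.sh "$PGDATA" [UID] [GID]
if [ "$#" -gt 0 ]; then
    pg_prepare_pgdata "$@"
fi
```

Drop a call to pg_prepare_pgdata "$PGDATA" into the entry point right where the upstream script does its mkdir/chown and the pod either starts or logs exactly which of the three conditions (directory present, owner 999:999, mode 0700) the volume or image violates.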
TL;DR
All right, here's everything bound together for maximum convenience; for details check out the git repository:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: db
spec:
  selector:
    matchLabels:
      app.kubernetes.io/component: postgres
  replicas: 1
  strategy:
    type: Recreate        # never run two postmasters against the same data directory
  template:
    metadata:
      labels:
        app.kubernetes.io/component: postgres
    spec:
      securityContext:
        runAsUser: 999    # postgres user of the image; the entry point skips its user switch
      containers:
        - image: zerofudge/postgres:9.6   # patched image from the git repository
          name: db
          ports:
            - containerPort: 5432
```
Happy kubernauting!! 🙂
/kthxbye