I just noticed that the official postgres Docker images have a hard time when used in Kubernetes pods if that cluster is secured with pod security policies.
This took me a while to figure out. Just trying to instantiate a vanilla postgres pod would result in various flavours of permission denials.
So this is what needs to be done:
- Patch the postgres container entry point so it no longer runs mkdir and chown (especially remove the $PGDFLT shit)
- If you actually use a persistent volume to hold the data directory, you have to use an init container to set the ownership right (UID/GID 999), like in this somewhat simplified example:
```yaml
...
spec:
  initContainers:
  - name: init-0
    image: busybox
    # Kubernetes only expands $(VAR) in command/args, and only for variables
    # declared in env; a plain $PGDATA would be handed to chown literally.
    env:
    - name: PGDATA
      value: /pgdata          # example path; must match the database container's PGDATA
    command:
    - /bin/chown
    - -R
    - '999'
    - $(PGDATA)
    volumeMounts:
    - name: persistent-volume
      mountPath: /pgdata      # mountPath is never expanded, so spell the path out
...
```
- If the data directory resides inside the container's AUFS layer, choose a different location for it, especially something other than /var/something/… (Kubernetes does untimely volume initialization below /var), and point $PGDATA there. Create that directory at build time and give it the proper ownership and permissions (for UID/GID 999).
Finally, add a security context for the pod so the container processes run as the postgres user (UID 999); the entry point then skips its user switch, which is defunct anyway without root.
All right, here is everything bound together for maximum convenience; for details check out the git repository:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: db
spec:
  selector:
    matchLabels:
      app.kubernetes.io/component: postgres
  replicas: 1
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app.kubernetes.io/component: postgres
    spec:
      securityContext:
        runAsUser: 999
      containers:
      - image: zerofudge/postgres:9.6
        name: db
        ports:
        - containerPort: 5432
```
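As an added example (not from the post or its git repository), here is the persistent-volume variant of the same deployment, and it goes one step beyond the post: instead of a chown init container, which a restrictive pod security policy will reject because chown needs root, it lets the kubelet hand the volume to GID 999 via fsGroup and keeps PGDATA in a subdirectory of the mount, so initdb running as UID 999 can create a directory it owns with mode 0700 (which postgres 9.6 insists on). The PVC name db-data, the 10Gi size and the /pgdata path are assumptions; the image is the one from the post. This relies on the volume plugin honouring fsGroup, which hostPath and some NFS setups do not, and on the policy allowing fsGroup 999, runAsUser 999 and a non-root pod.

```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: db-data                     # assumed name
spec:
  accessModes: ["ReadWriteOnce"]
  resources:
    requests:
      storage: 10Gi                 # assumed size
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: db
spec:
  selector:
    matchLabels:
      app.kubernetes.io/component: postgres
  replicas: 1
  strategy:
    type: Recreate                  # never two postgres instances on one RWO volume
  template:
    metadata:
      labels:
        app.kubernetes.io/component: postgres
    spec:
      securityContext:
        runAsUser: 999              # postgres user baked into the official image
        runAsGroup: 999
        fsGroup: 999                # kubelet chowns/chmods the volume root for this group
        runAsNonRoot: true          # fail fast if the image ever tries to start as root
      containers:
      - name: db
        image: zerofudge/postgres:9.6
        env:
        - name: PGDATA
          value: /pgdata/db         # subdirectory of the mount, created by initdb as 999:999 0700
        ports:
        - containerPort: 5432
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]           # postgres needs no capabilities at all
        volumeMounts:
        - name: data
          mountPath: /pgdata        # assumed mount point, outside /var on purpose
      volumes:
      - name: data
        persistentVolumeClaim:
          claimName: db-data
```

Apply with kubectl apply -f and check the result with kubectl exec into the pod: `id` should report uid=999 gid=999 groups=999, and `ls -ld /pgdata /pgdata/db` should show the mount root group-owned by 999 with the setgid bit and the data directory itself as 999:999 with mode 0700. If the data directory comes out owned by root, the volume plugin is not applying fsGroup and you are back to the post's init-container approach, which then needs a policy that lets that one container run as root.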
Happy kubernauting!! 🙂