I just noticed the official postgres docker images having a hard time when used in kubernetes pods in case that very kubernetes cluster is secured with pod security policies.
This took me a while to figure out. Just trying to instantiate a vanilla postgres pod would result in variations of permission denials.
So this is what needs to be done:
- Patch the postgres container entry point to not mkdirs and chowns (especially remove the $PGDFLT shit)
- If you actually use a persistent volume to contain the data directory, you have to use an init container to set the permissions right (UID/GID 999), like in this somewhat simplified example:
... spec: initContainers: - name: init-0 image: busybox command: - /bin/chown - -R - '999' - "$PGDATA" volumeMounts: - name: persistent-volume mountPath: "$PGDATA" ... - If the data directory resides inside the container AUFS, choose a different location for it – especially something other than /var/something/… (as kubernetes does untimely volume initialization patterns below /var) and point $PGDATA there. Create that directory at build time and give it the proper permissions (for UID/GID 999)
Finally, add a security context for the pod to let the container processes run with the postgres user (which will skip the defunct user switch in the entry point)
TL;DR
Allright, here’s everything bound together for maximum convenience, for details check out the git repository :
apiVersion: apps/v1
kind: Deployment
metadata:
name: db
spec:
selector:
matchLabels:
app.kubernetes.io/component: postgres
replicas: 1
strategy:
type: Recreate
template:
metadata:
labels:
app.kubernetes.io/component: postgres
spec:
securityContext:
runAsUser: 999
containers:
- image: zerofudge/postgres:9.6
name: db
ports:
- containerPort: 5432
Happy kubernauting!! 🙂
/kthxbye
fudge's secret reading corner 