remove chown so that fsgroup can be applied to the security context

2026-01-14 22:59:28 +02:00
parent 43fc195249
commit 6bef6b3b6a
3 changed files with 236 additions and 229 deletions


@@ -60,11 +60,14 @@ RUN apk add --no-cache \
bash bash
# Create piefed user and set up directories in a single layer # Create piefed user and set up directories in a single layer
# Note: /app/app/static/media is volume-mounted in K8s, fsGroup handles permissions there
# Other directories need explicit ownership for logging and temp files
RUN addgroup -g 1000 piefed \ RUN addgroup -g 1000 piefed \
&& adduser -u 1000 -G piefed -s /bin/sh -D piefed \ && adduser -u 1000 -G piefed -s /bin/sh -D piefed \
&& mkdir -p /app/logs /app/app/static/tmp /app/app/static/media \ && mkdir -p /app/logs /app/app/static/tmp /app/app/static/media \
/var/log/piefed /var/run/piefed \ /var/log/piefed /var/run/piefed \
&& chown -R piefed:piefed /var/log/piefed /var/run/piefed && chown -R piefed:piefed /app/logs /app/app/static/tmp \
/var/log/piefed /var/run/piefed
# Set working directory # Set working directory
WORKDIR /app WORKDIR /app
@@ -75,7 +78,7 @@ COPY --from=builder --chown=piefed:piefed /app /app
# Compile translations and set permissions in a single layer # Compile translations and set permissions in a single layer
RUN source /app/venv/bin/activate \ RUN source /app/venv/bin/activate \
&& (pybabel compile -d app/translations || true) \ && (pybabel compile -d app/translations || true) \
&& chmod 755 /app/logs /app/app/static/tmp /app/app/static/media && chmod 755 /app/logs /app/app/static/tmp
# Copy shared entrypoint utilities # Copy shared entrypoint utilities
COPY entrypoint-common.sh /usr/local/bin/entrypoint-common.sh COPY entrypoint-common.sh /usr/local/bin/entrypoint-common.sh
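Review bot: Dropping `/app/app/static/media` from the `chown` line (`&& chown -R piefed:piefed /app/logs /app/app/static/tmp \`) and from the later `chmod 755` leaves that directory root-owned 0755 in the image, and image-level ownership was never what fsGroup acts on: a Kubernetes volume mounted at that path hides the image's directory, so the old chown did not get in fsGroup's way and its removal changes nothing in K8s while making the media directory unwritable for `piefed` whenever the image runs without the volume (compose, local testing). I would keep `/app/app/static/media` in the chown line, or, if the image is meant to be K8s-only, say so in the comment: `# /app/app/static/media MUST be volume-mounted at runtime; it is root-owned in the image and the app cannot write to it otherwise`. `-R` on freshly created empty directories is redundant; a plain `chown piefed:piefed …` is enough at this point in the build. Whether the final stage switches to `USER piefed` is outside this hunk, so the ownership assumptions above cannot be confirmed from the diff alone.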


@@ -20,6 +20,8 @@ spec:
app.kubernetes.io/component: web app.kubernetes.io/component: web
spec: spec:
serviceAccountName: piefed-init-checker serviceAccountName: piefed-init-checker
securityContext:
fsGroup: 1000 # piefed group - ensures volume mounts are writable
imagePullSecrets: imagePullSecrets:
- name: harbor-pull-secret - name: harbor-pull-secret
initContainers: initContainers:
@@ -67,7 +69,7 @@ spec:
echo "✓ Migrations complete, starting web pod..." echo "✓ Migrations complete, starting web pod..."
containers: containers:
- name: piefed-web - name: piefed-web
image: <YOUR_REGISTRY_URL>/library/piefed-web:latest image: registry.keyboardvagabond.com/library/piefed-web:latest
imagePullPolicy: Always imagePullPolicy: Always
ports: ports:
- containerPort: 80 - containerPort: 80
@@ -146,4 +148,4 @@ spec:
name: memory name: memory
target: target:
type: Utilization type: Utilization
averageUtilization: 90 averageUtilization: 200 #3GB of the 4 available
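Review bot: The new `securityContext` carries only `fsGroup: 1000`, so the pod still relies on the image's own `USER` for the UID it runs as; add `runAsUser: 1000`, `runAsGroup: 1000` and `runAsNonRoot: true` next to it so the manifest enforces the non-root identity the fsGroup is paired with rather than trusting whatever the `:latest` image ships. Because fsGroup makes the kubelet walk the media volume and change ownership on every pod start, consider `fsGroupChangePolicy: OnRootMismatch` so the walk is skipped when the volume root already has the right group, which matters as the media volume grows. fsGroup is also only honoured for volume types that support ownership management; if the media volume is NFS or hostPath, the "ensures volume mounts are writable" comment on the fsGroup line will not hold. The same `securityContext` hunk appears in the worker manifest and the same applies there.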


@@ -20,6 +20,8 @@ spec:
app.kubernetes.io/component: worker app.kubernetes.io/component: worker
spec: spec:
serviceAccountName: piefed-init-checker serviceAccountName: piefed-init-checker
securityContext:
fsGroup: 1000 # piefed group - ensures volume mounts are writable
imagePullSecrets: imagePullSecrets:
- name: harbor-pull-secret - name: harbor-pull-secret
initContainers: initContainers:
@@ -67,7 +69,7 @@ spec:
echo "✓ Migrations complete, starting worker pod..." echo "✓ Migrations complete, starting worker pod..."
containers: containers:
- name: piefed-worker - name: piefed-worker
image: <YOUR_REGISTRY_URL>/library/piefed-worker:latest image: registry.keyboardvagabond.com/library/piefed-worker:latest
imagePullPolicy: Always imagePullPolicy: Always
envFrom: envFrom:
- configMapRef: - configMapRef:
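Review bot: The image line replaces the `<YOUR_REGISTRY_URL>` placeholder with a concrete private registry host while keeping the `:latest` tag and `imagePullPolicy: Always`; if these manifests are meant to be reusable examples the placeholder should stay, and in either case the tag should be a release version or digest so that the UID the new `fsGroup: 1000` is paired with cannot silently change underneath the pod on the next pull. Something like `image: registry.keyboardvagabond.com/library/piefed-worker:<RELEASE_TAG>` (placeholder for the pinned tag or `@sha256:` digest) makes the deployment reproducible. The web manifest has the identical image change and the same point applies there.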