Allow to set gitaly fsGroupChangePolicy setting

Summary

When using Gitaly in a Kubernetes environment, the combination of securityContext.fsGroup being set and having a large number of files results in a painfully slow time for the kubelet to run a recursive chown on the contents of the persistent volume.

Steps to reproduce

  1. Add a large number of small files in a Gitaly persistent volume (in my case, I am at 200GB of total data)
  2. Try restarting the Gitaly statefulset

Configuration used

We are using the default Gitaly configuration for securityContext.

Current behavior

The kubelet tries to mount the volume to the container, but continually times out while the recursive chown operation runs.

Expected behavior

The volume should mount without conducting a recursive chown operation. There is a feature available in Kubernetes 1.23 to do this (fsGroupChangePolicy: "OnRootMismatch"): https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods.

We need to be able to set the fsGroupChangePolicy.

Versions

  • Chart: 6.1.6
  • Platform:
    • Self-hosted
  • Kubernetes: (kubectl version)
    • Client 1.24.2
    • Server: 1.23.7
  • Helm: (helm version)
    • Client: 3.8.1

Relevant logs
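
The following is an added example, not part of the original issue and not kubelet or chart code. It models the `OnRootMismatch` decision described under "Expected behavior" so an operator can check a volume before switching policy, and it lists entries below the root that the policy would leave untouched. The function names and the exact permission bits treated as a "match" are assumptions.

```python
import os
import stat

# Assumption: a writable volume root "matches" when it is owned by fsGroup,
# grants group rwx, and has setgid set. The kubelet's exact mask may differ.
GROUP_RWX = stat.S_IRGRP | stat.S_IWGRP | stat.S_IXGRP


def root_mismatch(volume_root, fs_group):
    """Return the reasons the volume root does not match; empty means match."""
    st = os.stat(volume_root)
    reasons = []
    if st.st_gid != fs_group:
        reasons.append(f"root gid {st.st_gid} != fsGroup {fs_group}")
    if (st.st_mode & GROUP_RWX) != GROUP_RWX:
        reasons.append(f"root mode {stat.S_IMODE(st.st_mode):o} lacks group rwx")
    if not st.st_mode & stat.S_ISGID:
        reasons.append("root lacks setgid bit")
    return reasons


def would_change_recursively(volume_root, fs_group, policy="Always"):
    """Model the policy decision: True means every entry gets chown/chmod."""
    if policy == "Always":
        return True
    if policy == "OnRootMismatch":
        return bool(root_mismatch(volume_root, fs_group))
    raise ValueError(f"unknown fsGroupChangePolicy: {policy}")


def entries_not_owned_by(volume_root, fs_group):
    """List entries below the root whose gid differs from fsGroup.

    OnRootMismatch inspects only the root, so these keep their ownership
    whenever the root already matches.
    """
    stale = []
    for dirpath, dirnames, filenames in os.walk(volume_root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.lstat(path).st_gid != fs_group:
                stale.append(path)
    return sorted(stale)
```

A non-empty result from `entries_not_owned_by` on a volume whose root already matches means those files stay inaccessible to the pod's group under `OnRootMismatch` and need a one-time ownership fix.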