Allow to set gitaly fsGroupChangePolicy setting
Summary
When using Gitaly in a Kubernetes environment, the combination of securityContext.fsGroup being set and having a large number of files results in a painfully slow time for the kubelet to run a recursive chown on the contents of the persistent volume.
Steps to reproduce
- Add a large amount of small files in a gitaly persistent volume (In my case, I am at 200GB of total data)
- Try restarting the Gitaly statefulset
Configuration used
We are using the default Gitaly configuration for securityContext.
Current behavior
The kubelet tries to mount the volume to the container, but continually times out while the recursive chown operation runs.
Expected behavior
The volume should mount without conducting a recursive chown operation. There is a feature available in Kubernetes 1.23 to do this (fsGroupChangePolicy: "OnRootMismatch"): https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods.
We need to be able to set the fsGroupChangePolicy.
Versions
- Chart: 6.1.6
- Platform:
  - Self-hosted
- Kubernetes: (kubectl version)
  - Client: 1.24.2
  - Server: 1.23.7
- Helm: (helm version)
  - Client: 3.8.1
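
For reference, the pod-level setting requested above, written as a strategic-merge patch for a StatefulSet pod template. This is an added example, not part of the original report or the GitLab chart; the uid/gid value 1000 is an assumption.

```yaml
# Added illustration: strategic-merge patch for a Gitaly StatefulSet.
# Assumption: the Gitaly container runs as uid/gid 1000; substitute your own IDs.
spec:
  template:
    spec:
      securityContext:
        runAsUser: 1000
        # fsGroup makes the kubelet set group ownership on the mounted volume.
        fsGroup: 1000
        # Default policy is "Always": the kubelet recursively changes ownership
        # and permissions of every file in the volume on each mount, which is
        # the slow step described in this report.
        # "OnRootMismatch" skips the recursive pass when the ownership and
        # permissions of the volume's root directory already match.
        # Caveat: only the root directory is inspected, so files deeper in the
        # volume that carry a different owner are left as they are.
        fsGroupChangePolicy: "OnRootMismatch"
```

Saved to a file, this can be applied with `kubectl patch statefulset <name> --patch-file <file>`. A manual patch is overwritten by the next Helm upgrade unless the chart itself exposes the setting, which is what this issue asks for.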