Configure Minio to run as non-root user (!195) · Merge requests · GitLab.org / charts / GitLab Chart

Jason Plum requested to merge 268-minio-run-as-non-root into master Mar 28, 2018

Two changes occur here:

Addition of securityContext to the Pod
- This sets the running user to 1000, which is not required to exist inside the container.
- Sets the fsGroup to 1000, which k8s will automatically ensure that the Pod's PV contents are automatically chown 1000:1000
- The combination of the two lets us run as non-root, with file permissions automatically handled.
Modification of the default value when minio.configPath is not provided (default from values.yaml`
- Here, we set this to /tmp/.minio in place of /root/.minio. This relies on the standard behaviors of the filesystems, which sets /tmp as accessible for all users.

Upside of this approach:

minimal modifications compared to the upstream charts. Easier to maintain the fork.
No need for alterations to the container image in use. Less items to maintain overall.

Edited Mar 28, 2018 by Jason Plum

Configure Minio to run as non-root user