Configure Minio to run as non-root user
Two changes occur here:
- Addition of `securityContext` to the Pod
  - This sets the running user to `1000`, which is not required to exist inside the container.
  - Sets the `fsGroup` to `1000`, which k8s will automatically ensure that the Pod's PV contents are automatically `chown 1000:1000`
  - The combination of the two lets us run as non-root, with file permissions automatically handled.
- Modification of the default value when `minio.configPath` is not provided (default from `values.yaml`)
  - Here, we set this to `/tmp/.minio` in place of `/root/.minio`. This relies on the standard behaviors of the filesystems, which sets `/tmp` as accessible for all users.

Upside of this approach:
- minimal modifications compared to the upstream charts. Easier to maintain the fork.
- No need for alterations to the container image in use. Fewer items to maintain overall.
Closes #268 (closed)
Edited by Jason Plum
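
A check for the two changes described above, written as an added example that is not part of this merge request or the chart: it audits a pod spec (the `spec.template.spec` object from `kubectl get deployment -o json`) for the effective UID of each container, the `fsGroup`, and any leftover `/root` path. The sample spec, container name and Minio arguments are constructed for illustration and are assumptions, not the chart's rendered output.

```python
import json

# Constructed sample pod spec; name and args are assumptions, not the chart's output.
SAMPLE = json.loads("""
{
  "securityContext": {"runAsUser": 1000, "fsGroup": 1000},
  "containers": [
    {"name": "minio",
     "args": ["-C", "/tmp/.minio", "server", "/export"]}
  ]
}
""")


def audit_pod_spec(spec):
    """Return a list of findings; an empty list means the non-root setup holds."""
    findings = []
    pod_sc = spec.get("securityContext") or {}
    pod_uid = pod_sc.get("runAsUser")

    # fsGroup is what makes the kubelet hand the volume contents to a non-root GID.
    if pod_sc.get("fsGroup") in (None, 0):
        findings.append("pod: fsGroup unset or 0")

    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext") or {}
        # A container-level runAsUser overrides the pod-level value.
        uid = sc.get("runAsUser", pod_uid)
        if uid is None:
            findings.append(f"{c['name']}: no runAsUser, image default UID applies")
        elif uid == 0:
            findings.append(f"{c['name']}: runs as UID 0")

        # Paths under /root are normally not writable by a non-root UID.
        for word in c.get("command", []) + c.get("args", []):
            if word == "/root" or word.startswith("/root/"):
                findings.append(f"{c['name']}: references {word}")
    return findings


if __name__ == "__main__":
    for line in audit_pod_spec(SAMPLE) or ["ok: non-root with fsGroup set"]:
        print(line)
```

The container-level override is the case worth watching: a pod-level `runAsUser: 1000` does not help if a single container sets `runAsUser: 0` in its own `securityContext`.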