Align shared PVC writers via fsGroup 2000 and umask 002#400
Merged
Conversation
The agent (UID 999), shared-cleanup cronjob (UID 0), and ephemeral script pods (UID 1000) all mount /rockbot/shared but had no shared group, so each writer's dirs (mode 755) blocked the others. Script pods couldn't mkdir inside attachments/, which broke the morning brief's Teams-bridge triage this morning with PermissionError on /rockbot/shared/attachments/... - Add shared.fsGroup (default 2000) to values.yaml - Apply pod-level securityContext.fsGroup on agent deployment and cleanup cronjob templates - Plumb FsGroup through ContainerScriptOptions and the configmap so the agent stamps the same fsGroup on script pods it creates - Prefix the script pod sh command with 'umask 002 &&' so new files and dirs are group-writable; combined with setgid (from fsGroup), the three writers can now read, write, and delete each other's artifacts Bumps agent to 0.10.61 and chart to 0.10.16. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
/rockbot/shared— agent (UID 999), shared-cleanup cronjob (UID 0), ephemeral script pods (UID 1000) — under a commonfsGroup(2000), so each can read/write/delete the others' filesumask 002so new dirs/files are group-writable (combined with setgid from fsGroup, the agent can later clean up script-pod artifacts)Why
Morning brief on 2026-05-12 failed when a subagent's
execute_python_scripttriedos.makedirs('/rockbot/shared/attachments/teams-bridge-triage-2026-05-12')and gotPermissionError: [Errno 13]. Root cause:/rockbot/shared/attachmentswasdrwxr-xr-x 999:999and the script pod runs as UID 1000 — three writers, three UIDs, no shared group bit. Already verified live in the cluster; this PR commits what was deployed.Test plan
helm templaterendersfsGroup: 2000on agent deployment, cleanup cronjob, and configmap (Scripts__Container__FsGroup)dotnet test tests/RockBot.Scripts.Tests— 46 pass, 0 fail (existingContainsassertions unaffected by theumask 002 &&prefix)rockbot/default); agent pod'sspec.securityContext.fsGroup = 2000, supplementary groups include 2000runAsUser:1000, fsGroup:2000) successfully created/rockbot/shared/attachments/teams-bridge-triage-smoke-test/hello.txt— the exact failing path from this morningdrwxrwsr-x 1000:2000(mode 2775), and agent pod (UID 999, group 2000) canrm -rfthem🤖 Generated with Claude Code