Describe the feature you'd like to have.
It should be possible to run the syncthing mover both with its current elevated permissions as well as with normal user permissions.
What is the value to the end user? (why is it a priority?)
Running as a normal user is sufficient for typical replication scenarios, and it improves the security of the cluster by not running Pods w/ elevated permissions in the user's Namespace.
How will we know we have a good solution? (acceptance criteria)
Additional context
Special attention to the syncthing config volume may be necessary. In the case of OpenShift, the PVC will be automatically made accessible to the mover pod, but in vanilla kube, explicit setting of fsGroup or supplementalGroups may be necessary. (This will also need to be resolved for restic as a part of Restic: enable reduced mover permissions #367)
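The fsGroup / supplementalGroups point above, as an added example that is not part of the original issue and not the project's own manifest: a Pod for vanilla Kubernetes in which a non-root container gets group access to a config PVC. The Pod name, image, UID/GID values, mount path and claim name are hypothetical placeholders.

```yaml
# Added example: hypothetical names and IDs, not taken from the project.
apiVersion: v1
kind: Pod
metadata:
  name: mover-nonroot-example        # hypothetical
spec:
  securityContext:
    runAsNonRoot: true               # kubelet refuses to start a UID 0 container
    runAsUser: 10001                 # constructed UID
    runAsGroup: 10001                # constructed GID
    # fsGroup: for volume types that support ownership management, the
    # kubelet makes the volume group-owned by this GID and group-writable,
    # and adds the GID to the container's supplementary groups.
    fsGroup: 10001
    # Skip the recursive chown/chmod when the volume root already matches,
    # which avoids slow mounts on large volumes.
    fsGroupChangePolicy: OnRootMismatch
    # supplementalGroups: extra GIDs for the process only. No ownership
    # change is made on the volume, so this fits storage whose existing
    # group ownership must be matched rather than rewritten (e.g. NFS).
    supplementalGroups: [20001]      # constructed GID
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: mover
      image: registry.example.com/mover:placeholder   # hypothetical
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
        readOnlyRootFilesystem: true
      volumeMounts:
        - name: config
          mountPath: /config         # hypothetical mount path
  volumes:
    - name: config
      persistentVolumeClaim:
        claimName: example-config-pvc   # hypothetical
```

Running `id` and `ls -ldn /config` inside the container shows whether the process's groups line up with the volume's group ownership and mode.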