Removed unnecessary change of group ownership in chmod initContainer #486
This is an init container which applies chown one time only; any new pods created after that won't get the right owner flags.
I don't think we can apply this change.
Right! I'll close the PR.
splunk-otel-collector-chart/helm-charts/splunk-otel-collector/templates/daemonset.yaml Lines 147 to 149 in d104bb8
Is there any specific reason we need to change the group of all files inside the container directory?
I'm not sure. @rockb1017, who introduced this, maybe can answer. Feel free to play with this and see if it's really required.
I tested these changes in minikube, EKS and AKS. It is working there. In there,
For some reason, it is not working in OpenShift (cri).
EDIT: Same behaviour is mentioned here: https://github.com/signalfx/splunk-otel-collector-chart/blob/main/docs/advanced-configuration.md#running-the-container-in-non-root-user-mode
Instead of modifying permissions of the entire pod/container directory, modify only logs file.
@harshit-splunk does it break this functionality in OpenShift?
It doesn't work with the current implementation either for OpenShift. It only gives read access to existing pod files. Agent will not have read access to newly created pods.
Sounds good. @harshit-splunk can you please make the statement that it doesn't work in cri-o more clear here, not just didn't work during testing.
Instead of modifying permissions of the entire pod/container directory, modify only logs file. A file access control list (ACL) can provide permissions to a specific user or group without modifying the user/group owner of the file.
So, there is no need to change the group owner here:
splunk-otel-collector-chart/helm-charts/splunk-otel-collector/templates/daemonset.yaml
Lines 147 to 149 in f5f6df8