harbor: k8s updates break Harbor Helm deployments
The k8s security updates 1.7.14, 1.8.9, and 1.9.4 make configMaps read-only by default (CHANGELOG-1.7.md):
Changes secret, configMap, downwardAPI and projected volumes to mount read-only, instead of allowing applications to write data and then reverting it automatically. Until version 1.11, setting the feature gate ReadOnlyAPIDataVolumes=false will preserve the old behavior. (#58720, @joelsmith)
This breaks the Registry and Clair deployments, which try to chown the configMap-mounted config files on startup, resulting in a crash loop. Logs from Clair:
chown: changing ownership of '/config/config.yaml': Read-only file system
Clair entrypoint (docker-entrypoint.sh):
#!/bin/bash
set -e
# Fails with EROFS when /config is a read-only configMap mount (Kubernetes >= 1.9.4)
chown -R 10000:10000 /config
# Drop to UID 10000 and start Clair under dumb-init
sudo -E -H -u \#10000 sh -c "/dumb-init -- /clair2.0.1/clair -config /config/config.yaml"
set +e
Kubernetes version: 1.9.5
Helm version: 2.8.1
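The crash loop comes from an entrypoint that assumes its config mount is writable. The following is an added example (not Clair's or Harbor's entrypoint) of a defensive bootstrap pattern: probe whether the config directory is writable, and if it is not (the read-only configMap case), copy it to a writable scratch directory before fixing ownership and handing it to the unprivileged service user. Function names, the scratch path and the default UID 10000 are assumptions chosen to mirror the entrypoint quoted above; the Harbor fix itself simply stops calling chown on config files, and setting `securityContext.fsGroup` on the pod is another way to avoid chown entirely.

```shell
#!/bin/bash
# Added example: entrypoint helper that copes with read-only configMap mounts.
set -eu

# Return 0 if a regular file can be created in $1, 1 otherwise.
# A write probe is used instead of parsing /proc/mounts so the check also
# covers bind mounts and overlay layers whose mount options are opaque.
dir_is_writable() {
  local dir="$1"
  local probe="$dir/.rw-probe-$$"
  if ( : > "$probe" ) 2>/dev/null; then
    rm -f "$probe"
    return 0
  fi
  return 1
}

# Prepare config for an unprivileged service user (default UID 10000).
#   $1 = mounted config dir, $2 = writable scratch dir, $3 = uid (optional)
# Writable source: chown in place and return it. Read-only source (the
# Kubernetes >= 1.9.4 configMap behaviour): copy to scratch, chown the copy,
# return the scratch dir. chown failures are tolerated so a non-root
# container does not crash-loop either.
prepare_config() {
  local src="$1" scratch="$2" uid="${3:-10000}"
  if dir_is_writable "$src"; then
    chown -R "$uid:$uid" "$src" 2>/dev/null || true
    echo "$src"
  else
    mkdir -p "$scratch"
    cp -R "$src/." "$scratch/"
    chown -R "$uid:$uid" "$scratch" 2>/dev/null || true
    echo "$scratch"
  fi
}

# Guarded demo so sourcing this file for tests does not start anything:
#   ./entrypoint-example.sh run /config /tmp/service-config
if [ "${1:-}" = "run" ]; then
  CONFIG_DIR="$(prepare_config "$2" "$3")"
  echo "service would start with -config $CONFIG_DIR/config.yaml"
fi
```

Running the entrypoint as UID 10000 from the start (runAsUser) with fsGroup set removes the need for any chown, which is the least-privilege shape of the same fix.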
About this issue
- State: closed
- Created 6 years ago
- Reactions: 9
- Comments: 16 (9 by maintainers)
Commits related to this issue
- Do not run `chown` to config files. As described in #4496, a recent security enhancement in Kubernetes mounts configMap volumes as read-only. This commit makes necessary updates to the entry point scripts... — committed to reasonerjt/harbor by reasonerjt 6 years ago
- Do not call `chown` to config files. This commit fixes a recently discovered issue on Kubernetes #4496. It makes it necessary to avoid calling `chown` to config files during the bootstrap of the containers... — committed to reasonerjt/harbor by reasonerjt 6 years ago
- Bump helm chart to 1.5. Update the helm chart of Harbor to use the 1.5 image, specifically `1.5.0-chart-patch`, to include the fix to #4496 (for integration reasons this fix will not be merged to release br... — committed to reasonerjt/harbor by reasonerjt 6 years ago
- Make Helm Chart support Harbor 1.5.0. Update the helm chart of Harbor to use the 1.5 image, specifically `1.5.0-chart-patch`, to include the fix to #4496 (for integration reasons this fix will not be merge... — committed to reasonerjt/harbor by reasonerjt 6 years ago
Fixed in the master branch. Leaving it open until it's integrated into the Helm chart.
Having just hit this issue trying to move to a new K8S 1.10.3 cluster, I thought I'd note that this issue also affects 1.10 in the same way, and that from 1.11 onwards it cannot be disabled with the feature gate.