
Conversation

rhdedgar
Collaborator

Setting FSGroup to convey the need for a more permissive scc.

Closes RHAIENG-999.

@rhdedgar
Collaborator Author

It's possible the RunAsUser setting could even be removed in the future, as the FSGroup: 0 setting should provide the necessary volume access.

@derekhiggins
Collaborator

So we're dropping some privileges from the init container while mounting storage in as the 'root' group so that containers can always write to volumes?

Would you mind putting a little context on why this is needed in here (as not everybody can see what RHAIENG-999 is)?

@rhdedgar
Collaborator Author

Sure! So from the ticket, setting storage to something like:

    storage:
      size: 10Gi

can cause the permissions error:

    forbidden: unable to validate against any security context constraint

I was able to replicate that error on an OpenShift 4.18 cluster.

I've updated the FSGroup to match the container's existing RunAsUser and RunAsGroup settings to address that security discrepancy.

I also dropped the additional unneeded capabilities that would normally be given to pods that aren't run as restricted-v2, so that this fix doesn't grant more than it needs to.
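To make the two halves of this fix concrete, here is an added Go example; it is not code from the llama-stack-k8s-operator project. It models the securityContext fields under discussion with a small hand-written struct (an assumption, not the k8s.io/api type) and checks them against a simplified stand-in for a restrictive SCC such as restricted-v2: IDs inside the namespace range, all capabilities dropped, privilege escalation disabled. The namespace ID range and the policy model are constructed assumptions, not OpenShift's admission code. With fsGroup/runAsUser/runAsGroup aligned on the root group, the pod is consistent in ownership yet cannot fit the restrictive policy, which is what forces it onto a more permissive SCC; dropping ALL capabilities keeps that permissive SCC from granting more than the volume access needs.

```go
package main

import (
	"fmt"
	"strings"
)

// PodSecurity is a small, hand-written model of the securityContext fields
// the pull request touches. It is an assumption for this example and is
// not the k8s.io/api PodSecurityContext type.
type PodSecurity struct {
	RunAsUser                *int64
	RunAsGroup               *int64
	FSGroup                  *int64
	DropCaps                 []string // container-level capabilities.drop, e.g. {"ALL"}
	AllowPrivilegeEscalation *bool
}

// IDRange is the UID/GID range a namespace is allotted; restrictive SCCs
// require the pod's IDs to fall inside it.
type IDRange struct{ Min, Max int64 }

func (r IDRange) contains(v int64) bool { return v >= r.Min && v <= r.Max }

// RestrictedPolicy is a simplified stand-in for a restrictive SCC such as
// restricted-v2. It is an assumption for this example, not OpenShift's
// admission code.
type RestrictedPolicy struct{ Range IDRange }

// Violations lists why a pod would fail validation against the restrictive
// policy. Any entry means the pod needs a more permissive SCC.
func (p RestrictedPolicy) Violations(s PodSecurity) []string {
	var out []string
	checkID := func(field string, id *int64) {
		if id != nil && !p.Range.contains(*id) {
			out = append(out, fmt.Sprintf("%s %d is outside namespace range %d-%d",
				field, *id, p.Range.Min, p.Range.Max))
		}
	}
	checkID("runAsUser", s.RunAsUser)
	checkID("runAsGroup", s.RunAsGroup)
	checkID("fsGroup", s.FSGroup)
	if !dropsAll(s.DropCaps) {
		out = append(out, "capabilities are not all dropped (expected drop: [ALL])")
	}
	if s.AllowPrivilegeEscalation == nil || *s.AllowPrivilegeEscalation {
		out = append(out, "allowPrivilegeEscalation must be false")
	}
	return out
}

// NeedsPermissiveSCC is true when the pod cannot be admitted under the
// restrictive policy and will have to be matched to a more permissive SCC.
func (p RestrictedPolicy) NeedsPermissiveSCC(s PodSecurity) bool {
	return len(p.Violations(s)) > 0
}

// dropsAll reports whether the drop list contains ALL (case-insensitive).
func dropsAll(caps []string) bool {
	for _, c := range caps {
		if strings.EqualFold(c, "ALL") {
			return true
		}
	}
	return false
}

// ConsistentOwnership reports whether fsGroup equals runAsGroup, i.e. the
// group a mounted volume is chowned to is the group the process runs as,
// which is what makes the volume writable by the container's own identity.
func ConsistentOwnership(s PodSecurity) bool {
	return s.FSGroup != nil && s.RunAsGroup != nil && *s.FSGroup == *s.RunAsGroup
}

func i64(v int64) *int64 { return &v }
func boolp(v bool) *bool { return &v }

func main() {
	// Constructed namespace range; real clusters annotate each namespace
	// with its own range.
	policy := RestrictedPolicy{Range: IDRange{Min: 1000700000, Max: 1000709999}}

	// The shape the pull request describes: fsGroup aligned with
	// runAsUser/runAsGroup (root group here) and every capability dropped.
	spec := PodSecurity{
		RunAsUser:                i64(0),
		RunAsGroup:               i64(0),
		FSGroup:                  i64(0),
		DropCaps:                 []string{"ALL"},
		AllowPrivilegeEscalation: boolp(false),
	}
	fmt.Println("consistent ownership:", ConsistentOwnership(spec))
	fmt.Println("needs permissive SCC:", policy.NeedsPermissiveSCC(spec))
	for _, v := range policy.Violations(spec) {
		fmt.Println("  -", v)
	}
}
```

Running it reports consistent ownership, lists the three out-of-range IDs as the reasons the pod needs a more permissive SCC, and reports no capability or privilege-escalation findings; swapping in IDs from the namespace range makes the same spec fit the restrictive policy, which is a useful pre-deployment check before a cluster returns the "unable to validate against any security context constraint" error.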

Collaborator

@derekhiggins derekhiggins left a comment


Thanks

Signed-off-by: Doug Edgar <[email protected]>
@rhdedgar rhdedgar merged commit c1f55f4 into llamastack:main Sep 18, 2025
6 checks passed
VaishnaviHire pushed a commit to VaishnaviHire/llama-stack-k8s-operator that referenced this pull request Sep 25, 2025
Setting FSGroup to convey the need for a more permissive scc.

Closes RHAIENG-999.

Signed-off-by: Doug Edgar <[email protected]>

Approved by: Derek Higgins <[email protected]>

(cherry picked from commit c1f55f4)