# help
d
hello cerbos helpers, thank you for all your help so far, I have been able to experiment with it on a local (my laptop k8s cluster) now I'm deploying another Kubernetes cluster, and running into issues related to r/w permissions to disk - detail in thread
```
{"log.level":"info","@timestamp":"2023-07-20T22:11:42.790Z","log.logger":"cerbos.server","message":"maxprocs: No GOMAXPROCS change to reset"}
{"log.level":"error","@timestamp":"2023-07-20T22:11:42.790Z","log.logger":"cerbos.git.store","message":"Failed to initialize git store","dir":"/.cache/cerbos/git","error":"failed to create directory /.cache/cerbos/git: mkdir /.cache/cerbos: permission denied"}
{"log.level":"error","@timestamp":"2023-07-20T22:11:42.790Z","log.logger":"cerbos.server","message":"Failed to start server","error":"failed to create store: failed to create directory /.cache/cerbos/git: mkdir /.cache/cerbos: permission denied"}
cerbos: error: server.Cmd.Run(): failed to create store: failed to create directory /.cache/cerbos/git: mkdir /.cache/cerbos: permission denied
```
I had to add the following to the Helm chart config to get past the whole root/nonroot issue
```yaml
podSecurityContext:
  fsGroup: 2000

securityContext:
  runAsNonRoot: true
  runAsUser: 1000
```
don’t see this addressed in history (https://community.cerbos.dev)
so while I can set the pod or container security context to not run as a root user, what directory cerbos chooses to r/w as part of its workflow cannot be altered with values.yaml
c
The local directory for the git store is configured using the `checkoutDir` config value: https://docs.cerbos.dev/cerbos/latest/configuration/storage.html#git-driver. If you don't specify that, Cerbos tries to write to `XDG_CACHE_DIR` by default. Here's an example of how to configure the `checkoutDir` in Helm: https://github.com/cerbos/cerbos/blob/main/deploy/charts/cerbos/values-git-storage.yaml.
d
ic! ok will try this thank you!
the cerbos containers are a little difficult to examine - if I set a security context `securityContext: runAsNonRoot: true runAsUser: 1000` how can I find out if there is a home directory this user can RW to/from?
c
Cerbos is a scratch container so there's no OS and there aren't any directories in the image except `/etc/ssl/certs`. If you want to inspect it yourself, you can obtain a shell on the container using an ephemeral debug container: https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/#ephemeral-container