hey folks. I am running cerbos as a sidecar for a ...
# helps
Steve High (NTWRK)
01/06/2023, 9:41 PMhey folks. I am running cerbos as a sidecar for a couple service. I already deployed this into a cluster a long time ago and verified all was working. However, I just deployed to a new cluster and am getting this error:
Copy code
request failed: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing dial unix /sock/cerbos.sock: connect: permission denied"Steve High (NTWRK)
01/06/2023, 10:21 PMi can provide all the helm stuff if needed
c
Charith (Cerbos)
01/07/2023, 8:18 AM
Are you running the application as an unprivileged user? Maybe they don't have read access to the socket file?
We can try to reproduce it if you send the chart, your k8s version and the client connection snippet.
Charith (Cerbos)
01/07/2023, 8:23 AM
The default permission on the socket file is
0o766udsFileModes
Steve High (NTWRK)
01/09/2023, 4:01 PMOK the permissions might be the issue. I'll report back with results
Steve High (NTWRK)
01/09/2023, 4:43 PMOK so it looks like my permissions were already set that way (
0o766c
Charith (Cerbos)
01/09/2023, 4:50 PM
Maybe the permissions on the parent directory (
/socks
Steve High (NTWRK)
01/09/2023, 4:58 PMah great point. I will make sure that's taken into consideration
Steve High (NTWRK)
01/09/2023, 9:04 PM@Charith (Cerbos) you don't happen to know how to do that inside a Dockerfile, do you? I am trying to chown the socket file to the user that's running in the container, but that doesnt seem to work. Do you have any service configuration (dockerfile I guess) that does this properly? (by this, i mean connect to a sidecar.
c
Charith (Cerbos)
01/10/2023, 6:39 AM
We have a Docker Compose demo that uses a socket on a tmpfs volume but it doesn't do any permission juggling. I can think of two things you could try:
• Try changing the securityContext.fsGroup for the pod
• Use an in-memory
emptyDir5 Views