Bug
Resolution: Done
Major
RHIDP-2233 - RHDH Operator: Improve configuration for simplifying user experience (onboarding)
RHDH Install 3268
[2179491555] Upstream Reporter: Gennady Azarenkov
Upstream issue status: Open
Upstream description:
The issue has shown up in hosted Kubernetes environments, such as AKS and EKS.
On creating a Backstage CR with the unchanged default configuration, the RHDH InitContainer failed with an error like:
Error: EACCES: permission denied, open '/dynamic-plugins-root/backstage-plugin-scaffolder-backend-module-github-dynamic-0.2.2.tgz'
The reason it does not fail in a local environment is that the chown/chmod/fix-permissions steps seem to work for mounted directories there, but do not work on AKS/EKS (which is quite expected IMO), so we have permissions like:
- drwxr-xr-x 1 root root 4096 Mar 1 18:56 dynamic-plugins- for "hosted" (fails, with permission error)
- drwxrwxr-x 1 root root 4096 Mar 1 18:56 dynamic-plugins- for "local" (works)
To work around this problem, fsGroup= can be used in the Pod's securityContext; it makes the directory permissions like:
drwxrwsr-x 14 root 1001 4096 Mar 11 14:59 dynamic-plugins-root
which works, but it MAY make the Pod's startup slower. As stated here: Kubernetes recursively changes ownership and permissions for the contents of each volume to match the fsGroup specified in a Pod's securityContext when that volume is mounted. For large volumes, checking and changing ownership and permissions can take a lot of time, slowing Pod startup.
So, it was decided not to include it as a general solution and to solve it case-by-case, with proper documentation (for AKS/EKS etc.), which is not ideal either because it makes the procedure more difficult while it is not really "platform specific" strictly speaking (again, IMO it is quite expected).
PROPOSAL for Kubernetes (hardly simply applicable for OpenShift) which allows solving this problem can be as simple as using the root user in the InitialContainer instead of the default user = 1001 (see below). This way the InitialContainer has full control of the dynamic plugins preparation and the Backstage Container can safely use it as it is (read permission is enough).
deployment.yaml
spec:
  ...
  template:
    ...
    spec:
      ...
      initContainers:
        - name: install-dynamic-plugins
          ...
          securityContext:
            runAsUser: 0
Upstream URL: https://github.com/janus-idp/operator/issues/254
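Added example (not part of the upstream issue or the operator's code): a Python check of the directory listings quoted above against the POSIX owner/group/other rules, showing why the init container can or cannot write plugin archives in each case. It assumes the default container user is UID 1001 with primary GID 0 and that fsGroup adds GID 1001 as a supplementary group; neither value is stated in the issue.

```python
# Added example: POSIX owner/group/other check over the `ls -ld` lines quoted
# in the issue. UIDs/GIDs of the processes below are assumptions, not page data.
IDS = {"root": 0, "1001": 1001}  # names as they appear in the listings

LISTINGS = {  # copied from the issue text (directory name as quoted there)
    "hosted": "drwxr-xr-x 1 root root 4096 Mar 1 18:56 dynamic-plugins-",
    "local": "drwxrwxr-x 1 root root 4096 Mar 1 18:56 dynamic-plugins-",
    "fsgroup": "drwxrwsr-x 14 root 1001 4096 Mar 11 14:59 dynamic-plugins-root",
}


def applicable_class(listing, uid, gids):
    """Return the single rwx triplet that applies: owner, else group, else other."""
    mode, _links, owner, group = listing.split()[:4]
    if uid == IDS[owner]:
        return mode[1:4]
    if IDS[group] in gids:
        return mode[4:7]
    return mode[7:10]


def can_write_into(listing, uid, gids):
    """Creating a file in a directory needs write and search (x) permission."""
    _r, w, x = applicable_class(listing, uid, gids)
    return w == "w" and x in ("x", "s", "t")  # s/t: x plus setuid/setgid/sticky


def can_read_from(listing, uid, gids):
    """Listing and opening existing entries needs read and search permission."""
    r, _w, x = applicable_class(listing, uid, gids)
    return r == "r" and x in ("x", "s", "t")


def evaluate():
    default_user = (1001, {0})        # assumption: UID 1001 with primary GID 0
    with_fsgroup = (1001, {0, 1001})  # assumption: fsGroup adds GID 1001
    root_init = (0, {0})              # the proposal: runAsUser: 0 in the initContainer
    return {
        "hosted, init as 1001": can_write_into(LISTINGS["hosted"], *default_user),
        "local, init as 1001": can_write_into(LISTINGS["local"], *default_user),
        "fsGroup, init as 1001": can_write_into(LISTINGS["fsgroup"], *with_fsgroup),
        "hosted, init as root": can_write_into(LISTINGS["hosted"], *root_init),
        "hosted, backstage reads": can_read_from(LISTINGS["hosted"], *default_user),
    }


if __name__ == "__main__":
    for scenario, ok in evaluate().items():
        print(f"{scenario}: {'ok' if ok else 'EACCES'}")
```

The check covers mode bits only; ACLs and Linux capabilities are outside its scope.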
- relates to
RHIDP-5587 Add Platform patch to default configuration
- Closed