Run SingleStore with Volume Mounts and Restricted Pod Security

To run SingleStore under the restricted Pod Security Standard, the aggregatorSpec, leafSpec, and backupSpec each support a securityContext field that overrides the security context of the pods the Operator creates for that role. The nodeVolumes field mounts arbitrary volumes into those pods; in the example below it backs /tmp with an emptyDir volume, which is required because readOnlyRootFilesystem: true leaves the rest of the container filesystem unwritable and SingleStore still needs to write to /tmp. leafSpec accepts the same securityContext settings and is omitted from the example for brevity.

aggregatorSpec:
  nodeVolumes:
    volumeMounts:
      - mountPath: /tmp
        name: tmp
    volumes:
      - emptyDir: {}
        name: tmp
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    runAsUser: 999
    seccompProfile:
      type: RuntimeDefault
backupSpec:
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    runAsUser: 999
    seccompProfile:
      type: RuntimeDefault

Add the following securityContext to the container in the Operator Deployment so that the Operator pod also satisfies the restricted profile. Note that the restricted profile additionally requires seccompProfile.type to be RuntimeDefault or Localhost, set at either the pod or the container level; if the Deployment does not already set it on the pod, add a seccompProfile block to this container securityContext as in the cluster spec above.

securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 10001
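Before applying the cluster spec and the Operator Deployment to a namespace that enforces the restricted profile, it is useful to check them statically so that a missing field surfaces as a clear message rather than a pod admission failure. The following is an added example, not SingleStore's or Kubernetes' own code: it checks the container-level rules of the restricted profile (allowPrivilegeEscalation, capabilities, runAsNonRoot, seccompProfile) on each role's securityContext, and, for the aggregator and leaf roles, that readOnlyRootFilesystem is paired with a volume mounted at /tmp as described above. The spec dicts are constructed to mirror the YAML on this page, and the function names are hypothetical.

```python
# Added example, not SingleStore's or Kubernetes' own code: a static pre-flight
# check of a SingleStore cluster spec against the container-level rules of the
# Kubernetes "restricted" Pod Security Standard, plus the writable-/tmp
# requirement this page describes. The dicts below are constructed to mirror
# the YAML on this page; the function names are hypothetical.

ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}
ROLE_SPECS = ("aggregatorSpec", "leafSpec", "backupSpec")
# Assumption: only the database node roles are known (from this page) to need
# a writable /tmp once the root filesystem is read-only.
NODE_ROLES = ("aggregatorSpec", "leafSpec")


def securitycontext_violations(sc):
    """Restricted-profile checks on one container securityContext dict."""
    sc = sc or {}
    out = []
    if sc.get("allowPrivilegeEscalation") is not False:
        out.append("allowPrivilegeEscalation must be false")
    drop = (sc.get("capabilities") or {}).get("drop") or []
    if "ALL" not in drop:
        out.append("capabilities.drop must include ALL")
    if sc.get("runAsNonRoot") is not True:
        out.append("runAsNonRoot must be true")
    if sc.get("runAsUser") == 0:
        out.append("runAsUser must not be 0")
    if (sc.get("seccompProfile") or {}).get("type") not in ALLOWED_SECCOMP:
        out.append("seccompProfile.type must be RuntimeDefault or Localhost")
    return out


def tmp_mount_violations(role_spec):
    """With readOnlyRootFilesystem, /tmp must be backed by a mounted volume."""
    sc = role_spec.get("securityContext") or {}
    if not sc.get("readOnlyRootFilesystem"):
        return []
    nv = role_spec.get("nodeVolumes") or {}
    mounts = {m.get("mountPath"): m.get("name") for m in nv.get("volumeMounts") or []}
    volumes = {v.get("name") for v in nv.get("volumes") or []}
    if "/tmp" not in mounts:
        return ["readOnlyRootFilesystem is true but no volume is mounted at /tmp"]
    if mounts["/tmp"] not in volumes:
        return ["volumeMount /tmp names undefined volume %r" % mounts["/tmp"]]
    return []


def restricted_violations(spec):
    """Return {role: [violations]} for every role the Operator creates pods for."""
    report = {}
    for role in ROLE_SPECS:
        role_spec = spec.get(role)
        if role_spec is None or "securityContext" not in role_spec:
            # No override means the pods get the Operator defaults, which the
            # restricted profile will reject at admission.
            report[role] = ["%s has no securityContext override" % role]
            continue
        problems = securitycontext_violations(role_spec["securityContext"])
        if role in NODE_ROLES:
            problems += tmp_mount_violations(role_spec)
        report[role] = problems
    return report


def restricted_sc(uid, seccomp="RuntimeDefault"):
    """Build the securityContext block shown on this page for a given UID."""
    sc = {
        "allowPrivilegeEscalation": False,
        "capabilities": {"drop": ["ALL"]},
        "readOnlyRootFilesystem": True,
        "runAsNonRoot": True,
        "runAsUser": uid,
    }
    if seccomp:
        sc["seccompProfile"] = {"type": seccomp}
    return sc


# Constructed to mirror the aggregatorSpec/backupSpec on this page (leafSpec omitted).
PAGE_SPEC = {
    "aggregatorSpec": {
        "nodeVolumes": {
            "volumeMounts": [{"mountPath": "/tmp", "name": "tmp"}],
            "volumes": [{"emptyDir": {}, "name": "tmp"}],
        },
        "securityContext": restricted_sc(999),
    },
    "backupSpec": {"securityContext": restricted_sc(999)},
}

# Constructed to mirror the Operator container securityContext on this page,
# which sets no seccompProfile.
OPERATOR_CONTAINER_SC = restricted_sc(10001, seccomp=None)


if __name__ == "__main__":
    for role, problems in restricted_violations(PAGE_SPEC).items():
        print(role, "OK" if not problems else problems)
    print("operator container", securitycontext_violations(OPERATOR_CONTAINER_SC) or "OK")
```

Run against the page's own YAML, the check passes the aggregator and backup specs, reports that leafSpec has no override, and flags the Operator container for the missing seccompProfile; copying the aggregator settings to leafSpec and adding seccompProfile to the Operator container clears both findings.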

Refer to Enforce Pod Security Standards with Namespace Labels in the Kubernetes documentation for how to apply the restricted profile to the namespace running the Operator and the cluster.

Last modified: August 2, 2024
