Sign inTry Free

Run SingleStore with Volume Mounts and Restricted Pod Security

Warning

SingleStore 9.0 gives you the opportunity to preview, evaluate, and provide feedback on new and upcoming features prior to their general availability. In the interim, SingleStore 8.9 is recommended for production workloads, which can later be upgraded to SingleStore 9.0.

To run SingleStore within a restricted security context, the aggregatorSpec, leafSpec, and backupSpec all support a securityContext field for overriding the pod security context to meet Kubernetes requirements. Additionally, the nodeVolumes field allows for mounting arbitrary volumes which, in this example, is required to allow writing to the /tmp directory.

aggregatorSpec:
  nodeVolumes:
    volumeMounts:
    - mountPath: /tmp
      name: tmp
    volumes:
    - emptyDir: {}
      name: tmp
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
      - ALL
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    runAsUser: 999
    seccompProfile:
      type: RuntimeDefault
backupSpec:
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
      - ALL
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    runAsUser: 999
    seccompProfile:
      type: RuntimeDefault

Add the following to the container in the Operator deployment to allow it to meet the restricted security requirements.

securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 10001

Refer to Enforce Pod Security Standards with Namespace Labels for more information.

Last modified: August 2, 2024

Was this article helpful?

Was this article helpful?

Verification instructions

Note: You must install cosign to verify the authenticity of the SingleStore file.

Use the following steps to verify the authenticity of singlestoredb-server, singlestoredb-toolbox, singlestoredb-studio, and singlestore-client SingleStore files that have been downloaded.

You may perform the following steps on any computer that can run cosign, such as the main deployment host of the cluster.

  1. (Optional) Run the following command to view the associated signature files.

    curl undefined

  2. Download the signature file from the SingleStore release server.

    • Option 1: Click the Download Signature button next to the SingleStore file.

    • Option 2: Copy and paste the following URL into the address bar of your browser and save the signature file.

    • Option 3: Run the following command to download the signature file.

      curl -O undefined

  3. After the signature file has been downloaded, run the following command to verify the authenticity of the SingleStore file.

    echo -n undefined |
        cosign verify-blob --certificate-oidc-issuer https://oidc.eks.us-east-1.amazonaws.com/id/CCDCDBA1379A5596AB5B2E46DCA385BC \
          --certificate-identity https://kubernetes.io/namespaces/freya-production/serviceaccounts/job-worker \
          --bundle undefined \
          --new-bundle-format -
    Verified OK