Run SingleStore with Volume Mounts and Restricted Pod Security
Warning
SingleStore 9.0 gives you the opportunity to preview, evaluate, and provide feedback on new and upcoming features prior to their general availability. In the interim, SingleStore 8.9 is recommended for production workloads, which can later be upgraded to SingleStore 9.0.
To run SingleStore within a restricted security context, the `aggregatorSpec`, `leafSpec`, and `backupSpec` sections all support a `securityContext` field that overrides the pod security context so the pods satisfy the cluster's Pod Security requirements. Because `readOnlyRootFilesystem: true` makes the container's root filesystem read-only, the `nodeVolumes` field is used to mount an `emptyDir` volume at `/tmp`; in this example that mount is required so that SingleStore can still write to the `/tmp` directory.
```yaml
aggregatorSpec:
  nodeVolumes:
    volumeMounts:
      - mountPath: /tmp
        name: tmp
    volumes:
      - emptyDir: {}
        name: tmp
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    runAsUser: 999
    seccompProfile:
      type: RuntimeDefault
```

```yaml
backupSpec:
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    runAsUser: 999
    seccompProfile:
      type: RuntimeDefault
```
Add the following `securityContext` to the operator container in the Operator Deployment so that it also meets the restricted security requirements. Note that the restricted profile additionally requires `seccompProfile.type` to be `RuntimeDefault` or `Localhost`, set either on the pod spec or on every container; if the Deployment does not already set it at the pod level, add it to this container as well, otherwise the pod is rejected under `enforce=restricted`.

```yaml
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 10001
```
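As an added example (not from the SingleStore documentation or the operator's own code), the following Python script checks a `securityContext` against the Pod Security Standards `restricted` profile for the fields used on this page, merging pod-level and container-level settings the way the admission controller does. It also checks the read-only root filesystem case that the `nodeVolumes` mount at `/tmp` exists to handle. The sample specs are constructed from this page's YAML; the function names and scenario labels are assumptions of mine.

```python
# Added example, not SingleStore's own code: an offline checker for the
# Kubernetes Pod Security Standards "restricted" profile, limited to the
# securityContext fields that appear on this page. Sample specs are
# constructed from the page's YAML; function names are my own.

# Fields a container inherits from the pod-level securityContext when it does
# not set them itself. allowPrivilegeEscalation and capabilities exist only at
# container level, so they are never inherited.
POD_INHERITABLE = ("runAsNonRoot", "runAsUser", "seccompProfile")

ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}
ALLOWED_CAP_ADD = {"NET_BIND_SERVICE"}


def effective_context(pod_sc, container_sc):
    """Merge pod- and container-level securityContext; the container wins."""
    merged = {k: v for k, v in (pod_sc or {}).items() if k in POD_INHERITABLE}
    merged.update(container_sc or {})
    return merged


def restricted_violations(pod_sc, container_sc):
    """Return the list of 'restricted' profile rules the container breaks."""
    sc = effective_context(pod_sc, container_sc)
    problems = []
    if sc.get("privileged") is True:
        problems.append("privileged must not be true")
    # Must be explicitly false; leaving it unset fails the restricted profile.
    if sc.get("allowPrivilegeEscalation") is not False:
        problems.append("allowPrivilegeEscalation must be explicitly false")
    caps = sc.get("capabilities") or {}
    if "ALL" not in (caps.get("drop") or []):
        problems.append("capabilities.drop must include ALL")
    if set(caps.get("add") or []) - ALLOWED_CAP_ADD:
        problems.append("capabilities.add may only contain NET_BIND_SERVICE")
    if sc.get("runAsNonRoot") is not True:
        problems.append("runAsNonRoot must be true")
    if sc.get("runAsUser") == 0:
        problems.append("runAsUser must not be 0")
    seccomp = (sc.get("seccompProfile") or {}).get("type")
    if seccomp not in ALLOWED_SECCOMP:
        problems.append("seccompProfile.type must be RuntimeDefault or Localhost")
    return problems


def tmp_mount_missing(container_sc, volume_mounts):
    """True when the root filesystem is read-only and nothing is mounted at
    /tmp, i.e. the situation the page's nodeVolumes emptyDir mount avoids."""
    if not (container_sc or {}).get("readOnlyRootFilesystem"):
        return False
    return not any(m.get("mountPath") == "/tmp" for m in volume_mounts or [])


# Constructed from the aggregatorSpec / backupSpec securityContext on this page.
SINGLESTORE_SC = {
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
    "readOnlyRootFilesystem": True,
    "runAsNonRoot": True,
    "runAsUser": 999,
    "seccompProfile": {"type": "RuntimeDefault"},
}
SINGLESTORE_MOUNTS = [{"mountPath": "/tmp", "name": "tmp"}]

# Constructed from the Operator container securityContext on this page.
OPERATOR_SC = {
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
    "readOnlyRootFilesystem": True,
    "runAsNonRoot": True,
    "runAsUser": 10001,
}


def check_page_specs():
    """Evaluate the page's specs; the keys are my own scenario labels."""
    return {
        "singlestore": restricted_violations({}, SINGLESTORE_SC),
        "singlestore_tmp_missing": tmp_mount_missing(SINGLESTORE_SC, []),
        "singlestore_tmp_mounted": tmp_mount_missing(SINGLESTORE_SC, SINGLESTORE_MOUNTS),
        # Operator container on its own: no seccompProfile anywhere.
        "operator_alone": restricted_violations({}, OPERATOR_SC),
        # Same container once the Deployment's pod spec sets seccompProfile.
        "operator_pod_seccomp": restricted_violations(
            {"seccompProfile": {"type": "RuntimeDefault"}}, OPERATOR_SC),
        # A container overriding the pod-level profile to Unconfined still fails.
        "operator_unconfined": restricted_violations(
            {"seccompProfile": {"type": "RuntimeDefault"}},
            {**OPERATOR_SC, "seccompProfile": {"type": "Unconfined"}}),
    }


if __name__ == "__main__":
    for name, result in check_page_specs().items():
        print(f"{name}: {result}")
```

Running the script shows the SingleStore spec passing, the operator container failing only on `seccompProfile` until the pod spec supplies one, and the `/tmp` check failing whenever `readOnlyRootFilesystem` is set without a matching volume mount. The merge in `effective_context` is the important detail: `seccompProfile`, `runAsNonRoot` and `runAsUser` can be satisfied at pod level, but a container that sets its own `seccompProfile` to `Unconfined` overrides the pod value and is rejected.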
Refer to Enforce Pod Security Standards with Namespace Labels for more information.
Last modified: August 2, 2024