Nj-kol opened a new issue, #52099: URL: https://github.com/apache/doris/issues/52099
### Search before asking

- [x] I had searched in the [issues](https://github.com/apache/doris/issues?q=is%3Aissue) and found no similar issues.

### Version

Apache Doris 3.0.5

### What's Wrong?

While running Doris 3 in Compute Storage Decoupled mode, the backend node is trying to run a privileged container and hence it fails, giving the following issue:

```shell
kubectl describe statefulset doris-disaggregated-cluster-cg1 -n doris

Warning  FailedCreate  26s (x14 over 62s)  statefulset-controller  create Pod doris-disaggregated-cluster-cg1-0 in StatefulSet doris-disaggregated-cluster-cg1 failed error: admission webhook "validation.gatekeeper.sh" denied the request: [psp-privileged-container] Privileged container is not allowed: default-init, securityContext: {"privileged": true}
[psp-privileged-container] Privileged container is not allowed: init, securityContext: {"privileged": true}
```

I checked the file:

https://github.com/apache/doris-operator/blob/master/doc/examples/disaggregated/cluster/ddc-system-init.yaml

It seems there is no way to prevent the default-init container from running in a privileged mode or to disable it.

Need help in this, as I am unable to run Doris on k8s because of this.

### What You Expected?

Expected the Doris BE/Compute nodes to spin up

### How to Reproduce?
My deployment spec:

```yaml
apiVersion: disaggregated.cluster.doris.com/v1
kind: DorisDisaggregatedCluster
metadata:
  name: doris-disaggregated-cluster
spec:
  metaService:
    image: <private_repo>/doris:ms-3.0.5
    imagePullSecrets:
      - name: hosted-nexus-credentials
    replicas: 1
    requests:
      cpu: 1
      memory: 250Mi
    limits:
      cpu: 1
      memory: 250Mi
    fdb:
      configMapNamespaceName:
        name: fdb-cluster-config
        namespace: fdb
  feSpec:
    replicas: 1
    image: <private_repo>/doris:fe-3.0.5
    imagePullSecrets:
      - name: hosted-nexus-credentials
    logNotStore: true
    configMaps:
      - name: fe-configmap
    requests:
      cpu: 1
      memory: 2Gi
    limits:
      cpu: 1
      memory: 2Gi
  computeGroups:
    - uniqueId: cg1
      configMaps:
        - name: be-configmap
          mountPath: "/etc/doris"
      logNotStore: true
      replicas: 1
      image: <private_repo>/doris:be-3.0.5
      imagePullSecrets:
        - name: hosted-nexus-credentials
      systemInitialization:
        initImage: <private_repo>/alpine:3.22.0
        #command: [ "sh", "-c", "echo init container noop" ]
      securityContext:
        runAsNonRoot: true
      containerSecurityContext:
        privileged: false
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: false
      requests:
        cpu: 1
        memory: 1Gi
      limits:
        cpu: 1
        memory: 1Gi
```

### Anything Else?

_No response_

### Are you willing to submit PR?

- [ ] Yes I am willing to submit a PR!

### Code of Conduct

- [x] I agree to follow this project's [Code of Conduct](https://www.apache.org/foundation/policies/conduct)
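
A pre-deployment check for the denial shown above, as an added example that is not part of the original issue or of the Doris operator: it scans a pod template's init and main containers for `privileged: true` and reports them in the same form as the webhook message. The pod template is constructed for illustration; only the container names `default-init` and `init` come from the error output, and the function name is hypothetical.

```python
import json

# Constructed sample: a trimmed pod template of the kind found under
# .spec.template in `kubectl get statefulset <name> -o json` output.
# The init container names come from the denial message in the issue;
# the "compute" container and all other values are assumptions.
SAMPLE_POD_TEMPLATE = json.loads("""
{
  "spec": {
    "initContainers": [
      {"name": "default-init", "securityContext": {"privileged": true}},
      {"name": "init", "securityContext": {"privileged": true}}
    ],
    "containers": [
      {"name": "compute",
       "securityContext": {"privileged": false, "allowPrivilegeEscalation": false}}
    ]
  }
}
""")


def privileged_violations(pod_template):
    """Return one message per container that requests privileged mode.

    Walks initContainers and ephemeralContainers as well as containers,
    so a privileged init container is not missed when only the main
    container's securityContext has been hardened.
    """
    spec = pod_template.get("spec", {})
    violations = []
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(field) or []:
            ctx = container.get("securityContext") or {}
            if ctx.get("privileged") is True:
                violations.append(
                    "Privileged container is not allowed: %s, securityContext: %s"
                    % (container.get("name", "<unnamed>"), json.dumps(ctx))
                )
    return violations


if __name__ == "__main__":
    for message in privileged_violations(SAMPLE_POD_TEMPLATE):
        print(message)
```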
