lhotari opened a new pull request, #22081:
URL: https://github.com/apache/pulsar/pull/22081
### Motivation
Currently Pulsar's docker image must be run with gid=0. There are
environments where the group id 0 is prohibited by default. One example is
Tanzu Kubernetes Grid <=1.24 where a default Pod Security Policy called
`vmware-system-restricted` is used. That PSP contains this type of rule:
```yaml
supplementalGroups:
  rule: MustRunAs
  ranges:
  - min: 1
    max: 65535
runAsUser:
  rule: MustRunAsNonRoot
fsGroup:
  rule: MustRunAs
  ranges:
  - min: 1
    max: 65535
```
In this case, it's not possible to use Pulsar's docker image since Pulsar
needs write access to a few directories.
### Modifications
Change the owner of the writable directories to user id 10000.
This will allow Tanzu to work with this type of securityContext for each
Pulsar component (Broker, Zookeeper, Bookkeeper):
```yaml
securityContext:
  runAsNonRoot: true
  runAsGroup: 10001
  fsGroup: 10001
  runAsUser: 10000
```
### Documentation
<!-- DO NOT REMOVE THIS SECTION. CHECK THE PROPER BOX ONLY. -->
- [ ] `doc` <!-- Your PR contains doc changes. -->
- [ ] `doc-required` <!-- Your PR changes impact docs and you will update later -->
- [x] `doc-not-needed` <!-- Your PR changes do not impact docs -->
- [ ] `doc-complete` <!-- Docs have been already added -->
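An added example, not part of the PR or of the Pulsar project: a simplified Python model of the three PSP rules quoted in the description, showing that the proposed `securityContext` is admitted while a context that relies on gid 0 is rejected. The checker, the `violations` helper and the `GID_ZERO` sample are assumptions constructed for illustration; this is not the Kubernetes admission controller's code.

```python
# Rule data mirrors the PSP excerpt quoted in the PR description.
PSP_RULES = {
    "supplementalGroups": {"rule": "MustRunAs", "ranges": [{"min": 1, "max": 65535}]},
    "runAsUser": {"rule": "MustRunAsNonRoot"},
    "fsGroup": {"rule": "MustRunAs", "ranges": [{"min": 1, "max": 65535}]},
}

# securityContext proposed in the PR description.
PROPOSED = {"runAsNonRoot": True, "runAsGroup": 10001, "fsGroup": 10001, "runAsUser": 10000}

# Constructed counter-example: a pod that relies on gid 0 for write access.
GID_ZERO = {"runAsNonRoot": True, "runAsUser": 10000, "fsGroup": 0, "supplementalGroups": [0]}


def in_ranges(value, ranges):
    """True if value falls inside at least one {min, max} range."""
    return any(r["min"] <= value <= r["max"] for r in ranges)


def violations(ctx, rules=PSP_RULES):
    """Return a list of violations; an empty list means the context passes."""
    found = []
    if rules.get("runAsUser", {}).get("rule") == "MustRunAsNonRoot":
        uid = ctx.get("runAsUser")
        # Simplification: an unset runAsUser passes only with runAsNonRoot: true.
        if uid == 0 or (uid is None and not ctx.get("runAsNonRoot")):
            found.append("runAsUser: must not run as root")
    for field in ("fsGroup", "supplementalGroups"):
        rule = rules.get(field, {})
        if rule.get("rule") != "MustRunAs":
            continue
        value = ctx.get(field)
        if value is None:
            continue  # simplification: unset fields are not checked here
        gids = value if isinstance(value, list) else [value]
        for gid in gids:
            if not in_ranges(gid, rule["ranges"]):
                found.append(f"{field}: gid {gid} outside allowed ranges")
    return found


if __name__ == "__main__":
    for name, ctx in (("proposed", PROPOSED), ("gid-zero", GID_ZERO)):
        print(name, violations(ctx) or "admitted")
```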