[jira] [Work logged] (KNOX-3257) Update knox image creatation so that we do not need escalated privileges in helm install

Fri, 20 Feb 2026 06:18:10 -0800 


     [ 
https://issues.apache.org/jira/browse/KNOX-3257?focusedWorklogId=1006380&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1006380
 ]

ASF GitHub Bot logged work on KNOX-3257:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 20/Feb/26 14:17
            Start Date: 20/Feb/26 14:17
    Worklog Time Spent: 10m 
      Work Description: smolnar82 commented on PR #1151:
URL: https://github.com/apache/knox/pull/1151#issuecomment-3935111993

   The use of a fixed GID and group-based access makes sense for 
Helm/Kubernetes compatibility.
   
   However, granting `g+rwx` on all directories under `home/knox` may be 
broader than necessary.
   
   Since the JIRA mentions keystore updates specifically, would it be safer to 
restrict write permissions to the directories that actually need mutation 
(e.g., `data/security/keystores`, possibly `conf`)?
   
   This would better follow the principle of least privilege while preserving 
the intended functionality.




Issue Time Tracking
-------------------

    Worklog Id:     (was: 1006380)
    Time Spent: 0.5h  (was: 20m)

> Update knox image creatation so that we do not need escalated privileges in 
> helm install  
> ------------------------------------------------------------------------------------------
>
>                 Key: KNOX-3257
>                 URL: https://issues.apache.org/jira/browse/KNOX-3257
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: docker
>            Reporter: Sandeep More
>            Assignee: Sandeep More
>            Priority: Major
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Currently knox docker images are created such that only knox user has access 
> to it's fil;es and directories. There are times when helm operations want to 
> update the keystore, to add certs specifically, such operations need root 
> privileges in helm (or use the exact knox UID which cannot be determined by 
> helm container init). The proposed solution is to create a group "knox" with 
> a specific GID and have all the knox specific dirs owned by this group. 
> Then in helm we use that GID to perform operations.  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to