luarx commented on issue #805:
URL: https://github.com/apache/apisix-helm-chart/issues/805#issuecomment-4729318968

Confirmed workaround from @JulianSobott works. For those using UID 636 (the actual apisix system user in the official apache/apisix image), the same approach applies with runAsUser: 636 instead of 1000.

The writable paths that need emptyDir mounts are:
- /usr/local/apisix/conf — APISIX rewrites nginx.conf and config_listen.sock at every startup
- /usr/local/apisix/logs — worker event sockets
- /tmp, /usr/local/apisix/client_body_temp, proxy_temp, fastcgi_temp, uwsgi_temp, scgi_temp — nginx temp dirs

The initContainer copying /usr/local/apisix/conf/* into the writable emptyDir is required — without it APISIX starts with an empty conf dir and fails.

**This should be supported by default**.
Running with readOnlyRootFilesystem: true is a baseline security expectation for production workloads, and requiring users to manually wire up 8 emptyDir volumes plus an initContainer is a significant barrier. The Bitnami bitnami/apisix chart already ships this configuration out of the box — readOnlyRootFilesystem: true is their default, with all necessary volumes and initContainer pre-configured. The official chart should do the same.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
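
The wiring described in the comment above, written out as a plain Pod manifest. This is an added example, not taken from the comment or from either chart. Assumptions: the Pod, container and volume names, the image tag placeholder, the /conf-rw staging path, and that the five nginx temp directories all sit under /usr/local/apisix.

```yaml
# Added illustration: read-only root filesystem with the eight writable emptyDirs.
apiVersion: v1
kind: Pod
metadata:
  name: apisix-readonly-example          # hypothetical name
spec:
  securityContext:
    runAsUser: 636                       # apisix system user, per the comment
  initContainers:
    - name: copy-conf                    # hypothetical name
      image: "apache/apisix:TAG_PLACEHOLDER"
      # Seed the writable conf volume from the image's own conf directory;
      # without this step APISIX starts with an empty conf dir and fails.
      command: ["sh", "-c", "cp -r /usr/local/apisix/conf/. /conf-rw/"]
      securityContext:
        readOnlyRootFilesystem: true
      volumeMounts:
        - { name: conf, mountPath: /conf-rw }   # assumed staging path
  containers:
    - name: apisix
      image: "apache/apisix:TAG_PLACEHOLDER"
      securityContext:
        readOnlyRootFilesystem: true
      volumeMounts:
        # nginx.conf and config_listen.sock are rewritten at every startup
        - { name: conf, mountPath: /usr/local/apisix/conf }
        # worker event sockets
        - { name: logs, mountPath: /usr/local/apisix/logs }
        # nginx temp dirs
        - { name: tmp, mountPath: /tmp }
        - { name: client-body-temp, mountPath: /usr/local/apisix/client_body_temp }
        - { name: proxy-temp, mountPath: /usr/local/apisix/proxy_temp }
        - { name: fastcgi-temp, mountPath: /usr/local/apisix/fastcgi_temp }
        - { name: uwsgi-temp, mountPath: /usr/local/apisix/uwsgi_temp }
        - { name: scgi-temp, mountPath: /usr/local/apisix/scgi_temp }
  volumes:
    - { name: conf, emptyDir: {} }
    - { name: logs, emptyDir: {} }
    - { name: tmp, emptyDir: {} }
    - { name: client-body-temp, emptyDir: {} }
    - { name: proxy-temp, emptyDir: {} }
    - { name: fastcgi-temp, emptyDir: {} }
    - { name: uwsgi-temp, emptyDir: {} }
    - { name: scgi-temp, emptyDir: {} }
```

Because the conf volume is an emptyDir, it is re-seeded from the image on every Pod start, so any configuration supplied separately (for example from a ConfigMap) has to be applied after the copy step.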
