Hi

On Mon, Jul 19, 2021 at 8:53 PM Albert Serrallé <albert.serra...@adevinta.com> wrote:

> Hello all,
>
> I'm trying to run pgadmin in a Kubernetes cluster with enforced Pod
> Security Policies. Long story short, in the cluster, *none* of the Linux
> capabilities are allowed.
>
> The Dockerfile enables this for the python exec:
>
>> setcap CAP_NET_BIND_SERVICE=+eip /usr/bin/python3.8 && \
>
> So the entrypoint.sh fails at startup time, as soon as it invokes the
> python executable:
>
> /entrypoint.sh: line 70: /venv/bin/python3: Operation not permitted
>
> I removed this requirement creating a new Docker image with the following
> definition:
>
>> FROM dpage/pgadmin4:5.5
>> USER root
>> RUN setcap -r /usr/bin/python3.8
>> USER pgadmin
>
> And then it boots without problem (using the 5050 port).
>
> Do you think it makes sense to modify the main Dockerfile to avoid this
> problem?
>

If we do that, then we break the container for anyone who is using a privileged port for the server (e.g. everyone using default settings). I don't see how we could introduce such a change without causing problems for such users.

> Is there any other workaround that doesn't require creating a new image?
>

Not that I can think of, I'm afraid.

--
Dave Page
Blog: https://pgsnake.blogspot.com
Twitter: @pgsnake
EDB: https://www.enterprisedb.com
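A diagnostic for the failure discussed in this thread, added here as an example; it is not code from the thread, the pgAdmin image or its entrypoint.sh. For a binary marked `CAP_NET_BIND_SERVICE=+eip`, the kernel refuses the exec with "Operation not permitted" when the process can obtain that capability neither from its bounding set nor from its inheritable set, which is the situation when every capability is dropped. The function names and sample masks are constructed for this example.

```shell
#!/bin/sh
# Added diagnostic (not pgAdmin's own code): predicts whether exec of a
# binary carrying CAP_NET_BIND_SERVICE=+eip will fail with EPERM.

CAP_NET_BIND_SERVICE=10   # capability number from <linux/capability.h>

# Constructed sample masks: one with bit 10 set, one with everything dropped.
SAMPLE_BND_WITH_BIND=00000000a80425fb
SAMPLE_BND_DROPPED=0000000000000000

# proc_mask FIELD [STATUS_FILE]
# Print the hex mask of a Cap* field (CapBnd, CapInh, ...) from a
# /proc/<pid>/status style file; defaults to the current process.
proc_mask() {
    awk -v f="$1:" '$1 == f { print $2 }' "${2:-/proc/self/status}"
}

# exec_blocked BND_HEX INH_HEX CAP_NUMBER
# Assumes the file is marked <cap>=+eip, as in the Dockerfile line quoted
# above. On exec the kernel grants
#   (bounding & file_permitted) | (inheritable & file_inheritable)
# and, because the file's effective flag is set, returns EPERM unless the
# file-permitted capability ends up granted.
# Exit status 0 means "exec would be refused".
exec_blocked() {
    bit=$(( 1 << $3 ))
    granted=$(( (0x$1 & bit) | (0x$2 & bit) ))
    [ "$granted" -eq 0 ]
}

# report: evaluate the current process, e.g. inside the running container.
report() {
    bnd=$(proc_mask CapBnd)
    inh=$(proc_mask CapInh)
    if exec_blocked "$bnd" "$inh" "$CAP_NET_BIND_SERVICE"; then
        echo "CapBnd=$bnd CapInh=$inh: exec of a +eip binary will fail (EPERM)"
    else
        echo "CapBnd=$bnd CapInh=$inh: exec of a +eip binary is allowed"
    fi
}

# Run the check only when asked, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    report
fi
```

Running it with `--check` in a shell inside the pod shows whether the policy has removed the capability before the entrypoint reaches the python binary.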