On Tue, Jul 20, 2021 at 1:43 PM Dave Page <dp...@pgadmin.org> wrote:

> Hi
>
> On Mon, Jul 19, 2021 at 8:53 PM Albert Serrallé <
> albert.serra...@adevinta.com> wrote:
>
>> Hello all,
>>
>> I'm trying to run pgadmin in a Kubernetes cluster with enforced Pod
>> Security Policies. Long story short, in the cluster, *none* of the Linux
>> capabilities are allowed.
>>
>> The Dockerfile enables this for the python exec:
>>
>>> setcap CAP_NET_BIND_SERVICE=+eip /usr/bin/python3.8 && \
>>
>> So the entrypoint.sh fails at startup time, as soon as it invokes the
>> python executable:
>>
>> /entrypoint.sh: line 70: /venv/bin/python3: Operation not permitted
>>
>> I removed this requirement creating a new Docker image with the following
>> definition:
>>
>>> FROM dpage/pgadmin4:5.5
>>> USER root
>>> RUN setcap -r /usr/bin/python3.8
>>> USER pgadmin
>>
>> And then it boots without problem (using the 5050 port).
>>
>> Do you think it makes sense to modify the main Dockerfile to avoid this
>> problem?
>
> If we do that, then we break the container for anyone who is using a
> privileged port for the server (e.g. everyone using default settings). I
> don't see how we could introduce such a change without causing problems for
> such users.

Two separate containers can help.

-- Ashesh

>> Is there any other workaround that doesn't require creating a new image?
>
> Not that I can think of, I'm afraid.
>
> --
> Dave Page
> Blog: https://pgsnake.blogspot.com
> Twitter: @pgsnake
>
> EDB: https://www.enterprisedb.com
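Added example (not part of the thread and not pgAdmin project code): a model of the kernel's file-capability check at execve, showing why a binary marked with `setcap CAP_NET_BIND_SERVICE=+eip` fails with "Operation not permitted" once that capability is outside the process's bounding set. The xattr bytes are constructed for illustration, the function names are hypothetical, and it is an assumption that the pod policy described above leaves the container with an empty bounding set.

```python
import struct

CAP_NET_BIND_SERVICE = 10            # bit number from linux/capability.h
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000
VFS_CAP_REVISION_3 = 0x03000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001   # the "e" in +eip


def parse_vfs_caps(raw):
    """Decode a security.capability xattr (rev 2/3) into (permitted, inheritable, effective)."""
    if not raw:                      # no xattr at all, e.g. after `setcap -r`
        return 0, 0, False
    if len(raw) < 20:
        raise ValueError("xattr too short for vfs_cap_data revision 2/3")
    magic, p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<5I", raw)
    if magic & VFS_CAP_REVISION_MASK not in (VFS_CAP_REVISION_2, VFS_CAP_REVISION_3):
        raise ValueError("unsupported vfs_cap_data revision")
    return p_lo | p_hi << 32, i_lo | i_hi << 32, bool(magic & VFS_CAP_FLAGS_EFFECTIVE)


def exec_result(raw, bounding, proc_inheritable=0):
    """Model execve: P'(permitted) = (F(permitted) & bounding) | (F(inheritable) & P(inheritable))."""
    permitted, inheritable, effective = parse_vfs_caps(raw)
    new_permitted = (permitted & bounding) | (inheritable & proc_inheritable)
    missing = permitted & ~new_permitted
    # With the effective flag set, the kernel refuses to run the file when it
    # cannot grant every file-permitted capability; without it, exec proceeds.
    return "EPERM" if (effective and missing) else "ok"


def constructed_xattr(cap_bit, effective=True):
    """Constructed sample of what `setcap <cap>=+eip` (or +ip) stores, revision 2."""
    mask = 1 << cap_bit
    magic = VFS_CAP_REVISION_2 | (VFS_CAP_FLAGS_EFFECTIVE if effective else 0)
    return struct.pack("<5I", magic, mask & 0xFFFFFFFF, mask & 0xFFFFFFFF,
                       mask >> 32, mask >> 32)


if __name__ == "__main__":
    xattr = constructed_xattr(CAP_NET_BIND_SERVICE)
    print(exec_result(xattr, bounding=0))                          # all capabilities dropped
    print(exec_result(xattr, bounding=1 << CAP_NET_BIND_SERVICE))  # capability still in bounding set
    print(exec_result(b"", bounding=0))                            # file capability removed
```

On a Linux host the real bytes can be read with `os.getxattr(path, "security.capability")` and passed to `exec_result` in place of the constructed sample.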