diff --git a/README.md b/README.md
index 8b995f1..3682381 100644
--- a/README.md
+++ b/README.md
@@ -153,7 +153,7 @@ By default port 3000 is used for web traffic and 22 for ssh. Those can be change
 ```yaml
 service:
- http:
+ http:
 port: 3000
 ssh:
 port: 22
@@ -189,6 +189,24 @@ service:
 metallb.universe.tf/allow-shared-ip: test
 ```
+### SSH on crio based kubernetes cluster
+
+If you use crio as container runtime it is not possible to read from a remote
+repository. You should get an error message like this:
+
+```bash
+$ git clone git@k8s-demo.internal:admin/test.git
+Cloning into 'test'...
+Connection reset by 192.168.179.217 port 22
+fatal: Could not read from remote repository.
+
+Please make sure you have the correct access rights
+and the repository exists.
+```
+
+To solve this problem add the capability `SYS_CHROOT` to the `securityContext`.
+More about this issue [here](https://gitea.com/gitea/helm-chart/issues/161).
+
 ### Cache
 This helm chart can use a built in cache. The default is memcached from bitnami.
diff --git a/values.yaml b/values.yaml
index 3e96f79..5851337 100644
--- a/values.yaml
+++ b/values.yaml
@@ -16,15 +16,22 @@ imagePullSecrets: []
 # only usable with rootless image due to image design
 securityContext: {}
-# allowPrivilegeEscalation: false
-# capabilities:
-# drop:
-# - ALL
-# privileged: false
-# readOnlyRootFilesystem: true
-# runAsGroup: 1000
-# runAsNonRoot: true
-# runAsUser: 1000
+# allowPrivilegeEscalation: false
+# capabilities:
+# drop:
+# - ALL
+# # Add the SYS_CHROOT capability for root and rootless images if you intend to
+# # run pods on nodes that use the container runtime cri-o. Otherwise, you will
+# # get an error message from the SSH server that it is not possible to read from
+# # the repository.
+# # https://gitea.com/gitea/helm-chart/issues/161
+# add:
+# - SYS_CHROOT
+# privileged: false
+# readOnlyRootFilesystem: true
+# runAsGroup: 1000
+# runAsNonRoot: true
+# runAsUser: 1000
 service:
 http:
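Review bot: The comment added above `add:` in values.yaml says SYS_CHROOT applies to "root and rootless images", while the context line just above `securityContext: {}` says the block is "only usable with rootless image", so a reader cannot tell whether the setting takes effect for the root image; one of the two statements should be corrected. The `add: - SYS_CHROOT` entry also sits inside the general hardening example, so uncommenting the block as a whole keeps that capability after `drop: ALL` even on runtimes where, going by the comment, it is not needed. I would mark it as optional in the comment itself, for example `# Optional, cri-o only: omit on other runtimes so that drop: ALL leaves no capability.`, and add one sentence saying that the capability permits the chroot(2) call, so an operator can weigh the trade-off before enabling it.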