From 767a073a0a9713080b12a8a3fd193f3fc1bb96b6 Mon Sep 17 00:00:00 2001 From: Markus Pesch Date: Thu, 1 Jul 2021 23:02:56 +0800 Subject: [PATCH] SSH not working due missing security capability in CRI-O environment (#176) This patch add the SYS_CHROOT capability if the securityContext is undefined. Otherwise the SSH Server does not work correctly as described in the issue #161. Fixes: #161 Co-authored-by: Markus Pesch Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/176 Reviewed-by: techknowlogick Reviewed-by: justusbunsi Reviewed-by: luhahn Co-authored-by: Markus Pesch Co-committed-by: Markus Pesch --- README.md | 20 +++++++++++++++++++- values.yaml | 25 ++++++++++++++++--------- 2 files changed, 35 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 8b995f1..3682381 100644 --- a/README.md +++ b/README.md @@ -153,7 +153,7 @@ By default port 3000 is used for web traffic and 22 for ssh. Those can be change ```yaml service: - http: + http: port: 3000 ssh: port: 22 @@ -189,6 +189,24 @@ service: metallb.universe.tf/allow-shared-ip: test ``` +### SSH on crio based kubernetes cluster + +If you use crio as container runtime it is not possible to read from a remote +repository. You should get an error message like this: + +```bash +$ git clone git@k8s-demo.internal:admin/test.git +Cloning into 'test'... +Connection reset by 192.168.179.217 port 22 +fatal: Could not read from remote repository. + +Please make sure you have the correct access rights +and the repository exists. +``` + +To solve this problem add the capability `SYS_CHROOT` to the `securityContext`. +More about this issue [here](https://gitea.com/gitea/helm-chart/issues/161). + ### Cache This helm chart can use a built in cache. The default is memcached from bitnami. diff --git a/values.yaml b/values.yaml index 3e96f79..5851337 100644 --- a/values.yaml +++ b/values.yaml 
@@ -16,15 +16,22 @@ imagePullSecrets: []
 # only usable with rootless image due to image design
 securityContext: {}
-# allowPrivilegeEscalation: false
-# capabilities:
-# drop:
-# - ALL
-# privileged: false
-# readOnlyRootFilesystem: true
-# runAsGroup: 1000
-# runAsNonRoot: true
-# runAsUser: 1000
+# allowPrivilegeEscalation: false
+# capabilities:
+# drop:
+# - ALL
+# # Add the SYS_CHROOT capability for root and rootless images if you intend to
+# # run pods on nodes that use the container runtime cri-o. Otherwise, you will
+# # get an error message from the SSH server that it is not possible to read from
+# # the repository.
+# # https://gitea.com/gitea/helm-chart/issues/161
+# add:
+# - SYS_CHROOT
+# privileged: false
+# readOnlyRootFilesystem: true
+# runAsGroup: 1000
+# runAsNonRoot: true
+# runAsUser: 1000
 service:
 http:
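Review bot: The added comment `# Add the SYS_CHROOT capability for root and rootless images` contradicts the unchanged context line just above the block, `# only usable with rootless image due to image design`, which says the whole `securityContext` example is only honoured by the rootless image; one of the two should be reworded so a reader knows whether the root image can take this setting at all. The hunk also touches commented-out example text only — `securityContext: {}` is unchanged — so unless a template change lives outside this diff, nothing here sets the capability when `securityContext` is left undefined as the patch description claims, and the README section should tell the user to uncomment the block rather than imply the chart does it for them. From a hardening standpoint the example is sound because `add: - SYS_CHROOT` comes after `drop: - ALL`, so copying it grants exactly one capability. I would still say why it is needed so operators can judge the trade-off; if the cause is what it appears to be, a line such as `# sshd's privilege separation calls chroot(), which needs CAP_SYS_CHROOT; cri-o does not grant it by default` placed above `add:` would do, with the claim confirmed against the issue before merging.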