SSH not working due to missing security capability in CRI-O environment (#176)

This patch adds the SYS_CHROOT capability if the securityContext is
undefined. Otherwise the SSH server does not work correctly, as described
in issue #161.

Fixes: #161

Co-authored-by: Markus Pesch <markus.pesch@cryptic.systems>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/176
Reviewed-by: techknowlogick <techknowlogick@gitea.io>
Reviewed-by: justusbunsi <justusbunsi@noreply.gitea.io>
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Co-authored-by: Markus Pesch <volker.raschek@noreply.gitea.io>
Co-committed-by: Markus Pesch <volker.raschek@noreply.gitea.io>
Markus Pesch 2021-07-01 23:02:56 +08:00 committed by luhahn
parent b7dbb22025
commit 767a073a0a
2 changed files with 35 additions and 10 deletions


@ -153,7 +153,7 @@ By default port 3000 is used for web traffic and 22 for ssh. Those can be change
```yaml ```yaml
service: service:
http: http:
port: 3000 port: 3000
ssh: ssh:
port: 22 port: 22
@ -189,6 +189,24 @@ service:
metallb.universe.tf/allow-shared-ip: test metallb.universe.tf/allow-shared-ip: test
``` ```
### SSH on crio based kubernetes cluster
If you use crio as container runtime it is not possible to read from a remote
repository. You should get an error message like this:
```bash
$ git clone git@k8s-demo.internal:admin/test.git
Cloning into 'test'...
Connection reset by 192.168.179.217 port 22
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
```
To solve this problem add the capability `SYS_CHROOT` to the `securityContext`.
More about this issue [here](https://gitea.com/gitea/helm-chart/issues/161).
### Cache ### Cache
This helm chart can use a built in cache. The default is memcached from bitnami. This helm chart can use a built in cache. The default is memcached from bitnami.
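Review bot: the new README section tells the reader to add `SYS_CHROOT` to the `securityContext` but shows no concrete snippet, so a user has to work out the `capabilities.add` form themselves; suggest following that sentence with the values fragment, e.g. `securityContext:` / `capabilities:` / `add: [SYS_CHROOT]`, and saying that `SYS_CHROOT` is one extra kernel capability that should be granted next to an explicit `drop: - ALL` (as in the values.yaml example) rather than on top of the runtime's default capability set. Two wording points in the same hunk: "crio based" in the heading and "crio" in the first sentence should read "CRI-O", and the quoted output is a connection reset from the SSH server, so "it is not possible to read from a remote repository" would be more accurate as "the SSH connection is reset and git cannot read the remote repository".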


@ -16,15 +16,22 @@ imagePullSecrets: []
# only usable with rootless image due to image design # only usable with rootless image due to image design
securityContext: {} securityContext: {}
# allowPrivilegeEscalation: false # allowPrivilegeEscalation: false
# capabilities: # capabilities:
# drop: # drop:
# - ALL # - ALL
# privileged: false # # Add the SYS_CHROOT capability for root and rootless images if you intend to
# readOnlyRootFilesystem: true # # run pods on nodes that use the container runtime cri-o. Otherwise, you will
# runAsGroup: 1000 # # get an error message from the SSH server that it is not possible to read from
# runAsNonRoot: true # # the repository.
# runAsUser: 1000 # # https://gitea.com/gitea/helm-chart/issues/161
# add:
# - SYS_CHROOT
# privileged: false
# readOnlyRootFilesystem: true
# runAsGroup: 1000
# runAsNonRoot: true
# runAsUser: 1000
service: service:
http: http:
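Review bot: this hunk only adds `SYS_CHROOT` as a commented-out entry in the example `securityContext`, so nothing in it changes a default; the commit message says the patch adds the capability when `securityContext` is undefined, which these lines do not do, so either the message should be reworded to say the example and README were extended, or the template change that applies the default belongs in the PR. Two smaller points: the existing header comment says the block is "only usable with rootless image due to image design" while the new comment says to add `SYS_CHROOT` "for root and rootless images", which contradicts it and should be reconciled; and the new `add:` list should sit under the same `capabilities:` key as `drop:` with `drop: - ALL` kept in place, so a pod that follows the example ends up with only `SYS_CHROOT` instead of the runtime's default capabilities plus `SYS_CHROOT`.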