docs: scheduler securityContext.fsGroup is opt-in (OpenShift)#5219
Draft
nelson-parente wants to merge 2 commits into
Conversation
Signed-off-by: nelson.parente <nelson_parente@live.com.pt>
Pull request overview
Adds Kubernetes documentation clarifying that dapr_scheduler.securityContext.fsGroup became opt-in starting in Dapr 1.19, with platform-specific guidance (set it on “standard” Kubernetes when needed for PV write access; leave it unset on OpenShift to avoid SCC fsGroup conflicts).
Changes:
- Introduces a new Persistent Volume Write Access (fsGroup) subsection under Production Setup.
- Provides Dapr CLI and Helm examples for explicitly setting `dapr_scheduler.securityContext.fsGroup=65532` when required.
- Adds OpenShift-specific guidance to leave `fsGroup` unset and includes a note about storage providers that already handle ownership.
Files changed (added lines of the new subsection, as rendered in the diff):

### Persistent Volume Write Access (fsGroup)

The Scheduler process runs as a non-root user (UID/GID `65532`). For the mounted persistent volume to be writable by that process, the Kubernetes kubelet must chown the volume to the correct group, which it does when an `fsGroup` is set in the pod's `securityContext`.

As of Dapr 1.19, `dapr_scheduler.securityContext.fsGroup` is **opt-in** (no default value). Previously it was hardcoded to `65532`, which caused problems on OpenShift, where each project's Security Context Constraints (SCC) assigns its own `fsGroup` from an allowed range, making an explicit value invalid.
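Review bot: The second paragraph's "making an explicit value invalid" overstates the OpenShift failure; the problem is specifically that a hardcoded `65532` falls outside the range the project's SCC allows for `fsGroup`, so consider wording it as "a hardcoded value outside the project's SCC range is rejected, which can prevent the pod from starting". The first paragraph would also benefit from stating the consequence of leaving the value unset on standard Kubernetes (the kubelet performs no chown, so the volume may not be writable by UID `65532` unless the storage provisioner already grants access), since that is the trade-off the opt-in introduces and the PR summary already describes it.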
…review) Signed-off-by: Nelson Parente <nelson_parente@live.com.pt>
Summary
Documents that `dapr_scheduler.securityContext.fsGroup` is opt-in as of Dapr 1.19 (previously hardcoded to `65532`).
- Kubernetes: set `dapr_scheduler.securityContext.fsGroup=65532` if your storage provisioner does not grant write access automatically; the kubelet will chown the volume on mount.
- OpenShift: leave `fsGroup` unset — OpenShift assigns one automatically from the project's SCC range. An explicit value overrides that assignment and can prevent the pod from starting.

The note is placed in a new Persistent Volume Write Access (fsGroup) subsection inside Production Setup, immediately before the existing Storage Class subsection, since both concern PV configuration.
Targets Dapr 1.19.
Code: dapr/dapr#10112
Relates to: dapr/dapr#8885
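The two platform rules above (set `fsGroup=65532` on standard Kubernetes when the PV needs a chown, leave it unset on OpenShift) can be turned into a preflight check. The block below is an added example, not code from Dapr or from this PR: it builds the `--set` argument for `helm upgrade` or `dapr init -k`, and inspects a rendered Scheduler pod spec for the setting. The pod specs are constructed inline, the `platform` strings and the optional `scc_range` argument (the SCC's `fsGroup` MustRunAs min/max) are assumptions of this example.

```python
"""Preflight check for the Dapr Scheduler fsGroup setting.

Added example; not Dapr's own code. It encodes the rule documented in this PR:
set dapr_scheduler.securityContext.fsGroup explicitly on standard Kubernetes when
the persistent volume needs a chown, and leave it unset on OpenShift, where the
project's SCC assigns the value from an allowed range.
"""
from typing import Dict, List, Optional, Tuple

SCHEDULER_UID_GID = 65532  # non-root UID/GID the Scheduler runs as (from the docs text)
HELM_KEY = "dapr_scheduler.securityContext.fsGroup"


def helm_set_args(platform: str) -> List[str]:
    """Return the --set arguments for `helm upgrade` / `dapr init -k` on this platform."""
    if platform == "openshift":
        return []  # leave unset: the project's SCC assigns fsGroup from its range
    return ["--set", f"{HELM_KEY}={SCHEDULER_UID_GID}"]


def check_fsgroup(pod_spec: Dict, platform: str,
                  scc_range: Optional[Tuple[int, int]] = None) -> List[str]:
    """Report fsGroup problems in a rendered Scheduler pod spec (dict form of the YAML).

    scc_range is a hypothetical (min, max) of the SCC's fsGroup range on OpenShift,
    used only to explain why an explicit value is rejected there.
    """
    findings: List[str] = []
    fs_group = (pod_spec.get("securityContext") or {}).get("fsGroup")
    # A StatefulSet's volumeClaimTemplates render into a persistentVolumeClaim volume.
    uses_pv = any("persistentVolumeClaim" in v for v in pod_spec.get("volumes", []))

    if platform == "openshift":
        if fs_group is not None:
            msg = (f"fsGroup={fs_group} is set explicitly; OpenShift assigns fsGroup "
                   "from the project's SCC range, and an explicit value overrides it")
            if scc_range and not (scc_range[0] <= fs_group <= scc_range[1]):
                msg += (f" (value is outside the SCC range {scc_range[0]}-{scc_range[1]},"
                        " which can prevent the pod from starting)")
            findings.append(msg)
    elif uses_pv and fs_group is None:
        findings.append(
            "fsGroup unset: the kubelet will not chown the PV on mount, so UID "
            f"{SCHEDULER_UID_GID} may lack write access unless the storage "
            "provisioner grants it automatically")
    return findings


# Constructed sample pod specs (not real Dapr manifests).
_CONTAINER = {"name": "dapr-scheduler-server", "image": "PLACEHOLDER/dapr-scheduler"}
SCHEDULER_POD_UNSET = {
    "containers": [_CONTAINER],
    "volumes": [{"name": "dapr-scheduler-data-dir",
                 "persistentVolumeClaim": {"claimName": "dapr-scheduler-data-dir-0"}}],
}
SCHEDULER_POD_EXPLICIT = dict(SCHEDULER_POD_UNSET,
                              securityContext={"fsGroup": SCHEDULER_UID_GID})
SCHEDULER_POD_NO_PV = {
    "containers": [_CONTAINER],
    "volumes": [{"name": "dapr-scheduler-data-dir", "emptyDir": {}}],
}


if __name__ == "__main__":
    for platform in ("kubernetes", "openshift"):
        print(platform, "helm args:", helm_set_args(platform))
        for label, spec in (("unset", SCHEDULER_POD_UNSET),
                            ("explicit", SCHEDULER_POD_EXPLICIT)):
            rng = (1000000000, 1000009999) if platform == "openshift" else None
            print(f"  {label}:", check_fsgroup(spec, platform, rng) or ["ok"])
```

Run it against the output of `kubectl get pod <scheduler-pod> -o json` (the `.spec` object) to see whether an existing installation matches the platform rule before upgrading to 1.19, where the default disappears.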