Helm deployment after runAsUser changes

Hi All:

I provisioned an AWS EKS 2-node cluster:
Client Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.0", GitCommit:"af46c47ce925f4c4ad5cc8d1fca46c7b77d13b38", GitTreeState:"clean", BuildDate:"2020-12-08T17:59:43Z", GoVersion:"go1.15.5", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"20+", GitVersion:"v1.20.7-eks-d88609", GitCommit:"d886092805d5cc3a47ed5cf0c43de38ce442dfcb", GitTreeState:"clean", BuildDate:"2021-07-31T00:29:12Z", GoVersion:"go1.15.12", Compiler:"gc", Platform:"linux/amd64"}

I deployed the minimalist setup via:

helm install \
  --set server.replicaCount=1 \
  --set cassandra.config.cluster_size=1 \
  --set prometheus.enabled=false \
  --set grafana.enabled=false \
  --set elasticsearch.enabled=false \
  temporaltest . --timeout 15m

NAME READY STATUS RESTARTS AGE
temporaltest-admintools-85d689ff45-smmpm 1/1 Running 0 12m
temporaltest-cassandra-0 1/1 Running 0 12m
temporaltest-frontend-5c9d676b48-9sxt2 0/1 CrashLoopBackOff 7 12m
temporaltest-history-6f8ddf4bd7-8pxl2 0/1 CrashLoopBackOff 7 12m
temporaltest-matching-5bb56c748b-55h9j 0/1 CrashLoopBackOff 7 12m
temporaltest-web-67fc79c59b-cjc5z 1/1 Running 0 12m
temporaltest-worker-5f7f68bb76-tbm2q 0/1 CrashLoopBackOff 7 12m

logs show the same error:

2021/09/10 21:36:56 unable to create open ./config/docker.yaml: permission denied

pod describe shows:

frodo@weathertop:~/src/helm-charts$ kubectl describe pod temporaltest-worker-5f7f68bb76-

Events:
Type Reason Age From Message
---- ------ --- ---- -------
Normal Scheduled 14m default-scheduler Successfully assigned default/temporaltest-worker-5f7f68bb76-tbm2q to ip-192-168-69-225.us-west-2.compute.internal
Normal Pulling 14m kubelet Pulling image "busybox"
Normal Pulled 14m kubelet Successfully pulled image "busybox" in 1.220684472s
Normal Created 14m kubelet Created container check-cassandra-service
Normal Started 14m kubelet Started container check-cassandra-service
Normal Pulled 14m kubelet Container image "cassandra:3.11.3" already present on machine
Normal Created 14m kubelet Created container check-cassandra
Normal Started 14m kubelet Started container check-cassandra
Normal Pulled 13m kubelet Container image "cassandra:3.11.3" already present on machine
Normal Created 13m kubelet Created container check-cassandra-temporal-schema
Normal Started 13m kubelet Started container check-cassandra-temporal-schema
Normal Pulled 13m kubelet Container image "cassandra:3.11.3" already present on machine
Normal Created 13m kubelet Created container check-cassandra-visibility-schema
Normal Started 13m kubelet Started container check-cassandra-visibility-schema
Normal Pulling 13m kubelet Pulling image "temporalio/server:1.12.0"
Normal Pulled 13m kubelet Successfully pulled image "temporalio/server:1.12.0" in 4.806005725s
Normal Created 13m (x3 over 13m) kubelet Created container temporal-worker
Normal Started 13m (x3 over 13m) kubelet Started container temporal-worker
Normal Pulled 13m (x2 over 13m) kubelet Container image "temporalio/server:1.12.0" already present on machine
Warning BackOff 3m58s (x47 over 13m) kubelet Back-off restarting failed container

Any pointers on this?

Thanks in advance,
farfel

For now, I deleted the runAsUser and fsGroup from the Helm chart to get this started. I guess this has to do with the default pod security policy in EKS, although it's wide open, so not sure why this would be an issue.

kubectl get psp eks.privileged

Warning: policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
NAME PRIV CAPS SELINUX RUNASUSER FSGROUP SUPGROUP READONLYROOTFS VOLUMES
eks.privileged true * RunAsAny RunAsAny RunAsAny RunAsAny false *

Apparently pod security policy is getting reworked:

This is more an EKS thing, but if someone knows why it would not work with the default privileges please let me know.

thanks
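Added example (not from the original post or the Temporal chart): the pod-level securityContext is merged with each container's own securityContext, so the UID a container actually runs as is not always the one the chart sets at the top. This script resolves the effective runAsUser/runAsGroup/fsGroup per container from `kubectl get pod -o json` style output and flags containers pinned to a non-root UID, which is the case where an image that writes into its own directories (here ./config/docker.yaml) fails with "permission denied". The pod JSON and UIDs below are constructed placeholders.

```python
"""Resolve the effective securityContext per container in a pod spec.

Kubernetes merges pod.spec.securityContext with each container's
securityContext: a field set on the container wins over the pod-level
value; fsGroup exists only at pod level and applies to all containers.
"""
import json

# Constructed sample shaped like `kubectl get pod <name> -o json`.
# The UIDs are placeholders, not values taken from the post above.
SAMPLE_POD_JSON = json.dumps({
    "metadata": {"name": "temporaltest-worker-5f7f68bb76-tbm2q"},
    "spec": {
        "securityContext": {"runAsUser": 1000, "fsGroup": 1000},
        "containers": [
            {"name": "temporal-worker", "image": "temporalio/server:1.12.0"},
            {"name": "sidecar", "image": "busybox",
             "securityContext": {"runAsUser": 0}},
        ],
    },
})

# Fields that may be set at both pod and container level.
MERGED_FIELDS = ("runAsUser", "runAsGroup", "runAsNonRoot")


def effective_contexts(pod_json):
    """Return {container_name: {field: effective value}}."""
    spec = json.loads(pod_json)["spec"]
    pod_sc = spec.get("securityContext", {})
    result = {}
    for container in spec.get("containers", []):
        c_sc = container.get("securityContext", {})
        eff = {f: c_sc.get(f, pod_sc.get(f)) for f in MERGED_FIELDS}
        eff["fsGroup"] = pod_sc.get("fsGroup")  # pod-level only
        result[container["name"]] = eff
    return result


def nonroot_containers(pod_json):
    """Containers that will run as a fixed non-root UID. If the image's
    working files are owned by root and not group/world writable, these
    are the containers that will hit EACCES on startup."""
    return sorted(name for name, eff in effective_contexts(pod_json).items()
                  if eff["runAsUser"] not in (None, 0))


if __name__ == "__main__":
    for name, eff in effective_contexts(SAMPLE_POD_JSON).items():
        print(f"{name}: {eff}")
    print("non-root containers:", nonroot_containers(SAMPLE_POD_JSON))
```

Feed it the real pod with `kubectl get pod <name> -o json` and compare the reported UID against the ownership of the path in the error message inside the image.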