SSH not working due missing security capability in CRI-O environment (#176)

This patch add the SYS_CHROOT capability if the securityContext is undefined. Otherwise the SSH Server does not work correctly as described in the issue #161. Fixes: #161 Co-authored-by: Markus Pesch <markus.pesch@cryptic.systems> Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/176 Reviewed-by: techknowlogick <techknowlogick@gitea.io> Reviewed-by: justusbunsi <justusbunsi@noreply.gitea.io> Reviewed-by: luhahn <luhahn@noreply.gitea.io> Co-authored-by: Markus Pesch <volker.raschek@noreply.gitea.io> Co-committed-by: Markus Pesch <volker.raschek@noreply.gitea.io>
2021-07-01 23:02:56 +08:00
parent b7dbb22025
commit 767a073a0a
2 changed files with 35 additions and 10 deletions
--- a/values.yaml
+++ b/values.yaml
@ -16,15 +16,22 @@ imagePullSecrets: []

 # only usable with rootless image due to image design
 securityContext: {}
-#  allowPrivilegeEscalation: false
-#  capabilities:
-#    drop:
-#      - ALL
-#  privileged: false
-#  readOnlyRootFilesystem: true
-#  runAsGroup: 1000
-#  runAsNonRoot: true
-#  runAsUser: 1000
+#   allowPrivilegeEscalation: false
+#   capabilities:
+#     drop:
+#       - ALL
+#   # Add the SYS_CHROOT capability for root and rootless images if you intend to
+#   # run pods on nodes that use the container runtime cri-o. Otherwise, you will
+#   # get an error message from the SSH server that it is not possible to read from
+#   # the repository.
+#   # https://gitea.com/gitea/helm-chart/issues/161
+#     add:
+#       - SYS_CHROOT
+#   privileged: false
+#   readOnlyRootFilesystem: true
+#   runAsGroup: 1000
+#   runAsNonRoot: true
+#   runAsUser: 1000

 service:
  http: