From 82cea83a9307009e0cdf03f99f186ba9d1cb12f1 Mon Sep 17 00:00:00 2001 From: Andi Skrgat Date: Wed, 16 Jul 2025 11:29:07 +0200 Subject: [PATCH] SSC MG --- .../install-memgraph/kubernetes.mdx | 59 ++++++++++++++++++- 1 file changed, 57 insertions(+), 2 deletions(-) diff --git a/pages/getting-started/install-memgraph/kubernetes.mdx b/pages/getting-started/install-memgraph/kubernetes.mdx index 815171f1..af0bcc0b 100644 --- a/pages/getting-started/install-memgraph/kubernetes.mdx +++ b/pages/getting-started/install-memgraph/kubernetes.mdx @@ -39,7 +39,7 @@ configured to deploy Memgraph as a Kubernetes `StatefulSet` workload. It will deploy a single Memgraph instance in a single pod. Typically, when deploying a stateful application like Memgraph, a `StatefulSet` -workload is used to ensure that each pod has a unique identity and stable +workload is used to ensure that each pod has a uoc adm policy add-scc-to-user memgraph-scc -z memgraph -n memgraphoc adm policy add-scc-to-user memgraph-scc -z memgraph -n memgraphnique identity and stable network identity. When deploying Memgraph, it is also necessary to define a `PersistentVolumeClaims` to store [the data directory](/configuration/data-durability-and-backup) (`/var/lib/memgraph`). 
@@ -714,6 +714,62 @@ The `args` section contains a list of arguments for the instance. For all available database settings, refer to the [configuration settings docs](/database-management/configuration). +## Root access + +Both standalone and HA charts currently require root access for init containers in order to change ownership of the directories which Memgraph will use for the durability. One possible approach for solving it for users which have +strict security policies is to create a custom `SecurityContextConstraint`. An example we used for deploying Memgraph HA chart to the RedHat: + +``` +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: memgraph +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: true +allowPrivilegedContainer: true +allowedCapabilities: + - CHOWN +defaultAddCapabilities: null +fsGroup: + type: RunAsAny +groups: [] +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: + - MKNOD +runAsUser: + type: RunAsAny +seLinuxContext: + type: RunAsAny +supplementalGroups: + type: RunAsAny +users: + - system:serviceaccount:*:memgraph +volumes: + - configMap + - downwardAPI + - emptyDir + - persistentVolumeClaim + - projected + - secret +``` + +Additionally, `values.yaml` file needed to be changed in the following way: +``` +memgraphUserGroupId: "$(id -u memgraph):$(id -g memgraph)" +``` + +If you create your service account before the security context constraint, you will have to bind them manually: + +``` +oc adm policy add-scc-to-user memgraph-scc -z memgraph -n memgraph +``` + + ## Memgraph Lab Helm chart A Helm chart for deploying Memgraph Lab on Kubernetes. @@ -789,4 +845,3 @@ Refer to the [Memgraph Lab documentation](/memgraph-lab/configuration) for detai -
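Review bot: the replacement line in the first hunk (`@@ -39,7 +39,7 @@`) is broken rather than changed: the word `unique` in `each pod has a unique identity and stable` now reads `a uoc adm policy add-scc-to-user memgraph-scc -z memgraph -n memgraphoc adm policy add-scc-to-user memgraph-scc -z memgraph -n memgraphnique`, which looks like the `oc adm policy add-scc-to-user` command from the new section pasted twice into the middle of the word. The `-` line already has the correct wording, so this hunk should be dropped entirely; as committed it ships a garbled sentence at the top of the Kubernetes page.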
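Review bot: the `SecurityContextConstraints` manifest in the `## Root access` hunk grants much more than the stated need (changing ownership of the durability directories): `allowPrivilegedContainer: true` lets every pod admitted under this SCC run fully privileged, and `allowPrivilegeEscalation: true` together with `runAsUser: RunAsAny` and `seLinuxContext: RunAsAny` removes the remaining restrictions. Since `allowedCapabilities` only lists `CHOWN`, `allowPrivilegedContainer` should be `false`, and the paragraph should name the init container that needs the capability so readers with "strict security policies" can see what they are actually granting. Three further points in the same hunk: the manifest is named `memgraph` (`metadata: name: memgraph`) but the bind command is `oc adm policy add-scc-to-user memgraph-scc -z memgraph -n memgraph`, so one of the two names is wrong; `users: - system:serviceaccount:*:memgraph` matches a `memgraph` service account in every namespace, not just the `memgraph` namespace the command targets, and should be scoped to `system:serviceaccount:memgraph:memgraph`; and `memgraphUserGroupId: "$(id -u memgraph):$(id -g memgraph)"` is not expanded by Helm or YAML, it reaches the chart as a literal string, so the text should either state that the init container runs it through a shell or show numeric IDs. Minor: the three fences should be tagged `yaml`, `yaml` and `bash` to match the rest of the page, and "deploying Memgraph HA chart to the RedHat" should read "deploying the Memgraph HA chart to Red Hat OpenShift".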