Add Security Context Constraint #1339


Open: wants to merge 1 commit into base: main
59 changes: 57 additions & 2 deletions pages/getting-started/install-memgraph/kubernetes.mdx
Expand Up @@ -39,7 +39,7 @@ configured to deploy Memgraph as a Kubernetes `StatefulSet` workload.
It will deploy a single Memgraph instance in a single pod.

Typically, when deploying a stateful application like Memgraph, a `StatefulSet`
workload is used to ensure that each pod has a unique identity and stable
workload is used to ensure that each pod has a uoc adm policy add-scc-to-user memgraph-scc -z memgraph -n memgraphoc adm policy add-scc-to-user memgraph-scc -z memgraph -n memgraphnique identity and stable
network identity. When deploying Memgraph, it is also necessary to define a
`PersistentVolumeClaims` to store [the data
directory](/configuration/data-durability-and-backup) (`/var/lib/memgraph`).
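Review bot: the only change in this hunk looks like an accidental paste rather than an intended edit: the line now reads "each pod has a uoc adm policy add-scc-to-user memgraph-scc -z memgraph -n memgraphoc adm policy add-scc-to-user memgraph-scc -z memgraph -n memgraphnique identity", i.e. the `oc adm policy add-scc-to-user` command has landed twice inside the word "unique". Revert this line to the original `workload is used to ensure that each pod has a unique identity and stable` so the hunk carries no unrelated change.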
Expand Down Expand Up @@ -714,6 +714,62 @@ The `args` section contains a list of arguments for the instance.
For all available database settings, refer to the [configuration settings
docs](/database-management/configuration).

## Root access

Both standalone and HA charts currently require root access for init containers in order to change ownership of the directories which Memgraph will use for the durability. One possible approach for solving it for users which have
strict security policies is to create a custom `SecurityContextConstraint`. An example we used for deploying Memgraph HA chart to the RedHat:

```
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
name: memgraph
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: true
allowedCapabilities:
- CHOWN
defaultAddCapabilities: null
fsGroup:
type: RunAsAny
groups: []
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
- MKNOD
runAsUser:
type: RunAsAny
seLinuxContext:
type: RunAsAny
supplementalGroups:
type: RunAsAny
users:
- system:serviceaccount:*:memgraph
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
```

Additionally, `values.yaml` file needed to be changed in the following way:
```
memgraphUserGroupId: "$(id -u memgraph):$(id -g memgraph)"
```

If you create your service account before the security context constraint, you will have to bind them manually:

```
oc adm policy add-scc-to-user memgraph-scc -z memgraph -n memgraph
```


## Memgraph Lab Helm chart

A Helm chart for deploying Memgraph Lab on Kubernetes.
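Review bot: the example SCC grants considerably more than the stated need. The text says root is required only so the init containers can change ownership of the durability directories, yet the manifest sets `allowPrivilegedContainer: true` and `allowPrivilegeEscalation: true`, and `users: - system:serviceaccount:*:memgraph` applies that to a service account named `memgraph` in every namespace, not just the one the chart is installed in. Since `allowedCapabilities: - CHOWN` together with `runAsUser: type: RunAsAny` already covers the chown use case, suggest `allowPrivilegedContainer: false` and a namespace-scoped subject (for example `system:serviceaccount:memgraph:memgraph`), or at least a sentence saying the shown SCC is a permissive starting point that should be tightened. Two consistency points: `metadata.name` is `memgraph` but the binding command is `oc adm policy add-scc-to-user memgraph-scc -z memgraph -n memgraph`, so one of the two names needs to change; and `memgraphUserGroupId: "$(id -u memgraph):$(id -g memgraph)"` uses shell substitution inside a Helm value, which Helm itself does not expand, so either state where that string is evaluated (e.g. by a shell in the init container) or show the literal UID:GID the user should put there. Style: tag the three fences (```yaml, ```yaml, ```bash) as the rest of this file does, and tidy the prose ("for users who have strict security policies", "Red Hat OpenShift" instead of "the RedHat", "the `values.yaml` file needs to be changed").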
Expand Down Expand Up @@ -789,4 +845,3 @@ Refer to the [Memgraph Lab documentation](/memgraph-lab/configuration) for detai