Now that we have _democratic-csi_ for storage management, the old manual iSCSI volumes are being replaced with dynamically provisioned volumes. The new _buildroot-airplaypi_ volume is completely blank, so _root_ owns everything. The old volume had the correct ownership because it was originally mounted in a pod that had the default `securityContext`, before we changed the merge strategy. We now need to explicitly set the UIDs and GIDs, since we're not inheriting the default `securityContext` anymore.
# Pod template for the Buildroot build agent: metadata and spec only, as shown
# on the page. The indentation below is restored from the Kubernetes Pod
# schema, because the rendered listing lost it.
metadata:
  annotations:
    # Asks CRI-O to skip the recursive SELinux relabel of mounted volumes when
    # the volume's top-level directory already carries the expected label.
    # Annotation values are strings, hence the quotes. It only takes effect if
    # the CRI-O runtime handler lists it under allowed_annotations.
    io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel: 'true'
spec:
  affinity:
    nodeAffinity:
      # A preference, not a requirement: the scheduler may still place the pod
      # on a node without the jenkins role label.
      preferredDuringSchedulingIgnoredDuringExecution:
        - weight: 100
          preference:
            matchExpressions:
              - key: node-role.kubernetes.io/jenkins
                operator: Exists
  containers:
    - name: build
      # NOTE(review): no tag or digest is given, so this resolves to `latest`
      # and the build environment can change between runs. Consider pinning
      # to a digest once one is chosen.
      image: git.pyrocufflink.net/containerimages/buildroot
      resources:
        # The anchor keeps requests identical to limits for this container.
        limits: &resources
          cpu: 6
          memory: 12Gi
        requests: *resources
      volumeMounts:
        # A single file from the ConfigMap is mounted over the system-wide
        # known_hosts path. subPath mounts are not refreshed when the
        # ConfigMap changes; a running pod keeps the host keys it started
        # with.
        - mountPath: /etc/ssh/ssh_known_hosts
          name: ssh-known-hosts
          subPath: ssh_known_hosts
  nodeSelector:
    kubernetes.io/arch: amd64
  # Pod-level security context. It is set explicitly here because the default
  # securityContext is no longer inherited after the merge-strategy change.
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
    # fsGroup makes the kubelet adjust group ownership of supported volumes
    # so that the non-root build user can write to a freshly provisioned,
    # root-owned volume.
    # NOTE(review): whether it is applied to the CSI volume depends on the
    # driver's fsGroupPolicy; confirm.
    fsGroup: 1000
    # Skips the recursive ownership change when the volume root already
    # matches. Mismatched files deeper in the tree are then left as they are.
    fsGroupChangePolicy: OnRootMismatch
    seLinuxOptions:
      # A fixed MCS level keeps the volume label stable across pod restarts,
      # which the relabel-skip annotation relies on. Trade-off: every pod
      # using this level shares the same categories, so SELinux does not
      # separate those pods from one another.
      level: 's0:c596,c675'
    # NOTE(review): runAsNonRoot is not set. Adding `runAsNonRoot: true`
    # would make the kubelet refuse to start a container that resolves to
    # UID 0. Confirm no merged container needs root before adding it.
  tolerations:
    # Only the key is given, so the API defaults apply: operator Equal with
    # an empty value, and any effect.
    # NOTE(review): this will not match a taint that carries a non-empty
    # value; verify against the node taint.
    - key: du5t1n.me/jenkins
  volumes:
    - name: ssh-known-hosts
      configMap:
        name: ssh-known-hosts