Updating PVC file permissions for upgrading a Kuberetes deployment from root to non-root user images
readWriteMany
PVC.Before you begin
- Learn about the benefits, limitations, considerations, and requirements for running your Docker images as a non-root user before upgrading to HCL Commerce 9.1.14.0 or greater. For more information, see HCL Commerce container users and privileges. Once you are confident that you have addressed each consideration, you can continue with upgrading your Assets Tool PVC for use with the non-root user images.
- Ensure that the runAsNonRoot.enabled parameter is set to true in the HCL Commerce Helm Chart values.yaml configuration file. This is the default value.
About this task
In Kubernetes deployments, a PVC is used to persist files that are used by the Assets Tool in Management Center for HCL Commerce. The upgrade to a non-root user container presents a potential issue depending on the type of PVC that was initially provisioned:
- A
readWriteOnce
access mode storage presents no issues during this upgrade.Typically PVC storage is provisioned by the cloud storage class as a
readWriteOnce
access mode PVC, and is mounted with the root user as the owner. ThefsGroup
is set to1000
in the HCL Commerce Helm Chart, ensuring that the non-root user will still retain full read and write access to any and all preexisting files and directories in the mounted volume. - A
readWriteMany
access mode storage presents a permissions update requirement during this upgrade.A
readWriteMany
type of PVC, which can be provisioned by a different provider, such as NFS Provisioner, presents an obstacle with user permissions during this upgrade. In this case, thefsGroup
specified in the HCL Commerce Helm Chart will not have any influence on existing files in the volume. Thus, the file permissions within your PVC must be changed to remain accessible by the non-root user.
The first time that you re-deploy your HCL Commerce application images to use the non-root user, you must modify your Kubernetes deployment to update the ownership of the files and directories that are stored in your Assets Tool PVC. This must only be done once.
Procedure
-
Update your values.yaml Helm Chart configuration file and set the
runAsNonRoot.migrateAssetsPvcFromRootToNonroot parameter to
true.
Save the file. This option will trigger a pre-upgrade job on deployment to update the ownership of the files within your Assets Tool PVC.
-
Run the deployment update.
For more information, see Updating a deployment within the Deploying HCL Commerce on a Kubernetes cluster documentation.The redeployment will update your Assets Tool PVC file permissions to remain fully accessible by the non-root user.
-
Disable the runAsNonRoot.migrateAssetsPvcFromRootToNonroot parameter
by setting it back to false and saving your Helm Chart configuration for any
future deployments.
This process is only required to be run once.
- Optional:
Manually run the PVC permission migration job.
If your PVC is in use during the permission migration, some files can be created by the root user pod during the helm upgrade process. If you are not confident about the full permission migration, you can re-run the job manually at any time.
The sample job file nonroot-ownership-update.yaml can be found in the upgrade folder under stable/hcl-commerce/. Ensure that you update the file accordingly with the correct namespace, name, and persistent volume claim name fields before starting it with
kubectl apply -f nonroot-ownership-update.yaml
.