Ingester fails on DigitalOcean Kubernetes due to permission issues #996
Comments
|
Thanks for reporting this. Would setting the Perhaps the operator could always set it. |
|
@pavolloffay thanks so much for the quick answer. I've just verified on a DigitalOcean cluster that by setting the following to the Pod spec in the securityContenxt:
fsGroup: 10001It would be great if the Operator would allow that configuration. Even better if it's by default. |
|
I'm facing the same issue on AKS with the clean deployment of a TempoStack. Is there a workaround that works currently or is the only option a downgrade? |
|
You can switch is to The unmanaged mode allows you to directly modify k8s objects managed by the operator. |
|
facing the same issue. I solved it for now by using operator version 0.10.0. |
Tempo 2.5.0 (supported in Tempo Operator 0.11.0+) switched user from
roottotempo(10001:10001) and ownership of/var/tempo. In some Kubernetes distributions such as DigitalOcean, persistent volumes are always created with a filesystem owned byroot:root, which means the Ingester Pod will fail with the following error.Unfortunately, DigitalOcean Kubernetes doesn't support the
mountOptionssettings to change the file permissions in the mounted volume, so Tempo Operator cannot be used in that environment as-is.If I understand correctly, Tempo Operator 0.11.0 introduced a Job that runs when upgrading the Operator from previous versions to change the permissions on the volume (see https://github.com/grafana/tempo-operator/releases/tag/v0.11.0). Would it be an idea to allow running that same Job even on new installations, in environments like DigitalOcean Kubernetes? (perhaps, behind a configuration flag)
If that's not possible, I see two other options to make Tempo Operator support DigitalOcean Kubernetes:
1000:1000instead of10001:10001, though not really a production-ready solution. This is what the tempo-distributed Helm chart does.The text was updated successfully, but these errors were encountered: