JulianSobott commented on issue #805:
URL: 
https://github.com/apache/apisix-helm-chart/issues/805#issuecomment-3804806513

   I got it working with these values. They use Go template syntax; the rendered
version of the volumes is shown below.
   
   ```gotemplate
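   # Hardened values for the APISIX chart: non-root pod, read-only root
   # filesystem, and one emptyDir for every directory APISIX writes to.
   # The template actions further down must be rendered by a templating layer
   # before Helm reads this file; Helm does not template values files itself.

   # Pod-level settings. fsGroup makes the emptyDir volumes below writable for
   # gid 1000, and the seccomp profile set here applies to every container in
   # the pod, including the init container.
   podSecurityContext:
     runAsNonRoot: true
     runAsUser: 1000
     fsGroup: 1000
     seccompProfile:
       type: RuntimeDefault
   
   # Container-level settings. With readOnlyRootFilesystem the process can
   # write only to the volumes mounted under extraVolumeMounts.
   securityContext:
     allowPrivilegeEscalation: false
     capabilities:
       drop:
         - ALL
     readOnlyRootFilesystem: true
   
   # Short name -> path that has to stay writable. The names are reused to
   # build the volume names, so "conf" must keep matching the volume the init
   # container mounts (apisix-conf-writable).
   {{- $writableVolumes := dict
     "conf" "/usr/local/apisix/conf"
     "tmp" "/tmp"
     "body-tmp" "/usr/local/apisix/client_body_temp"
     "proxy-tmp" "/usr/local/apisix/proxy_temp"
     "fastcgi-tmp" "/usr/local/apisix/fastcgi_temp"
     "uwsgi-tmp" "/usr/local/apisix/uwsgi_temp"
     "scgi-tmp" "/usr/local/apisix/scgi_temp"
     "logs" "/usr/local/apisix/logs"
   }}
   
   # One emptyDir per writable path. emptyDir content is deleted with the pod,
   # so anything written under /usr/local/apisix/logs is lost at that point;
   # forward logs elsewhere if they are needed for audit or incident response.
   # NOTE(review): no sizeLimit is set, so a volume can grow until the node
   # reports disk pressure; consider `emptyDir: {sizeLimit: <SIZE>}`.
   extraVolumes:
   {{- range $name, $path := $writableVolumes }}
     - name: apisix-{{ $name }}-writable
       emptyDir: { }
   {{- end }}
   
   # Mounting an empty volume over /usr/local/apisix/conf hides the files the
   # image ships there, which is why the init container below seeds it first.
   extraVolumeMounts:
   {{- range $name, $path := $writableVolumes }}
     - name: apisix-{{ $name }}-writable
       mountPath: {{ $path }}
   {{- end }}
   
   # Copies the image's default configuration into the conf emptyDir before
   # the main container starts.
   # NOTE(review): keep this tag in step with the APISIX image the chart
   # deploys so the copied defaults match the running version, and consider
   # pinning by digest. The `*` glob does not match dotfiles.
   extraInitContainers:
     - name: copy-apisix-conf
       image: apache/apisix:3.14.1-ubuntu
       imagePullPolicy: IfNotPresent
       command: ["/bin/sh", "-c"]
       args:
         - cp -r /usr/local/apisix/conf/* /mnt/apisix-conf/ ;
       volumeMounts:
         - name: apisix-conf-writable
           mountPath: /mnt/apisix-conf
       securityContext:
         # Container-level settings are not shared between containers, so the
         # init container repeats the hardening of the main container. The
         # "restricted" Pod Security Standard checks init containers as well
         # and requires allowPrivilegeEscalation to be false on each of them.
         allowPrivilegeEscalation: false
         runAsNonRoot: true
         runAsUser: 1000
         capabilities:
           drop:
             - ALL
         readOnlyRootFilesystem: true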
   ```
   
   The rendered output for all paths looks like this:
   
   ```yaml
   # Rendered result of the two range loops over the writable-path map.
   # Entries are ordered by map key (body-tmp, conf, fastcgi-tmp, ...) because
   # Go templates visit map keys in sorted order, not in the order written.
   # Each mount below is the only writable location at that path once the
   # container runs with readOnlyRootFilesystem: true.
   extraVolumeMounts:
     - mountPath: /usr/local/apisix/client_body_temp
       name: apisix-body-tmp-writable
     - mountPath: /usr/local/apisix/conf
       name: apisix-conf-writable
     - mountPath: /usr/local/apisix/fastcgi_temp
       name: apisix-fastcgi-tmp-writable
     - mountPath: /usr/local/apisix/logs
       name: apisix-logs-writable
     - mountPath: /usr/local/apisix/proxy_temp
       name: apisix-proxy-tmp-writable
     - mountPath: /usr/local/apisix/scgi_temp
       name: apisix-scgi-tmp-writable
     - mountPath: /tmp
       name: apisix-tmp-writable
     - mountPath: /usr/local/apisix/uwsgi_temp
       name: apisix-uwsgi-tmp-writable
   # One emptyDir per mount above, matched by name. No sizeLimit is set, and
   # the content is removed when the pod is deleted.
   extraVolumes:
     - emptyDir: {}
       name: apisix-body-tmp-writable
     - emptyDir: {}
       name: apisix-conf-writable
     - emptyDir: {}
       name: apisix-fastcgi-tmp-writable
     - emptyDir: {}
       name: apisix-logs-writable
     - emptyDir: {}
       name: apisix-proxy-tmp-writable
     - emptyDir: {}
       name: apisix-scgi-tmp-writable
     - emptyDir: {}
       name: apisix-tmp-writable
     - emptyDir: {}
       name: apisix-uwsgi-tmp-writable
   ```

