luarx commented on issue #805:
URL: https://github.com/apache/apisix-helm-chart/issues/805#issuecomment-4729318968
Confirmed workaround from @JulianSobott works. For those using UID 636 (the
actual apisix system user in the official apache/apisix image), the same
approach applies with runAsUser: 636 instead of 1000.
The writable paths that need emptyDir mounts are:
- /usr/local/apisix/conf — APISIX rewrites nginx.conf and config_listen.sock at every startup
- /usr/local/apisix/logs — worker event sockets
- /tmp, /usr/local/apisix/client_body_temp, proxy_temp, fastcgi_temp, uwsgi_temp, scgi_temp — nginx temp dirs
The initContainer copying /usr/local/apisix/conf/* into the writable
emptyDir is required — without it APISIX starts with an empty conf dir and
fails.
**This should be supported by default**.
Running with readOnlyRootFilesystem: true is a baseline security expectation
for production workloads, and requiring users to manually wire up 8 emptyDir
volumes plus an initContainer is a significant barrier. The Bitnami
bitnami/apisix chart already ships this configuration out of the box —
readOnlyRootFilesystem: true is their default, with all necessary volumes and
initContainer pre-configured. The official chart should do the same.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
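The configuration the comment above describes, written out as a plain Kubernetes Deployment fragment. This is an added example, not the chart's own values or anything posted in the thread; it assumes a Deployment name, a placeholder image tag, a `/conf-rw` staging mount path for the initContainer, and that the five nginx temp dirs live under `/usr/local/apisix/` as the comment's wording implies. `runAsNonRoot` and `allowPrivilegeEscalation: false` are added hardening companions to the read-only root filesystem, not settings taken from the comment.

```yaml
# Added example (not from issue #805 or the apisix-helm-chart project).
# Runs the official apache/apisix image with readOnlyRootFilesystem: true,
# giving it exactly the eight writable paths listed in the comment.
# Assumptions: the names below, the <VERSION> placeholder tag, and /conf-rw.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: apisix                  # assumed name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: apisix
  template:
    metadata:
      labels:
        app: apisix
    spec:
      securityContext:
        runAsUser: 636          # apisix system user in the official image (per the comment)
        runAsNonRoot: true      # added hardening, not from the comment
      initContainers:
        # Seeds the writable conf volume from the image's bundled config.
        # The emptyDir is mounted at /conf-rw here rather than at
        # /usr/local/apisix/conf, so the image's original files remain
        # visible to copy from. Without this step APISIX starts with an
        # empty conf dir and fails, as the comment notes.
        - name: seed-conf
          image: apache/apisix:<VERSION>   # placeholder tag
          command: ["sh", "-c", "cp -a /usr/local/apisix/conf/. /conf-rw/"]
          securityContext:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: conf
              mountPath: /conf-rw
      containers:
        - name: apisix
          image: apache/apisix:<VERSION>   # placeholder tag
          securityContext:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false   # added hardening, not from the comment
          volumeMounts:
            # The eight writable paths from the comment, each backed by an emptyDir.
            - { name: conf,             mountPath: /usr/local/apisix/conf }
            - { name: logs,             mountPath: /usr/local/apisix/logs }
            - { name: tmp,              mountPath: /tmp }
            - { name: client-body-temp, mountPath: /usr/local/apisix/client_body_temp }
            - { name: proxy-temp,       mountPath: /usr/local/apisix/proxy_temp }
            - { name: fastcgi-temp,     mountPath: /usr/local/apisix/fastcgi_temp }
            - { name: uwsgi-temp,       mountPath: /usr/local/apisix/uwsgi_temp }
            - { name: scgi-temp,        mountPath: /usr/local/apisix/scgi_temp }
      volumes:
        - { name: conf,             emptyDir: {} }
        - { name: logs,             emptyDir: {} }
        - { name: tmp,              emptyDir: {} }
        - { name: client-body-temp, emptyDir: {} }
        - { name: proxy-temp,       emptyDir: {} }
        - { name: fastcgi-temp,     emptyDir: {} }
        - { name: uwsgi-temp,       emptyDir: {} }
        - { name: scgi-temp,        emptyDir: {} }
```

Two things worth checking after deploying. First, confirm the root filesystem is actually read-only: `kubectl exec deploy/apisix -- touch /usr/local/apisix/probe` should fail with a read-only file system error, while the same `touch` under `/usr/local/apisix/conf` succeeds. Second, because the initContainer re-seeds the conf volume from the image on every pod start, a `config.yaml` that comes from a ConfigMap must be mounted on top of that directory (for example with `subPath`) so the seeded copy does not shadow it.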