SSH not working due missing security capability in CRI-O environment (#176)

This patch add the SYS_CHROOT capability if the securityContext is undefined. Otherwise the SSH Server does not work correctly as described in the issue #161. Fixes: #161 Co-authored-by: Markus Pesch <markus.pesch@cryptic.systems> Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/176 Reviewed-by: techknowlogick <techknowlogick@gitea.io> Reviewed-by: justusbunsi <justusbunsi@noreply.gitea.io> Reviewed-by: luhahn <luhahn@noreply.gitea.io> Co-authored-by: Markus Pesch <volker.raschek@noreply.gitea.io> Co-committed-by: Markus Pesch <volker.raschek@noreply.gitea.io>
2021-07-01 23:02:56 +08:00 · 2021-07-01 23:02:56 +08:00 · 767a073a0a
commit 767a073a0a
parent b7dbb22025
2 changed files with 35 additions and 10 deletions
--- a/README.md
+++ b/README.md
@ -153,7 +153,7 @@ By default port 3000 is used for web traffic and 22 for ssh. Those can be change

 ```yaml
  service:
-    http: 
+    http:
      port: 3000
    ssh:
      port: 22
@ -189,6 +189,24 @@ service:
      metallb.universe.tf/allow-shared-ip: test
 ```

+### SSH on crio based kubernetes cluster
+
+If you use crio as container runtime it is not possible to read from a remote
+repository. You should get an error message like this:
+
+```bash
+$ git clone git@k8s-demo.internal:admin/test.git
+Cloning into 'test'...
+Connection reset by 192.168.179.217 port 22
+fatal: Could not read from remote repository.
+
+Please make sure you have the correct access rights
+and the repository exists.
+```
+
+To solve this problem add the capability `SYS_CHROOT` to the `securityContext`.
+More about this issue [here](https://gitea.com/gitea/helm-chart/issues/161).
+
 ### Cache

 This helm chart can use a built in cache. The default is memcached from bitnami.
--- a/values.yaml
+++ b/values.yaml
@ -16,15 +16,22 @@ imagePullSecrets: []

 # only usable with rootless image due to image design
 securityContext: {}
-#  allowPrivilegeEscalation: false
-#  capabilities:
-#    drop:
-#      - ALL
-#  privileged: false
-#  readOnlyRootFilesystem: true
-#  runAsGroup: 1000
-#  runAsNonRoot: true
-#  runAsUser: 1000
+#   allowPrivilegeEscalation: false
+#   capabilities:
+#     drop:
+#       - ALL
+#   # Add the SYS_CHROOT capability for root and rootless images if you intend to
+#   # run pods on nodes that use the container runtime cri-o. Otherwise, you will
+#   # get an error message from the SSH server that it is not possible to read from
+#   # the repository.
+#   # https://gitea.com/gitea/helm-chart/issues/161
+#     add:
+#       - SYS_CHROOT
+#   privileged: false
+#   readOnlyRootFilesystem: true
+#   runAsGroup: 1000
+#   runAsNonRoot: true
+#   runAsUser: 1000

 service:
  http: