How to make the K10 Grafana pod rootless

This article explains how to disable the init-container in k10-grafana so that the pod runs without any root process.

A K10 installation provides an instance of Grafana that is deployed automatically and can be used to query metrics from K10's Prometheus instance. The Grafana container itself runs as the user `grafana` with UID and GID 472. By default, however, K10 also adds an init-container that runs as root to prepare the filesystem for Grafana, so the pod as a whole is not rootless.

Below are the default Grafana values in the K10 Helm chart:

grafana:
    securityContext:
        runAsUser: 472
        runAsGroup: 472
        fsGroup: 472
    initChownData:
        enabled: true

The only function of the init-container (init-chown-data) is to set the ownership of the files on the Grafana PVC so that UID/GID 472 can write to them. The same result can be obtained without a root process, either through the `fsGroup` field in the Grafana pod's securityContext, or by changing the ownership manually (for shared filesystems such as NFS, where Kubernetes does not apply fsGroup). Once that is in place, the init-container can be disabled.

This article provides instructions for two types of storage with which the Grafana PVC may be provisioned:

  • Storage whose driver supports the fsGroup parameter.
  • Shared filesystems (e.g. NFS)

Storage that supports the fsGroup parameter:

By default k10-grafana runs with fsGroup=472. When the volume's driver honours fsGroup, the kubelet (or the CSI driver) sets GID 472 on every file in the volume at mount time and sets the setgid bit on directories, so files Grafana creates later also carry GID 472 and the group keeps write access. No additional securityContext is needed; only the init-container has to be switched off. Whether a CSI driver applies fsGroup is controlled by the fsGroupPolicy field of its CSIDriver object (`kubectl get csidriver <name> -o jsonpath='{.spec.fsGroupPolicy}'`); if that reports None, treat the storage like the shared-filesystem case below. The Helm values below disable the init-container (init-chown-data) in k10-grafana while keeping fsGroup:

grafana:
    securityContext:
        runAsUser: 472
        runAsGroup: 472
        fsGroup: 472
    initChownData:
        enabled: false

Shared filesystems (e.g. NFS):

For shared filesystems, Kubernetes does not apply fsGroup, so the "var/lib/grafana" directory has to be created manually on the shared filesystem with the correct owner before the init-container is disabled. Otherwise Grafana starts as UID 472, cannot write its data under /var/lib/grafana and fails with a permission-denied error.
Below are the commands to create the directory structure and change its ownership to the UID/GID that the k10-grafana container uses. Run them as a user that is allowed to chown on the export (typically root on the NFS server, or on a client without root squash):

#create the directory structure
mkdir -p var/lib/grafana

#chown recursively to the grafana UID:GID
chown -R 472:472 var/lib/grafana

#verify: expect "472:472 var/lib/grafana"
stat -c '%u:%g %n' var/lib/grafana

The commands above assume that the current working directory is the root of the K10 Grafana PVC, or the directory referenced in the K10 Grafana PV (in the case of NFS volumes).

The Helm values below disable the init-container (init-chown-data) in k10-grafana. fsGroup is omitted because it has no effect on NFS volumes (the in-tree NFS plugin ignores it); the ownership set manually above is what gives the container write access.

grafana:
    securityContext:
        runAsUser: 472
        runAsGroup: 472
    initChownData:
        enabled: false
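After applying either set of values, it is worth confirming on the rendered pod that the goal was actually reached: no init container running as root, the Grafana container running as UID 472, and (for fsGroup-capable storage) fsGroup still 472. The script below is an added example, not part of the K10 project or this article; the three pod manifests in it are constructed to mirror the Helm values above rather than dumped from a cluster, and the `kasten-io` namespace in the usage note is an assumption about a default K10 install.

```python
"""Audit a Pod manifest for the rootless properties this article targets.

Added example. The manifests at the bottom are constructed to mirror the
article's before/after Helm values; they are not captured from a cluster.
"""
import json
from typing import Any, Dict, List, Optional

ROOT_UID = 0
GRAFANA_UID = 472   # UID the K10 Grafana container runs as
GRAFANA_GID = 472   # matching GID / fsGroup

Pod = Dict[str, Any]


def effective_uid(container: Dict[str, Any], pod_sc: Dict[str, Any]) -> Optional[int]:
    """UID a container will run as. A container-level runAsUser overrides the
    pod-level one; None means neither is set, so the image's USER decides and
    the manifest alone cannot prove the container is non-root."""
    container_sc = container.get("securityContext") or {}
    if "runAsUser" in container_sc:
        return container_sc["runAsUser"]
    return pod_sc.get("runAsUser")


def audit_pod(pod: Pod, require_fsgroup: bool) -> List[str]:
    """Return findings; an empty list means the pod meets the rootless goal.

    require_fsgroup=True is for storage whose driver honours fsGroup. For NFS
    the ownership is fixed on the export by hand, so fsGroup is not required.
    """
    findings: List[str] = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}

    # Any init container that is root (or of unknown UID) defeats the purpose;
    # the only one K10 adds by default is init-chown-data, which runs as root.
    for c in spec.get("initContainers", []):
        uid = effective_uid(c, pod_sc)
        if uid is None or uid == ROOT_UID:
            findings.append(f"init container {c['name']!r} runs as root (runAsUser={uid})")

    # The Grafana container must run as the expected non-root UID.
    for c in spec.get("containers", []):
        uid = effective_uid(c, pod_sc)
        if uid != GRAFANA_UID:
            findings.append(f"container {c['name']!r} runs as runAsUser={uid}, expected {GRAFANA_UID}")

    if require_fsgroup and pod_sc.get("fsGroup") != GRAFANA_GID:
        findings.append(f"pod securityContext.fsGroup={pod_sc.get('fsGroup')}, expected {GRAFANA_GID}")
    return findings


def audit_kubectl_json(text: str, require_fsgroup: bool) -> List[str]:
    """Same check on the output of 'kubectl get pod <name> -o json'."""
    return audit_pod(json.loads(text), require_fsgroup)


# Constructed manifest for the chart defaults: init-chown-data present, as root.
DEFAULT_POD: Pod = {
    "spec": {
        "securityContext": {"runAsUser": 472, "runAsGroup": 472, "fsGroup": 472},
        "initContainers": [{"name": "init-chown-data", "securityContext": {"runAsUser": 0}}],
        "containers": [{"name": "grafana"}],
    }
}

# Constructed manifest for the fsGroup-capable storage values (initChownData disabled).
ROOTLESS_POD: Pod = {
    "spec": {
        "securityContext": {"runAsUser": 472, "runAsGroup": 472, "fsGroup": 472},
        "containers": [{"name": "grafana"}],
    }
}

# Constructed manifest for the NFS values (no fsGroup, initChownData disabled).
NFS_POD: Pod = {
    "spec": {
        "securityContext": {"runAsUser": 472, "runAsGroup": 472},
        "containers": [{"name": "grafana"}],
    }
}

if __name__ == "__main__":
    for label, pod, fsg in [("default", DEFAULT_POD, True),
                            ("fsGroup storage", ROOTLESS_POD, True),
                            ("nfs", NFS_POD, False)]:
        print(f"{label}: {audit_pod(pod, fsg) or 'OK'}")
```

Against a live cluster, feed `audit_kubectl_json` the output of `kubectl get pod -n kasten-io <grafana-pod> -o json` (namespace assumed) with `require_fsgroup=True` for fsGroup-capable storage and `False` for NFS. A non-empty result after the Helm upgrade usually means the values were applied under the wrong key or the pod has not been recreated yet.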