From fdfefbb9e888dac2e43ad6d1a779db5faa41b7bd Mon Sep 17 00:00:00 2001
From: Paul Buetow
Date: Fri, 9 Jan 2026 11:22:20 +0200
Subject: Fix permissions using fsGroup and initContainer pattern

Follow webdav/filebrowser pattern for proper permission handling:
- Add fsGroup: 1000 at pod level for git repo access
- Add initContainer to chown emptyDir volumes
- Run git-server as root (required for sshd)
- Run cgit as user 33 (www-data)
- Restore cgit-cache emptyDir volume with proper ownership
---
 .../helm-chart/templates/deployment.yaml | 26 ++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)

diff --git a/f3s/git-server/helm-chart/templates/deployment.yaml b/f3s/git-server/helm-chart/templates/deployment.yaml
index 6f47c36..6c424a0 100644
--- a/f3s/git-server/helm-chart/templates/deployment.yaml
+++ b/f3s/git-server/helm-chart/templates/deployment.yaml
@@ -15,6 +15,26 @@ spec:
 labels:
 app: git-server
 spec:
+ securityContext:
+ fsGroup: 1000
+
+ initContainers:
+ - name: setup
+ image: alpine:3.19
+ command:
+ - /bin/sh
+ - -c
+ - |
+ mkdir -p /cache-init
+ chown -R 33:1000 /cache-init
+ mkdir -p /ssh-init
+ chown -R 0:0 /ssh-init
+ volumeMounts:
+ - name: cgit-cache
+ mountPath: /cache-init
+ - name: ssh-host-keys
+ mountPath: /ssh-init
+
 containers:
 # Container 1: SSH Git Server
 - name: git-server
@@ -39,7 +59,6 @@ spec:
 allowPrivilegeEscalation: false
 capabilities:
 drop: ["ALL"]
- add: ["CHOWN", "DAC_OVERRIDE"]
 resources:
 requests:
 cpu: 50m
@@ -71,12 +90,11 @@ spec:
 - name: cgit-cache
 mountPath: /var/cache/cgit
 securityContext:
- runAsUser: 0
- runAsGroup: 0
+ runAsUser: 33
+ runAsGroup: 33
 allowPrivilegeEscalation: false
 capabilities:
 drop: ["ALL"]
- add: ["NET_BIND_SERVICE", "CHOWN", "DAC_OVERRIDE"]
 resources:
 requests:
 cpu: 50m
--
cgit v1.2.3
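Review bot: The new `setup` initContainer in the first hunk has no `securityContext` at all, so it runs as uid 0 with the container runtime's default capability set while both application containers in this pod drop ALL capabilities; since its whole job is `mkdir` and `chown` on two freshly created emptyDirs, it should carry the same hardening, with only `CHOWN` added back (and `DAC_OVERRIDE` only if the mount roots turn out not to be root-owned). The script is also run with `/bin/sh -c` and no `set -e`, so a failed `chown` does not fail the init and the pod starts with the wrong ownership; `-ec` makes a failure visible at rollout. `alpine:3.19` is a mutable tag re-resolved on every pull, which is a supply-chain exposure for the one container that does run as root — pin it by digest in values or at least set an explicit `imagePullPolicy`. Note that `fsGroup: 1000` already makes the kubelet chgrp these emptyDirs to 1000, so the `chown -R 0:0 /ssh-init` deliberately undoes that for the host-key volume; a comment saying so would stop the next person "fixing" it.
```yaml
      initContainers:
      - name: setup
        image: alpine:3.19  # TODO: pin by digest (alpine:3.19@sha256:…)
        securityContext:
          runAsUser: 0
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
            add: ["CHOWN"]
        command:
        - /bin/sh
        - -ec
        - |
          # … unchanged: mkdir/chown of /cache-init and /ssh-init …
        # … unchanged: volumeMounts …
```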
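Review bot: In the git-server hunk the container is now left with `drop: ["ALL"]` and no `add:` list, while the commit message says it runs sshd as root; a root process with an empty capability set cannot `setuid`/`setgid` to the login user, cannot `chroot` for privilege separation, and cannot bind a port below 1024, so unless sshd is configured to listen above 1024 and never switch users this will fail at the first login rather than at startup. The `runAsUser`, ports and sshd_config for this container are outside the hunk, so please confirm against them; if user switching is needed the minimal set is `add: ["SETUID", "SETGID", "SYS_CHROOT"]` plus `NET_BIND_SERVICE` only when the listen port is privileged. Either way, a comment on the `capabilities:` line recording why the list is what it is would prevent the next permissions fix from re-adding `DAC_OVERRIDE`, which effectively disables file permission checks for a root process.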
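Review bot: The cgit hunk drops `NET_BIND_SERVICE` at the same time as moving the container to `runAsUser: 33`, so whatever port the cgit web server listens on must now be above 1024 or it will fail to bind; the `ports:`/`containerPort` of this container are not in the hunk, so this needs confirming against the rest of the spec. Running as 33:33 also means the cache volume is only writable because the initContainer chowns it to owner 33, not because of `fsGroup: 1000` (which only adjusts the group); a short comment on the `securityContext:` line, e.g. `# uid 33 = www-data; /var/cache/cgit is chowned to 33 by the setup initContainer`, would tie the two halves of the change together for the reader.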