
Using 10001 gives "operation not permitted" error when controller tries to reach api-server

Open karlbaumg opened this issue 11 months ago • 0 comments

I'm using k0s v1.31.2-k0s.0 with default settings. The controller crashes with the following logs:

{"level":"info","ts":"2025-01-20T19:29:56.696034172Z","logger":"setup","msg":"Starting CloudNativePG Operator","version":"1.25.0","build":{"Version":"1.25.0","Commit":"bad5a251","Date":"2024-12-23"}}
{"level":"info","ts":"2025-01-20T19:29:56.696108834Z","logger":"setup","msg":"Listening for changes on all namespaces"}
{"level":"info","ts":"2025-01-20T19:29:56.696407662Z","logger":"setup","msg":"Loading configuration from ConfigMap","namespace":"base","name":"cnpg-controller-manager-config"}
{"level":"error","ts":"2025-01-20T19:29:56.696563545Z","logger":"setup","msg":"unable to read ConfigMap","namespace":"base","name":"cnpg-controller-manager-config","error":"failed to get API group resources: unable to retrieve the complete list of server APIs: v1: Get \"https://10.96.0.1:443/api/v1\": dial tcp 10.96.0.1:443: socket: operation not permitted","stacktrace":"github.com/cloudnative-pg/machinery/pkg/log.(*logger).Error\n\tpkg/mod/github.com/cloudnative-pg/[email protected]/pkg/log/log.go:125\ngithub.com/cloudnative-pg/cloudnative-pg/internal/cmd/manager/controller.loadConfiguration\n\tinternal/cmd/manager/controller/controller.go:323\ngithub.com/cloudnative-pg/cloudnative-pg/internal/cmd/manager/controller.RunController\n\tinternal/cmd/manager/controller/controller.go:175\ngithub.com/cloudnative-pg/cloudnative-pg/internal/cmd/manager/controller.NewCmd.func1\n\tinternal/cmd/manager/controller/cmd.go:43\ngithub.com/spf13/cobra.(*Command).execute\n\tpkg/mod/github.com/spf13/[email protected]/command.go:985\ngithub.com/spf13/cobra.(*Command).ExecuteC\n\tpkg/mod/github.com/spf13/[email protected]/command.go:1117\ngithub.com/spf13/cobra.(*Command).Execute\n\tpkg/mod/github.com/spf13/[email protected]/command.go:1041\nmain.main\n\tcmd/manager/main.go:68\nruntime.main\n\t/opt/hostedtoolcache/go/1.23.4/x64/src/runtime/proc.go:272"}

It can be fixed by setting containerSecurityContext.runAsUser and containerSecurityContext.runAsGroup to null and containerSecurityContext.runAsNonRoot to true. However, the issue is that, when the chart is used as a dependency of another chart, values cannot be set to null due to a bug in Helm (https://github.com/helm/helm/pull/12879). So, effectively, one is forced to fork the chart and re-publish it with those two values removed.

I see that https://github.com/cloudnative-pg/charts/pull/73 moved these to values.yaml, which helps, but I'm wondering if there can be a way to disable these two fields. Not sure how it'd look; maybe setting them to -1, maybe having a separate bool value. And you may not even want to fix this since it's effectively a Helm bug, but I wanted to raise it so others getting the error can know what's going on.

karlbaumg Jan 20 '25 20:01
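The workaround described in the issue, written out as a values override. This is an added example, not part of the issue or of the cloudnative-pg chart itself: the three containerSecurityContext keys are the ones named in the post, while the subchart alias (cloudnative-pg) and the surrounding parent-chart layout are assumptions for illustration. The first block is what works when the chart is installed directly; the second is the same override placed under the subchart key in a parent chart, which is exactly the position where, per the Helm PR linked above, the null values are not propagated and the chart's defaults of 10001 come back.

```yaml
# Direct install (helm install cnpg cloudnative-pg/cloudnative-pg -f values.yaml).
# Assumed file name: values.yaml. Clearing runAsUser/runAsGroup lets the
# container runtime pick the image's own user; runAsNonRoot keeps the
# guarantee that the controller still does not run as UID 0.
containerSecurityContext:
  runAsUser: null
  runAsGroup: null
  runAsNonRoot: true

---
# Parent chart that pulls cloudnative-pg in as a dependency (assumed alias:
# cloudnative-pg, matching the chart name in Chart.yaml dependencies).
# Same override, nested under the subchart key. With the Helm versions
# affected by helm/helm#12879 the two nulls are dropped during values
# coalescing, so the rendered Deployment still carries the chart defaults
# and the "socket: operation not permitted" error from the post persists.
cloudnative-pg:
  containerSecurityContext:
    runAsUser: null
    runAsGroup: null
    runAsNonRoot: true
```

To confirm which case you are in before deploying, render the parent chart with `helm template` and inspect the `securityContext` of the manager container in the output: if `runAsUser: 10001` is still present, the null was not honoured and the fork-and-republish route (or a Helm version carrying the fix) is needed. Keep `runAsNonRoot: true` in either variant; dropping the fixed UID is only acceptable because the image is still prevented from starting as root.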