# Create an Aerospike cluster on Kubernetes with a non-root user

To use AKO to deploy a non-root Aerospike cluster, create an Aerospike custom resource (CR) file that describes the cluster. At a minimum, the description should include the number of nodes, the Aerospike configuration, and system resources. Then use `kubectl` to apply that configuration file to your Kubernetes cluster(s).

## Requirements

### Configure CRI container runtimes (containerd, CRI-O)

For non-root containers to use devices, cluster administrators must opt in by setting `device_ownership_from_security_context = true` on each worker node. The flag is available in the CRI-O v1.22 release and in containerd v1.6.6 and later. For more details, see [Non-root containers and devices](https://kubernetes.io/blog/2021/11/09/non-root-containers-and-devices/).

On a cluster that runs containerd, set:

```toml
[plugins]
  [plugins."io.containerd.grpc.v1.cri"]
    device_ownership_from_security_context = true
```

On a cluster that runs CRI-O, set:

```toml
[crio.runtime]
  device_ownership_from_security_context = true
```

Restart the container runtime service:

```shell
# containerd
sudo systemctl restart containerd

# or, for CRI-O
sudo systemctl restart crio
```

Verify that `device_ownership_from_security_context = true` has been set successfully:

```shell
sudo crictl info
...
 "disableHugetlbController": true,
 "device_ownership_from_security_context": true,
 "ignoreImageDefinedVolumes": false,
 "netnsMountsUnderStateDir": false,
 ...
```

### Install Aerospike Kubernetes Operator

Before deploying your Aerospike cluster, install Aerospike Kubernetes Operator on your Kubernetes cluster(s) using either:

-   [OLM](https://aerospike.com/docs/kubernetes/install/olm)
-   [Helm](https://aerospike.com/docs/kubernetes/install/helm)

### Prepare the namespace, storage and secrets

Before creating your Aerospike cluster CR, create the required namespace, storage and secrets using either:

-   [OLM](https://aerospike.com/docs/kubernetes/install/deploy/kubectl)
-   [Helm](https://aerospike.com/docs/kubernetes/install/deploy/helm)

## Create Aerospike Cluster Custom Resource (CR)

See the [cluster configuration settings](https://aerospike.com/docs/kubernetes/reference/config-reference) for details on the Aerospike cluster custom resource (CR) file. You can find sample CR files for different configurations in [the main Aerospike Kubernetes Operator repository](https://github.com/aerospike/aerospike-kubernetes-operator/tree/v4.3.0/config/samples).

Edit the CR file to add a `securityContext` section under `podSpec`.

```yaml
...
  podSpec:
    multiPodPerHost: true
    securityContext:
      runAsUser: 1001
      runAsGroup: 1001
      fsGroup: 1001
...
```

## Deploy the Aerospike Cluster

Use `kubectl apply` to apply the CR file you created and deploy the Aerospike cluster.

```shell
kubectl apply -f config/samples/ssd_storage_cluster_cr.yaml
```

## Verify cluster status

Use `kubectl get statefulset` to confirm that AKO created the StatefulSets for the custom resource.

```shell
kubectl get statefulset -n aerospike

NAME            READY   AGE
aerocluster-0   2/2     24s
```

Use `kubectl get pods` to check the pods to confirm the status. This step may take time as the pods provision resources, initialize, and become ready. Wait for the pods to switch to the Running state before you continue.

```shell
kubectl get pods -n aerospike

NAME              READY   STATUS    RESTARTS   AGE
aerocluster-0-0   1/1     Running   0          48s
aerocluster-0-1   1/1     Running   0          48s
```

To verify the results, check the user and group ID that the container runs as. They should be set to non-zero values as configured in the `securityContext` section in the CR file.

```shell
kubectl exec -it aerocluster-0-0 -c aerospike-server -n aerospike -- id

uid=1001 gid=1001 groups=1001
```

Next, check that the device node's ownership and permissions make it accessible to the configured `runAsUser`/`runAsGroup`:

```bash
kubectl exec -it aerocluster-0-0 -c aerospike-server -n aerospike -- ls -la /test/dev           # Block device path /test/dev/xvdf

total 8
drwxr-xr-x 2 root root 4096 Sep 29 18:30 .
drwxr-xr-x 3 root root 4096 Sep 29 18:30 ..
brw-rw---- 1 1001 1001 8, 64 Sep 29 18:30 xvdf
```
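
The two verification steps above (the `id` check and the device listing) can be scripted so they are repeatable across pods. This is an added example, not part of the Aerospike documentation: the function names `check_id` and `check_devices` are hypothetical, the sample outputs are constructed, and it assumes `ls` prints numeric IDs as in the listing above.

```shell
#!/bin/sh
# Added example, not from the Aerospike docs. Function names are hypothetical.

# check_id WANT_UID WANT_GID "<output of id>"
# Succeeds only when the container runs as the expected non-root uid/gid.
check_id() (
  uid=$(printf '%s\n' "$3" | sed -n 's/.*uid=\([0-9][0-9]*\).*/\1/p')
  gid=$(printf '%s\n' "$3" | sed -n 's/.*gid=\([0-9][0-9]*\).*/\1/p')
  [ -n "$uid" ] && [ "$uid" != 0 ] && [ "$uid" = "$1" ] && [ "$gid" = "$2" ]
)

# check_devices WANT_UID WANT_GID   (reads `ls -la` output on stdin)
# Every block device must be owned by WANT_UID:WANT_GID with owner rw.
# Rejecting access for "other" is extra strictness added here, not a step on
# this page. Fails if no block device is listed at all.
# Assumes ls prints numeric ids, as in the listing on this page.
check_devices() {
  awk -v u="$1" -v g="$2" '
    /^b/ {
      n++
      if ($3 != u || $4 != g)             { print "wrong owner: " $0; bad++ }
      else if (substr($1, 2, 2) != "rw")  { print "owner lacks rw: " $0; bad++ }
      else if (substr($1, 8, 3) != "---") { print "open to other: " $0; bad++ }
    }
    END { exit (n == 0 || bad > 0) }'
}

# Constructed samples. GOOD_* mirror the output shown on this page; BAD_LS is
# an assumed listing from a node where the runtime flag was not applied.
GOOD_ID='uid=1001 gid=1001 groups=1001'
GOOD_LS='total 8
drwxr-xr-x 2 root root 4096 Sep 29 18:30 .
drwxr-xr-x 3 root root 4096 Sep 29 18:30 ..
brw-rw---- 1 1001 1001 8, 64 Sep 29 18:30 xvdf'
BAD_LS='brw-rw---- 1 root root 8, 64 Sep 29 18:30 xvdf'

check_id 1001 1001 "$GOOD_ID" && echo "id: ok"
printf '%s\n' "$GOOD_LS" | check_devices 1001 1001 && echo "devices: ok"
printf '%s\n' "$BAD_LS"  | check_devices 1001 1001 || echo "devices: FAILED"

# Live use, with the commands from this page:
#   check_id 1001 1001 "$(kubectl exec aerocluster-0-0 -c aerospike-server -n aerospike -- id)"
#   kubectl exec aerocluster-0-0 -c aerospike-server -n aerospike -- ls -la /test/dev | check_devices 1001 1001
```

A root-owned device node alongside a correct `id` result usually means the runtime flag from the Requirements section is missing on the node that hosts the pod.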

If the Aerospike cluster pods do not switch to Running status in a few minutes, refer to the [Troubleshooting Guide](https://aerospike.com/docs/kubernetes/reference/troubleshooting).