Create an Aerospike cluster on Kubernetes with a non-root user
To deploy a non-root Aerospike cluster with AKO, create an Aerospike CR file that describes the cluster.
At minimum, include the cluster size, Aerospike configuration, and system resources.
Then use kubectl to apply the CR file to your Kubernetes cluster.
Requirements
Configure CRI container runtimes (containerd, CRI-O)
For non-root containers to use devices, cluster administrators must opt in to the functionality by setting device_ownership_from_security_context = true on each worker node.
The flag is available in the CRI-O v1.22 release and in containerd v1.6.6 and later.
For more details, see Non-root containers and devices.
For containerd, set:
    [plugins]
      [plugins."io.containerd.grpc.v1.cri"]
        device_ownership_from_security_context = true
For CRI-O, set:
    [crio.runtime]
    device_ownership_from_security_context = true
Restart the container runtime service:
    sudo systemctl restart containerd
    # or
    sudo systemctl restart crio
Verify that device_ownership_from_security_context = true is set:
    sudo crictl info
    ...
    "disableHugetlbController": true,
    "device_ownership_from_security_context": true,
    "ignoreImageDefinedVolumes": false,
    "netnsMountsUnderStateDir": false,
    ...
Install Aerospike Kubernetes Operator
Before deploying your Aerospike cluster, install Aerospike Kubernetes Operator on your Kubernetes cluster by using either:
Prepare the namespace, storage and secrets
Before creating your Aerospike cluster CR, create the required namespace, storage and secrets using either:
Create Aerospike Cluster CR
See the cluster configuration settings for details on the Aerospike cluster CR file. You can find sample CR files for different configurations in the main Aerospike Kubernetes Operator repository.
Edit the CR file to add a securityContext section under podSpec.
    ...
      podSpec:
        multiPodPerHost: true
        securityContext:
          runAsUser: 1001
          runAsGroup: 1001
          fsGroup: 1001
    ...
Deploy the Aerospike Cluster
Use kubectl apply to apply the CR file you created and deploy the Aerospike cluster.
    kubectl apply -f config/samples/ssd_storage_cluster_cr.yaml
Verify cluster status
Use kubectl get statefulset to ensure AKO creates the StatefulSets for the cluster defined in the CR file.
    kubectl get statefulset -n aerospike
    NAME            READY   AGE
    aerocluster-0   2/2     24s
Use kubectl get pods to check the pods to confirm the status. This step may take time as the pods provision resources, initialize, and become ready.
Wait for the pods to switch to the Running state before you continue.
    kubectl get pods -n aerospike
    NAME              READY   STATUS    RESTARTS   AGE
    aerocluster-0-0   1/1     Running   0          48s
    aerocluster-0-1   1/1     Running   0          48s
To verify the results, check the user and group ID that the container runs as.
They should be set to non-zero values as configured in the securityContext section in the CR file.
    kubectl exec -it aerocluster-0-0 -c aerospike-server -n aerospike -- id
    uid=1001 gid=1001 groups=1001
Next, check that the ownership and permissions of the device node give access to runAsUser and runAsGroup:
    kubectl exec -it aerocluster-0-0 -c aerospike-server -n aerospike -- ls -la /test/dev # Block device path /test/dev/xvdf
    total 8
    drwxr-xr-x 2 root root 4096 Sep 29 18:30 .
    drwxr-xr-x 3 root root 4096 Sep 29 18:30 ..
    brw-rw---- 1 1001 1001 8, 64 Sep 29 18:30 xvdf
If the Aerospike cluster pods do not switch to Running status in a few minutes, refer to the Troubleshooting Guide.
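The three checks on this page (runtime opt-in, container user, device node ownership) can be scripted over the text those commands print. The following is an added example, not part of the Aerospike documentation or AKO; the function names are hypothetical and the sample inputs are constructed from the outputs shown above.

```shell
#!/bin/sh
# Added example: checks over the text output of the commands on this page.
# Function names are hypothetical; sample inputs below are constructed.

# `crictl info` JSON on stdin -> success if the runtime opt-in is enabled.
runtime_flag_enabled() {
    grep -Eq '"device_ownership_from_security_context"[[:space:]]*:[[:space:]]*true'
}

# Extract a numeric field (uid or gid) from `id` output.
# Handles both "uid=1001" and "uid=1001(name)".
id_field() {
    printf '%s\n' "$2" | sed -n "s/.*$1=\([0-9][0-9]*\).*/\1/p"
}

# Succeeds only when both uid and gid in the `id` output are non-zero.
id_is_nonroot() {
    uid=$(id_field uid "$1")
    gid=$(id_field gid "$1")
    [ -n "$uid" ] && [ -n "$gid" ] && [ "$uid" -ne 0 ] && [ "$gid" -ne 0 ]
}

# $1 = one `ls -la` line for the device, $2 = runAsUser, $3 = runAsGroup.
# Succeeds when the entry is a block device that the user or the group can
# read and write. Owner and group are compared as printed (numeric on this page).
device_accessible() {
    printf '%s\n' "$1" | awk -v uid="$2" -v gid="$3" '
        { mode = $1; owner = $3; group = $4 }
        substr(mode, 1, 1) != "b" { exit 1 }
        owner == uid && substr(mode, 2, 2) == "rw" { ok = 1 }
        group == gid && substr(mode, 5, 2) == "rw" { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# Constructed sample inputs, shaped like the outputs shown on this page.
sample_info='"device_ownership_from_security_context": true,'
sample_id='uid=1001 gid=1001 groups=1001'
sample_dev='brw-rw---- 1 1001 1001 8, 64 Sep 29 18:30 xvdf'

printf '%s\n' "$sample_info" | runtime_flag_enabled && echo "runtime opt-in: ok"
id_is_nonroot "$sample_id" && echo "container user is non-root: ok"
device_accessible "$sample_dev" 1001 1001 && echo "device node access: ok"
```

Against a live cluster, pipe `sudo crictl info` into `runtime_flag_enabled` on each worker node and pass the `kubectl exec` outputs to the other two functions; `ls -lan` forces numeric owner and group IDs if the image maps them to names.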