
How to Make Veeam Kasten for Kubernetes Grafana Pod rootless

KB ID: 4630
Product: Veeam Kasten for Kubernetes
Published: 2024-06-17
Last Modified: 2024-06-17

Purpose

This article explains how to disable the init container in k10-grafana so that the Grafana pod runs rootless.

Cause

A Veeam Kasten for Kubernetes installation provides an instance of Grafana that is deployed automatically and can be used to query metrics from Kasten's Prometheus instance. This Grafana pod runs as the user `grafana`, with the UID and GID set to 472. However, by default, Veeam Kasten for Kubernetes uses an init container, which runs as root, to prepare the filesystem for Grafana.

Below are the default values for Grafana in the Veeam Kasten for Kubernetes Helm chart:

grafana:
    securityContext:
        runAsUser: 472
        runAsGroup: 472
        fsGroup: 472
    initChownData:
        enabled: true

The only function of the init container (init-chown-data) is to set up the filesystem in the Grafana PVC with the proper permissions. By using `fsGroup` in the Grafana pod's securityContext, or by manually changing the ownership (for shared filesystems like NFS), the init container can be eliminated.

Solution

This article provides instructions for the two types of storage class with which the Grafana PVC can be provisioned:

  • Storage that supports the fsGroup parameter
  • Shared filesystem (e.g., NFS)

Storage that supports the fsGroup parameter

By default, k10-grafana runs with fsGroup=472. All the files created by Grafana will have GID=472, and Kubernetes (or the CSI driver) will set the same GID for all the files in the storage.
This means that no additional securityContext is needed if fsGroup is supported. The following Helm values can be used to disable the init container (init-chown-data) in k10-grafana.

grafana:
    securityContext:
        runAsUser: 472
        runAsGroup: 472
        fsGroup: 472
    initChownData:
        enabled: false

Shared Filesystem (e.g., NFS)

For shared filesystems, the "var/lib/grafana" directory has to be created manually on the shared filesystem and the correct owner set for it.

Below are the commands to create the directory structure and change the ownership of the directories to the user that the k10-grafana container uses.

# Create the directory structure
mkdir -p var/lib/grafana
# Change ownership recursively
chown -R 472:472 var/lib/grafana

These commands assume that the current working directory is inside the Veeam Kasten for Kubernetes Grafana PVC or the directory referenced in the Veeam Kasten for Kubernetes Grafana PV (in the case of NFS volumes).

The Helm values below can be used to disable the init container (init-chown-data) in k10-grafana.

grafana:
    securityContext:
        runAsUser: 472
        runAsGroup: 472
    initChownData:
        enabled: false
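
To confirm the result for either storage type, the following added example (not part of the original article or the Kasten chart) audits a pod spec for containers that can still run as root. The sample JSON is constructed to mirror the default values shown above; in practice the input would be the JSON output of `kubectl get pod -o json` for the Grafana pod.

```python
import json
import sys

# Constructed sample: a trimmed pod spec reflecting the chart defaults described
# above (pod-level UID/GID 472, plus the init-chown-data init container as root).
SAMPLE_DEFAULT = json.loads("""
{"spec": {
  "securityContext": {"runAsUser": 472, "runAsGroup": 472, "fsGroup": 472},
  "initContainers": [{"name": "init-chown-data",
                      "securityContext": {"runAsUser": 0}}],
  "containers": [{"name": "grafana"}]
}}
""")


def root_findings(pod):
    """Return (container name, reason) pairs for containers that may run as root."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind) or []:
            sc = c.get("securityContext") or {}
            # A container-level runAsUser overrides the pod-level value.
            uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
            if uid == 0:
                findings.append((c["name"], "runAsUser is 0"))
            elif uid is None:
                # No UID set anywhere: the image's default user applies,
                # which may be root.
                findings.append((c["name"], "runAsUser not set"))
            if sc.get("privileged"):
                findings.append((c["name"], "privileged"))
    return findings


if __name__ == "__main__":
    # Read a pod from stdin when piped; otherwise audit the constructed sample.
    pod = SAMPLE_DEFAULT if sys.stdin.isatty() else json.load(sys.stdin)
    results = root_findings(pod)
    for name, reason in results:
        print(f"{name}: {reason}")
    sys.exit(1 if results else 0)
```

An empty result after the Helm upgrade means no init container or container in the pod is configured to run as UID 0.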