fix: correct security context UIDs to match Sequin image (1000, not 1001) #11
Open
o6uoq wants to merge 1 commit into sequinstream:main from
… 1001) The Sequin Docker image (sequin/sequin) creates its `app` user via `useradd --create-home app` which assigns UID/GID 1000 on Debian. The chart defaults were set to 1001 (Bitnami convention for Bitnami-built images), causing permission errors on fresh installs. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Problem

The chart defaults `containerSecurityContext.runAsUser`, `runAsGroup`, and `podSecurityContext.fsGroup` to `1001` (Bitnami convention for Bitnami-built images). However, the Sequin Docker image (`sequin/sequin`) creates its `app` user with UID/GID 1000 — the default assigned by `useradd --create-home app` in the Dockerfile. This mismatch causes permission errors on fresh installs unless users disable both security contexts.

Fix

Change three values in `values.yaml`:

- `podSecurityContext.fsGroup`
- `containerSecurityContext.runAsUser`
- `containerSecurityContext.runAsGroup`

Backward compatibility

- `containerSecurityContext.enabled: false` / `podSecurityContext.enabled: false` as a workaround are unaffected — their overrides still take effect.
- `adaptSecurityContext: auto` are unaffected — the platform overrides UIDs.

Verification

Testing

- `helm lint .` — passes
- `helm template | kubectl apply --dry-run=server` — all manifests valid
- `kubectl exec deploy/sequin-test -- id` returns `uid=1000(app) gid=1000(app)`
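The `id` check from the Testing list, written as a script that fails when the running UID/GID does not match the chart values or has no passwd entry in the image. This is an added example, not part of the PR or the Sequin chart; `id_num`, `id_name` and `check_id` are hypothetical helper names, and the sample `id` outputs are constructed.

```shell
#!/bin/sh
# Added example. Feed it the output of `kubectl exec deploy/<name> -- id`
# together with the chart's runAsUser / runAsGroup values.

# id_num "<id output>" uid|gid -> numeric id of that field
id_num() {
    rest=${1#*"$2="}
    [ "$rest" != "$1" ] || return 1        # field not present
    printf '%s\n' "${rest%%[!0-9]*}"
}

# id_name "<id output>" uid|gid -> name in parentheses, empty if the id is unnamed
id_name() {
    rest=${1#*"$2="}
    rest=${rest%% *}                       # e.g. "1000(app)" or "1001"
    case $rest in
        *\(*\)) rest=${rest#*\(}; printf '%s\n' "${rest%\)}" ;;
    esac
}

# check_id "<id output>" <runAsUser> <runAsGroup>
# Returns 0 when the process runs as the expected, image-defined user; 1 otherwise.
check_id() {
    uid=$(id_num "$1" uid) && gid=$(id_num "$1" gid) || { echo "unparsable: $1"; return 1; }
    rc=0
    [ "$uid" = "$2" ] || { echo "uid $uid != runAsUser $2"; rc=1; }
    [ "$gid" = "$3" ] || { echo "gid $gid != runAsGroup $3"; rc=1; }
    # An unnamed uid means the image has no passwd entry for it, so files the
    # image created for its own user are not owned by this process.
    [ -n "$(id_name "$1" uid)" ] || { echo "uid $uid has no passwd entry in the image"; rc=1; }
    return $rc
}

# Constructed sample outputs: a pod under the old 1001 defaults, then the fixed ones.
check_id 'uid=1001 gid=1001 groups=1001' 1001 1001 || echo "-> FAIL (old defaults)"
check_id 'uid=1000(app) gid=1000(app) groups=1000(app)' 1000 1000 && echo "-> OK (fixed defaults)"
```

The unnamed-UID test is a heuristic: images built to run as an arbitrary UID will trip it even when permissions are fine.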