authentik: add fsGroup:1000 to server + worker so non-root uid can write /media

PermissionError: [Errno 13] Permission denied: '/media/public' in tenant_files
migration because Authentik container runs as uid 1000 but Longhorn PVC mounts
root:root by default. fsGroup on Pod securityContext recursively chgrps the
PVC mount to gid 1000 + chmods g+rwx.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Andrew Stoltz
2026-05-25 15:58:35 -05:00
parent 495e884c41
commit 03126d5584

@@ -227,6 +227,11 @@ spec:
labels: labels:
app: authentik-server app: authentik-server
spec: spec:
securityContext:
# Authentik image runs as uid 1000 "authentik" but the Longhorn PVC mounts
# root:root by default. fsGroup recursively chgrp + chmod g+rwx so the
# non-root container can mkdir /media/public during the tenant_files migration.
fsGroup: 1000
containers: containers:
- name: server - name: server
image: ghcr.io/goauthentik/server:2024.12.3 image: ghcr.io/goauthentik/server:2024.12.3
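Review bot: The pod-level securityContext added to the authentik-server template sets only fsGroup, while its comment depends on the image running as uid 1000, and nothing in these lines enforces that. Consider adding runAsNonRoot: true together with runAsUser: 1000 and runAsGroup: 1000 next to fsGroup: 1000, so the pod is rejected at start instead of quietly running as root if the image's default user ever changes.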
@@ -330,6 +335,9 @@ spec:
labels: labels:
app: authentik-worker app: authentik-worker
spec: spec:
securityContext:
# Same as server pod — non-root uid 1000 needs PVC group write.
fsGroup: 1000
containers: containers:
- name: worker - name: worker
image: ghcr.io/goauthentik/server:2024.12.3 image: ghcr.io/goauthentik/server:2024.12.3
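Review bot: fsGroup: 1000 in the authentik-worker securityContext is set without fsGroupChangePolicy, so the default (Always) applies and the kubelet walks the volume to reset group ownership and permissions on every mount, which lengthens pod start as the volume grows. Setting fsGroupChangePolicy: OnRootMismatch here and in the server pod skips that walk when the volume root already has the expected group and permissions. The comment "Same as server pod" would also hold up better if it named the volume the worker writes to, since the hunk does not show the worker's volume mounts.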