Keycloak Operator on DOKS: Postgres fails with '/var/lib/pgsql/data/userdata': Permission denied

Hello,

I’m trying to deploy Keycloak into our test cluster on DigitalOcean Kubernetes (DOKS).

My manifest yaml looks like this:

apiVersion: keycloak.org/v1alpha1
kind: Keycloak
metadata:
  name: mykeycloak
  labels:
    app: mykeycloak
spec:
  instances: 1
  externalDatabase:
    enabled: False

The deploy looks okay at first, but the postgres pod fails to start, and this causes the keycloak pod to fail as well.

$ kubectl get pods
NAME                                 READY   STATUS             RESTARTS   AGE
keycloak-0                           0/1     CrashLoopBackOff   4          7m6s
keycloak-operator-6687dfcbb5-jqb95   1/1     Running            0          100m
keycloak-postgresql-cf5f98bd-24d7m   0/1     CrashLoopBackOff   6          7m6s

Getting the logs shows that it’s a permissions problem with the volume Postgres is trying to use for data:

$ kubectl logs keycloak-postgresql-cf5f98bd-24d7m -p 
mkdir: cannot create directory '/var/lib/pgsql/data/userdata': Permission denied

Some googling finds results like this one, which indicate that the problem is likely with the PersistentVolumeClaim and/or SELinux.

Here’s the pv in question:

$ kubectl describe pv pvc-64eb7143-300e-4c31-9089-99af1732b194
Name:            pvc-64eb7143-300e-4c31-9089-99af1732b194
Labels:          <none>
Annotations:     pv.kubernetes.io/provisioned-by: dobs.csi.digitalocean.com
Finalizers:      [kubernetes.io/pv-protection external-attacher/dobs-csi-digitalocean-com]
StorageClass:    do-block-storage
Status:          Bound
Claim:           keycloak/keycloak-postgresql-claim
Reclaim Policy:  Delete
Access Modes:    RWO
VolumeMode:      Filesystem
Capacity:        1Gi
Node Affinity:   <none>
Message:         
Source:
    Type:              CSI (a Container Storage Interface (CSI) volume source)
    Driver:            dobs.csi.digitalocean.com
    FSType:            ext4
    VolumeHandle:      137d2b18-d8bf-11ea-9cdd-0a58ac14c099
    ReadOnly:          false
    VolumeAttributes:      storage.kubernetes.io/csiProvisionerIdentity=1596724002504-8081-dobs.csi.digitalocean.com
Events:                <none>

Can somebody help figure out what I need to change in order to allow Postgres and Keycloak to start properly in a DO Kubernetes cluster?

Thanks in advance for any help.

I’m having the exact same issue. Any help is much appreciated.

Thanks!


I have the same problem.


Hello, I have the exact same problem with the Keycloak Operator, on an EKS cluster, Kubernetes version 1.17.

+1 Same problem running Keycloak Operator on top of AWS EKS cluster


+1 Same problem running Keycloak Operator on top of an AWS EKS cluster.

Any advice is really appreciated.

In some GitHub posts, they have suggested the solution in OpenShift.

I was able to solve the above issue by patching the database Deployment YAML with the below (the pod-level securityContext, under spec.template.spec):

spec:
  template:
    spec:
      securityContext:
        fsGroup: 2000
        runAsNonRoot: true
        runAsUser: 1000

Thank you! Can you explain a little bit about what this change does/why it’s necessary? Or where did you find this suggestion?
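The following script is an added example for the symptom in the opening post and for the securityContext fix above; it is not from the thread or from the Keycloak project. The CSI driver hands the pod a freshly formatted ext4 volume whose root directory is owned by root with mode 0755, so a container that does not run as root cannot create /var/lib/pgsql/data/userdata in it. Setting fsGroup on the pod's securityContext tells the kubelet to chown the mounted volume to that GID, make it group-writable and set the setgid bit on directories before the container starts, which is what lets a non-root Postgres process create its data directory. runAsUser/runAsNonRoot only pin which user the container runs as; the values 1000 and 2000 are the reply's arbitrary choices, not values the Postgres image requires. The script assumes the names visible in the thread (namespace keycloak, Deployment keycloak-postgresql, claim keycloak-postgresql-claim); the debug pod name pgdata-debug is made up here.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Keycloak operator.
# Usage: ./pgdata-fix.sh debug | patch | apply
NS=${NS:-keycloak}
DEPLOY=${DEPLOY:-keycloak-postgresql}
CLAIM=${CLAIM:-keycloak-postgresql-claim}
RUN_AS_USER=${RUN_AS_USER:-1000}   # arbitrary, taken from the reply above
FS_GROUP=${FS_GROUP:-2000}         # arbitrary, taken from the reply above

# Strategic-merge patch that sets the pod-level securityContext on the
# Deployment. fsGroup is the part that fixes the mkdir failure: kubelet chowns
# the volume to this GID and makes it group-writable before the container runs.
build_patch() {
  cat <<EOF
{"spec":{"template":{"spec":{"securityContext":{"runAsNonRoot":true,"runAsUser":${RUN_AS_USER},"fsGroup":${FS_GROUP}}}}}}
EOF
}

# Throwaway pod that mounts the same PVC and prints who it runs as, the
# owner/mode of the mount point, and whether it can write there. Run it once
# without fsGroup (set FS_GROUP to an empty value is not valid YAML, so remove
# the two securityContext lines by hand) to see "root root drwxr-xr-x", then
# with fsGroup to see the group changed and WRITABLE printed.
# The claim is RWO, so scale the Deployment to 0 before creating this pod.
debug_pod_manifest() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: pgdata-debug
  namespace: ${NS}
spec:
  restartPolicy: Never
  securityContext:
    runAsUser: ${RUN_AS_USER}
    fsGroup: ${FS_GROUP}
  containers:
  - name: inspect
    image: busybox
    command: ["sh", "-c", "id; ls -ldn /var/lib/pgsql/data; touch /var/lib/pgsql/data/.writetest && echo WRITABLE"]
    volumeMounts:
    - name: data
      mountPath: /var/lib/pgsql/data
  volumes:
  - name: data
    persistentVolumeClaim:
      claimName: ${CLAIM}
EOF
}

# Apply the patch and wait for the new Postgres pod to come up.
apply_fix() {
  kubectl -n "$NS" patch deployment "$DEPLOY" --type strategic -p "$(build_patch)"
  kubectl -n "$NS" rollout status deployment "$DEPLOY"
}

case "${1:-}" in
  patch) build_patch ;;
  debug) debug_pod_manifest ;;
  apply) apply_fix ;;
  *) echo "usage: $0 patch|debug|apply" ;;
esac
```

Run `./pgdata-fix.sh debug | kubectl apply -f -` and then `kubectl -n keycloak logs pgdata-debug` to confirm the ownership change before touching the real Deployment; `./pgdata-fix.sh apply` then patches it. One caveat to verify on your cluster: the Deployment is created by the operator, so check after the next reconcile whether the operator has reverted the patch; if it has, the securityContext has to be applied through whatever the operator lets you configure rather than directly on the Deployment.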