Keycloak Operator on DOKS: Postgres fails with '/var/lib/pgsql/data/userdata': Permission denied


I’m trying to deploy Keycloak into our test cluster on DigitalOcean Kubernetes (DOKS).

My manifest yaml looks like this:

kind: Keycloak
  name: mykeycloak
    app: mykeycloak
  instances: 1
    enabled: False

The deploy looks okay at first, but the postgres pod fails to start, and this causes the keycloak pod to fail as well.

$ kubectl get pods
NAME                                 READY   STATUS             RESTARTS   AGE
keycloak-0                           0/1     CrashLoopBackOff   4          7m6s
keycloak-operator-6687dfcbb5-jqb95   1/1     Running            0          100m
keycloak-postgresql-cf5f98bd-24d7m   0/1     CrashLoopBackOff   6          7m6s

Getting the logs shows that it’s a permissions problem with the volume Postgres is trying to use for data:

$ kubectl logs keycloak-postgresql-cf5f98bd-24d7m -p 
mkdir: cannot create directory '/var/lib/pgsql/data/userdata': Permission denied

Some googling finds results like this one, that indicate the problem is likely with the PersistentVolumeClaim and/or SELinux.

Here’s the pv in question:

$ kubectl describe pv pvc-64eb7143-300e-4c31-9089-99af1732b194
Name:            pvc-64eb7143-300e-4c31-9089-99af1732b194
Labels:          <none>
Finalizers:      [ external-attacher/dobs-csi-digitalocean-com]
StorageClass:    do-block-storage
Status:          Bound
Claim:           keycloak/keycloak-postgresql-claim
Reclaim Policy:  Delete
Access Modes:    RWO
VolumeMode:      Filesystem
Capacity:        1Gi
Node Affinity:   <none>
    Type:              CSI (a Container Storage Interface (CSI) volume source)
    FSType:            ext4
    VolumeHandle:      137d2b18-d8bf-11ea-9cdd-0a58ac14c099
    ReadOnly:          false
Events:                <none>

Can somebody help figure out what I need to change in order to allow Postgres and Keycloak to start properly in a DO Kubernetes cluster?

Thanks in advance for any help.

I’m having the exact same issue. Any help is much appreciated.



I have the same problem.

1 Like

Hello i have the exact same problem, with the Keycloak Operator.
On an EKS cluster, Kubernetes version 1.17

+1 Same problem running Keycloak Operator on top of AWS EKS cluster

1 Like

+1 Same problem running keycloak operator on top of AWS EKS Cluster.

Any Advice is really appreciated.

In some github posts, they have suggested the solution in openshift.

I was able to solve the above issue by patching the database deployment yaml with the below.

  fsGroup: 2000
  runAsNonRoot: true
  runAsUser: 1000

Thank you! Can you explain a little bit about what this change does/why it’s necessary? Or where did you find this suggestion?