Hello, I tried to deploy the Boundary controller to EKS (Kubernetes version 1.22), but the container does not have enough privileges to chown the /boundary directory:
chown: /boundary/..2022_07_29_07_35_20.877353490/controller.hcl: Read-only file system
chown: /boundary/..2022_07_29_07_35_20.877353490: Read-only file system
chown: /boundary/..2022_07_29_07_35_20.877353490: Read-only file system
chown: /boundary/controller.hcl: Read-only file system
chown: /boundary/..data: Read-only file system
chown: /boundary: Read-only file system
chown: /boundary: Read-only file system
Could not chown /boundary (may not have appropriate permissions)
Couldn't start Boundary with IPC_LOCK. Disabling IPC_LOCK, please use --privileged or --cap-add IPC_LOCK
The boundary docker image: 0.9
I modified the example resources a bit:
controller.tf:
# Namespace that holds every Boundary controller object declared below
# (Secret, ConfigMap, Deployment and Service).
resource "kubernetes_namespace" "boundary" {
  metadata {
    # Name comes from the module input so the same resources can be applied
    # to several clusters/namespaces.
    name = var.namespace
  }
}
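# Database connection string for the controller, delivered to the pod as a
# Secret and consumed by controller.hcl via `env://POSTGRESS_URL`.
#
# NOTE: the rendered URL (including the password) is stored in Terraform
# state in plaintext; the state backend must be encrypted and access-controlled.
resource "kubernetes_secret" "boundary_url" {
  depends_on = [
    kubernetes_namespace.boundary,
  ]

  metadata {
    name      = "boundary-rds-url"
    labels    = var.controller_labels
    namespace = var.namespace
  }

  # The key is deliberately spelled POSTGRESS_URL: the Deployment's
  # secret_key_ref and the `env://POSTGRESS_URL` line in controller.hcl both
  # reference it, so renaming it here alone would break the controller.
  data = {
    # Username and password are percent-encoded so that characters that are
    # legal in a credential but reserved in a URI (@ : / ? # %) cannot corrupt
    # the connection string. Caveat: urlencode() renders a space as "+", which
    # libpq does not decode back to a space; avoid spaces in the password.
    POSTGRESS_URL = "postgresql://${urlencode(var.database_username)}:${urlencode(var.database_password)}@${var.database_address}:${var.database_port}/${var.database_name}"
  }
}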
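# Single-replica Boundary controller.
#
# The container reads its configuration from the "controller-config"
# ConfigMap (mounted at /boundary) and its database URL from the
# "boundary-rds-url" Secret.
resource "kubernetes_deployment" "boundary" {
  # The ConfigMap and Secret are referenced by attribute further down, which
  # already orders their creation; depends_on is kept so the intent is visible.
  depends_on = [
    kubernetes_namespace.boundary,
    kubernetes_secret.boundary_url,
    kubernetes_config_map.controller_config,
  ]

  metadata {
    name      = var.controller_deployment
    labels    = var.controller_labels
    namespace = var.namespace
  }

  spec {
    replicas = 1

    selector {
      match_labels = var.controller_labels
    }

    template {
      metadata {
        labels = var.controller_labels
      }

      spec {
        volume {
          name = "controller-config"
          config_map {
            # Referencing the resource instead of repeating the literal name
            # makes the ConfigMap a dependency of the Deployment, so the pod is
            # never scheduled before its configuration exists.
            name = kubernetes_config_map.controller_config.metadata[0].name
          }
        }

        container {
          image = "hashicorp/boundary:${var.image_ver}"
          name  = "controller"
          # The variable is spelled "pilicy" in this module; kept as-is because
          # its declaration lives outside this file.
          image_pull_policy = var.image_pull_pilicy

          volume_mount {
            name       = "controller-config"
            mount_path = "/boundary"
            # ConfigMap volumes are mounted read-only by the kubelet regardless
            # of this flag, so `read_only = false` never made the mount
            # writable. The "chown ...: Read-only file system" lines logged at
            # startup come from the image entrypoint trying to chown this
            # mount; setting the flag to true documents the real state.
            read_only = true
          }

          args = [
            "server",
            "-config",
            "/boundary/controller.hcl",
          ]

          env {
            name = "POSTGRESS_URL"
            value_from {
              secret_key_ref {
                # Attribute reference rather than a literal, for the same
                # ordering reason as the ConfigMap volume above.
                name = kubernetes_secret.boundary_url.metadata[0].name
                key  = "POSTGRESS_URL"
              }
            }
          }

          env {
            name  = "HOSTNAME"
            value = "controller"
          }

          # api / cluster / proxy listeners, matching controller.hcl.
          port {
            container_port = 9200
          }
          port {
            container_port = 9201
          }
          port {
            container_port = 9202
          }

          # Both probes hit the plaintext API listener (tls_disable = true in
          # controller.hcl). If TLS is enabled on that listener the probes need
          # `scheme = "HTTPS"` or they will fail the rollout.
          liveness_probe {
            http_get {
              path = "/"
              port = 9200
            }
          }

          readiness_probe {
            http_get {
              path = "/"
              port = 9200
            }
          }
        }
      }
    }
  }
}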
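# Boundary controller configuration, rendered into the pod at
# /boundary/controller.hcl through the Deployment's ConfigMap volume.
resource "kubernetes_config_map" "controller_config" {
  depends_on = [
    kubernetes_namespace.boundary,
  ]

  metadata {
    name      = "controller-config"
    labels    = var.controller_labels
    namespace = var.namespace
  }

  # `<<-EOF` is an indented heredoc: the common leading whitespace is stripped
  # from the rendered file. Inside the heredoc only `${...}` expressions are
  # evaluated by Terraform; everything else is copied verbatim. The original
  # `kms_key_id = aws_kms_alias.root.kms_id` lines had no `${}` and were
  # therefore written into controller.hcl as literal text rather than a key id.
  # The kms lines below assume aws_kms_alias.root / .worker_auth / .recovery
  # are declared elsewhere in this module -- confirm before applying.
  data = {
    "controller.hcl" = <<-EOF
      # mlock is unavailable in an unprivileged container (the image otherwise
      # logs "Couldn't start Boundary with IPC_LOCK"). The documented key is
      # disable_mlock; the previous spelling "disable_mlok" does not match it.
      disable_mlock = true

      controller {
        name        = "scylla-cloud-boundary"
        description = "Boundary controller"
        database {
          # Read from the POSTGRESS_URL environment variable injected by the
          # Deployment's secret_key_ref.
          url = "env://POSTGRESS_URL"
        }
      }

      # All three listeners are plaintext (tls_disable = true) and bind every
      # interface. Fine for a test cluster; enable TLS on, or terminate it in
      # front of, these listeners before exposing them beyond the cluster.
      listener "tcp" {
        address     = "0.0.0.0"
        purpose     = "api"
        tls_disable = true
      }

      listener "tcp" {
        address     = "0.0.0.0"
        purpose     = "cluster"
        tls_disable = true
      }

      listener "tcp" {
        address     = "0.0.0.0"
        purpose     = "proxy"
        tls_disable = true
      }

      kms "awskms" {
        purpose    = "root"
        kms_key_id = "${aws_kms_alias.root.target_key_id}"
      }

      kms "awskms" {
        purpose    = "worker-auth"
        kms_key_id = "${aws_kms_alias.worker_auth.target_key_id}"
      }

      kms "awskms" {
        purpose    = "recovery"
        kms_key_id = "${aws_kms_alias.recovery.target_key_id}"
      }
    EOF
  }
}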
# In-cluster Service in front of the controller pod, exposing the three
# listeners declared in controller.hcl (api 9200, cluster 9201, proxy 9202).
resource "kubernetes_service" "boundary_controller" {
  depends_on = [
    kubernetes_namespace.boundary,
  ]

  metadata {
    namespace = var.namespace
    name      = var.controller_deployment
    labels    = var.controller_labels
  }

  spec {
    # Pods are selected by the same label set the Deployment stamps on them.
    selector = var.controller_labels
    type     = "ClusterIP"

    # Service port and container port are identical for every listener.
    port {
      name        = "api"
      port        = 9200
      target_port = 9200
    }

    port {
      name        = "cluster"
      port        = 9201
      target_port = 9201
    }

    port {
      name        = "data"
      port        = 9202
      target_port = 9202
    }
  }
}