2121 - [ From FiftyOne Enterprise Version 2.0.0 or Higher] ( #from-fiftyone-enterprise-version-200-or-higher )
2222 - [ FiftyOne Enterprise v2.19+ Telemetry Sidecars] ( #fiftyone-enterprise-v219-telemetry-sidecars )
2323 - [ Cluster Requirements] ( #cluster-requirements )
24+ - [ Volume ownership (upgrading from v2.18 or earlier)] ( #volume-ownership-upgrading-from-v218-or-earlier )
2425 - [ Opting out of Telemetry] ( #opting-out-of-telemetry )
2526 - [ FiftyOne Enterprise v2.16+ Additional API Routes] ( #fiftyone-enterprise-v216-additional-api-routes )
2627 - [ FiftyOne Enterprise v2.15+ Additional API Routes] ( #fiftyone-enterprise-v215-additional-api-routes )
@@ -169,17 +170,16 @@ opt into a `PersistentVolumeClaim` with
169170
1701711. **`shareProcessNamespace: true`** is set on all four workloads so
171172 the sidecar can read `/proc/<pid>/fd/1` of the target container.
172- 1. **The teams-do sidecar runs as root with `SYS_PTRACE`** (required for
173- `py-spy` and `/proc` access).
174- Clusters that enforce
175- [Pod Security Admission][psa]
176- `restricted`, or admission policies (OPA/Gatekeeper, Kyverno) that
177- block `runAsUser: 0` or capability adds, will reject these pods at
178- admission.
179- On such clusters, either:
180- - allow the chart' s ` namespace.name` namespace at PSA ` baseline`
181- (or relax the relevant admission policy), or
182- - disable telemetry with ` telemetry.enabled: false` .
173+ 1. **Sidecars run as UID/GID 1000** (matching the workload image' s
174+ user) with ` cap_drop: ALL` . The delegated-operator sidecar
175+ additionally has ` SYS_PTRACE` added (required for ` py-spy` stack
176+ sampling); the other three sidecars run with no capabilities. This
177+ posture is compatible with
178+ [Pod Security Admission][psa] ` restricted` out of the box.
179+ Clusters enforcing additional admission policies (OPA/Gatekeeper,
180+ Kyverno) that explicitly block ` SYS_PTRACE` on the
181+ delegated-operator namespace can either allow that single capability
182+ or disable telemetry with ` telemetry.enabled: false` .
183183
184184** External Redis:**
185185To point at a managed Redis (ElastiCache, MemoryStore, an existing
@@ -195,6 +195,62 @@ telemetry:
195195The chart skips the bundled Redis' `Deployment` and `Service` and wires
196196every consumer at this URL.
197197
198+ ##### Volume ownership (upgrading from v2.18 or earlier)
199+
200+ In v2.19+ all workloads and their telemetry sidecars run as UID/GID
201+ 1000 (UID/GID 999 for the bundled Redis, matching the upstream
202+ `redis:7-alpine` image). The chart sets `podSecurityContext.fsGroup`
203+ on each pod so Kubernetes group-chowns the mounted volumes at attach
204+ time. For most CSI drivers this is automatic on chart upgrade — no
205+ operator action required.
206+
207+ **Two edge cases need manual remediation:**
208+
209+ 1. **CSI drivers that ignore `fsGroup`** (notably NFS, some Filestore
210+ configurations, certain `ReadWriteMany` volumes): the recursive
211+ chown is skipped, leaving pre-existing data owned by whatever UID
212+ the prior root-running containers wrote it as. The new UID-1000
213+ container can' t write back. Symptom: workload pod crash-loops with
214+ ` PermissionError: [Errno 13]` against ` /opt/plugins` or
215+ ` /data` shortly after a chart upgrade.
216+
217+ Remediate by chowning the volume contents once, from a debug pod
218+ with elevated privileges:
219+
220+ ` ` ` shell
221+ kubectl run -n < namespace> chown-fix --rm -i --restart=Never \
222+ --image=alpine \
223+ --overrides=' {"spec":{"containers":[{"name":"chown-fix","image":"alpine","command":["chown","-R","1000:1000","/v"],"volumeMounts":[{"name":"v","mountPath":"/v"}],"securityContext":{"runAsUser":0}}],"volumes":[{"name":"v","persistentVolumeClaim":{"claimName":"<your-pvc>"}}]}}'
224+ ` ` `
225+
226+ Use UID ` 999` (not ` 1000` ) for the Redis data PVC if you opted into
227+ ` telemetry.redis.persistence.enabled: true` .
228+
229+ 2. ** Very large pre-populated PVs** (e.g. multi-GB ` plugins-vol` ): the
230+ recursive chown on first attach can stall pod startup for several
231+ minutes — readiness probes may fail long enough for the rollout to
232+ look stuck before recovering. Mitigate by setting:
233+
234+ ` ` ` yaml
235+ apiSettings:
236+ podSecurityContext:
237+ fsGroupChangePolicy: OnRootMismatch
238+ fiftyoneAppSettings:
239+ podSecurityContext:
240+ fsGroupChangePolicy: OnRootMismatch
241+ pluginsSettings:
242+ podSecurityContext:
243+ fsGroupChangePolicy: OnRootMismatch
244+ ` ` `
245+
246+ With ` OnRootMismatch` the recursive walk is skipped when the
247+ volume' s root directory already matches the target GID — effectively
248+ a one-time cost rather than per-rollout. Requires Kubernetes 1.23+.
249+
250+ Fresh installs are unaffected: empty PVs come up correctly via
251+ `fsGroup` regardless of CSI driver, and there is no pre-existing
252+ root-owned data to chown.
253+
198254##### Opting out of Telemetry
199255
200256Telemetry is enabled by default.
0 commit comments