Summary
Some clusters enforce strict securityContext (non-root, dropped caps). The bundled Kong image entrypoint/wrapper.sh flow may chown or write generated config under paths that require CHOWN / FOWNER or running as uid 0 during startup.
Operators then patch Kong’s Deployment to run as root temporarily or add POSIX file capabilities so Kong can start reliably.
Suggested direction
- Align chart defaults and documented
securityContext with what the upstream Kong image actually requires for config generation.
- If root is avoidable, ship an entrypoint that writes only to
emptyDir volumes with group-writable paths and run as non-root consistently.
Workaround
Override deployment.kong.securityContext / podSecurityContext in Helm values or post-render patches (e.g. runAsUser: 0, add CHOWN, etc.).
Summary
Some clusters enforce strict
securityContext(non-root, dropped caps). The bundled Kong image entrypoint/wrapper.shflow may chown or write generated config under paths that requireCHOWN/FOWNERor running as uid 0 during startup.Operators then patch Kong’s Deployment to run as root temporarily or add POSIX file capabilities so Kong can start reliably.
Suggested direction
securityContextwith what the upstream Kong image actually requires for config generation.emptyDirvolumes with group-writable paths and run as non-root consistently.Workaround
Override
deployment.kong.securityContext/ podSecurityContext in Helm values or post-render patches (e.g.runAsUser: 0, addCHOWN, etc.).