dekube transform that generates a fix-permissions busybox service for non-root containers with bind-mounted volumes. The Custodian — the 8th monk.
Heresy level: 3/10 — rewrites filesystem ownership behind the user's back. Not malicious, but presumptuous.
Bitnami images (PostgreSQL, Redis, MongoDB) and other non-root containers (`securityContext.runAsUser`) expect Unix permissions on their data directories. The host directory is typically owned by your user (UID 1000), so the container can't write to it. This causes `mkdir: cannot create directory: Permission denied`.
In Kubernetes, init containers or the kubelet handle this. In compose, someone has to chown.
- Scans K8s manifests for containers with `securityContext.runAsUser` (container-level takes precedence over pod-level)
- Inspects the final compose service volumes for bind mounts (`./`, `../`, `/` prefixes)
- Generates a single `fix-permissions` service that runs `chown -R <uid>` as root
Runs at priority 8000 — after everything that touches volumes (bitnami at 1500, flatten-internal-urls at 2000). This ensures it sees the final volume layout, including any rewrites from other transforms.
Every chown is logged to stderr for transparency.
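The scan-and-generate steps above, sketched in Python as an added example (not dekube's own code). It assumes the compose service name matches the workload's `metadata.name`, handles only short-syntax volume strings, and mounts each host path at a hypothetical `/fix/<n>` inside the helper; the sample manifests and services are constructed.

```python
import sys

BIND_PREFIXES = ("./", "../", "/")  # bind-mount prefixes listed above

# Constructed sample input: parsed K8s manifests and final compose services.
MANIFESTS = [
    {"metadata": {"name": "postgresql"}, "spec": {"template": {"spec": {
        "securityContext": {"runAsUser": 1000},
        "containers": [{"securityContext": {"runAsUser": 1001}}]}}}},
    {"metadata": {"name": "redis"}, "spec": {"template": {"spec": {
        "securityContext": {"runAsUser": 999}, "containers": [{}]}}}},
]
SERVICES = {
    "postgresql": {"volumes": ["./data/postgresql:/bitnami/postgresql"]},
    "redis": {"volumes": ["redis-conf:/conf", "/srv/redis:/data"]},
    "web": {"volumes": ["./html:/usr/share/nginx/html:ro"]},
}

def run_as_users(manifests):
    """Workload name -> UID; container-level runAsUser overrides pod-level."""
    uids = {}
    for m in manifests:
        pod = m.get("spec", {}).get("template", {}).get("spec", {})
        pod_uid = pod.get("securityContext", {}).get("runAsUser")
        for c in pod.get("containers", []):
            uid = c.get("securityContext", {}).get("runAsUser", pod_uid)
            if uid is not None:
                # Assumption: compose service name == workload metadata.name
                uids.setdefault(m["metadata"]["name"], uid)
    return uids

def bind_sources(service):
    """Host paths of short-syntax volumes ("source:target[:mode]") that are bind mounts."""
    srcs = [v.split(":", 1)[0] for v in service.get("volumes", []) if isinstance(v, str)]
    return [s for s in srcs if s.startswith(BIND_PREFIXES)]

def fix_permissions_service(manifests, services):
    """One root busybox service that chowns every bind mount, or None."""
    uids, mounts, cmds = run_as_users(manifests), [], []
    for name in sorted(set(services) & set(uids)):
        for src in bind_sources(services[name]):
            target = f"/fix/{len(mounts)}"  # hypothetical mount point in the helper
            mounts.append(f"{src}:{target}")
            cmds.append(f"chown -R {uids[name]} {target}")
            print(f"fix-permissions: chown -R {uids[name]} {src}", file=sys.stderr)
    if not cmds:
        return None
    return {"image": "busybox", "user": "0", "restart": "no",
            "volumes": mounts, "command": ["sh", "-c", " && ".join(cmds)]}
```

The named volume `redis-conf` and the `web` service (no `runAsUser`) are left untouched; only bind mounts of non-root workloads end up in the generated service.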
Built into the helmfile2compose distribution — no install needed.
Via dekube-manager:
```
python3 dekube-manager.py fix-permissions
```

Priority: 8000 (after all other transforms that may add or rewrite volumes).
Public domain.