chore(comment): add comment

2026-05-03 13:43:32 +02:00 · 2026-05-03 13:43:32 +02:00 · e42ff64f7b
parent 122e03f3ec
commit e42ff64f7b
1 changed files with 10 additions and 0 deletions
--- a/prototypes/ocis/helm/ocis.yaml
+++ b/prototypes/ocis/helm/ocis.yaml
@ -102,6 +102,16 @@ services:
        - ReadWriteOnce

  web:
+    # GOTCHA: if this PVC is recreated, /branding/logo POST/DELETE will
+    # 500 with "permission denied". The chart mounts an `apps` emptyDir
+    # at /var/lib/ocis/web/assets/apps; kubelet auto-creates the parent
+    # dirs as root:root 0755 *after* fsGroup runs, and local-path's
+    # hostPath PV doesn't get fsGroup recursion — so user 1000 can't
+    # mkdir themes/ to store the uploaded logo. Was masked while ocis
+    # ran as PSS=privileged (root); surfaced after PSS=restricted.
+    # Remediation: one-shot privileged Job in kube-system, hostPath-
+    # mount the local-path PV directory, `chown -R 1000:1000` it.
+    # Permanent fix: switch to a CSI storageClass (hcloud-volumes).
    persistence:
      enabled: true
      storageClassName: local-path