Add documentation for PVC permissions in Helm deployments

github-actions[bot] · htahir1 · github-actions[bot] · commit db7dfe60fc4e · 2025-11-26T09:20:58.000Z
Add a new section to the Helm deployment documentation explaining the fsGroup security context requirement for persistent volumes. This documents the default podSecurityContext.fsGroup: 1000 setting and warns users about maintaining it when overriding podSecurityContext. Relates to the Helm chart changes that set fsGroup by default to prevent permission errors when using persistent volumes. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Hamza Tahir <htahir1@users.noreply.github.com>
diff --git a/docs/book/getting-started/deploying-zenml/deploy-with-helm.md b/docs/book/getting-started/deploying-zenml/deploy-with-helm.md
@@ -147,6 +147,30 @@ zenml login http://localhost:8080
 
 This is just a simple example only fit for testing and evaluation purposes. For production deployments, you should use an external database and an Ingress service with TLS certificates to secure and expose the ZenML server to the internet.
 
+### Deployment with persistent local database
+
+When using a local SQLite database with persistence enabled, you need to configure proper volume permissions. The ZenML Helm chart sets `podSecurityContext.fsGroup: 1000` by default to ensure the ZenML container (running as UID 1000) can write to the persistent volume.
+
+Example configuration:
+
+```yaml
+zenml:
+  database:
+    persistence:
+      enabled: true
+      size: "10Gi"
+      # storageClassName: ""  # Optional: use default storage class if not specified
+
+# podSecurityContext.fsGroup is set to 1000 by default
+# This ensures the container can write to the persistent volume
+```
+
+{% hint style="warning" %}
+If you override `podSecurityContext` in your custom values, ensure that `fsGroup: 1000` is included. Without this setting, the persistent volume will be mounted with root:root ownership, causing permission errors and preventing the ZenML server from starting.
+{% endhint %}
+
+This configuration is also required when using persistent volumes for database backup dumps. See the [Database backup and recovery](deploy-with-helm.md#database-backup-and-recovery) section for more details.
+
 ### Basic deployment with local database
 
 This deployment use-case still uses a local database, but it exposes the ZenML server to the internet using an Ingress service with TLS certificates generated by the cert-manager and signed by Let's Encrypt.
