FileRise runs cleanly on Kubernetes. The container needs persistent storage and standard env vars.
1) Volumes / PVCs
FileRise expects these writable paths:
/var/www/uploads(file data)/var/www/users(users, admin config, Pro license)/var/www/metadata(indexes, tags, logs)
Example PVCs:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: filerise-uploads
spec:
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 200Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: filerise-users
spec:
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: filerise-metadata
spec:
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 5GiIf you enable encryption at rest, back up /uploads and /metadata together.
2) Deployment example
apiVersion: apps/v1
kind: Deployment
metadata:
name: filerise
spec:
replicas: 1
selector:
matchLabels:
app: filerise
template:
metadata:
labels:
app: filerise
spec:
containers:
- name: filerise
image: error311/filerise-docker:latest
ports:
- containerPort: 80
env:
- name: TIMEZONE
value: "America/New_York"
- name: TOTAL_UPLOAD_SIZE
value: "10G"
- name: SECURE
value: "true"
- name: PERSISTENT_TOKENS_KEY
value: "change_me"
- name: SCAN_ON_START
value: "true"
- name: CHOWN_ON_START
value: "true"
# Recommended behind proxies/subpaths:
# - name: FR_PUBLISHED_URL
# value: "https://example.com/files"
# - name: FR_TRUSTED_PROXIES
# value: "10.0.0.0/8"
volumeMounts:
- name: uploads
mountPath: /var/www/uploads
- name: users
mountPath: /var/www/users
- name: metadata
mountPath: /var/www/metadata
volumes:
- name: uploads
persistentVolumeClaim:
claimName: filerise-uploads
- name: users
persistentVolumeClaim:
claimName: filerise-users
- name: metadata
persistentVolumeClaim:
claimName: filerise-metadata3) Ingress / reverse proxy notes
Subpath deployments (e.g. /files)
For Traefik, the recommended pattern is:
- Route
PathPrefix("/files") - Strip
/filesbefore forwarding to the service - Preserve the prefix with
X-Forwarded-Prefix - Set
FR_PUBLISHED_URL
Example Traefik middleware:
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: filerise-strip-files
namespace: filerise
spec:
stripPrefix:
prefixes:
- /filesIngressRoute example:
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: filerise
namespace: filerise
spec:
entryPoints:
- https
routes:
- match: Host(`example.com`) && PathPrefix(`/files`)
kind: Rule
middlewares:
- name: filerise-strip-files
services:
- name: filerise
port: 8080
tls:
secretName: example-tlsRecommended env:
- name: FR_PUBLISHED_URL
value: "https://example.com/files"If your proxy cannot send X-Forwarded-Prefix, set FR_BASE_PATH=/files instead.
4) Encryption at rest (k8s considerations)
- Encryption keys live in
/metadata - Encrypted content lives in
/uploads - Back up both PVCs together
Encrypted folders disable:
- WebDAV
- Sharing
- ZIP create/extract
- ONLYOFFICE editing
5) Operational tips
- Use a dedicated uploads PVC (avoid mounting massive share roots).
SCAN_ON_START=truefor first run; setfalsefor normal restarts.CHOWN_ON_START=trueis helpful initially; disable after perms are correct.- Single replica is recommended (FileRise assumes a single active instance).