Kubernetes - 为每个卷(而不是每个 pod)设置自定义权限/文件所有权
[英]Kubernetes - setting custom permissions/file ownership per volume (and not per pod)
问题描述
Is there any way to set per-volume permissions/ownership in Kubernetes declaratively?
有没有办法在 Kubernetes 中以声明方式设置每个卷的权限/所有权?
Usecase:用例:
- a pod is composed of two containers, running as two distinct users/groups, both of them non-root, and are unable to
sudo一个 pod 由两个容器组成,作为两个不同的用户/组运行,他们都是非 root,并且无法sudo - the containers mount a volume each, and need to create files in these volumes (eg both of them want to write logs)容器分别挂载一个卷,并需要在这些卷中创建文件(例如,它们都想写入日志)
We know that we can use fsGroup , however that is a pod-level declaration.我们知道我们可以使用fsGroup ,但这是一个 pod 级别的声明。 So even if we pick fsGroup equal to user in first container, then we are going to have permission issues in the other one.所以即使我们在第一个容器中选择 fsGroup 等于用户,那么我们也会在另一个容器中遇到权限问题。 (ref: Kubernetes: how to set VolumeMount user group and file permissions ) (参考: Kubernetes:如何设置 VolumeMount 用户组和文件权限)
2 个解决方案
解决方案1
4 已采纳 2017-10-27 11:35:18
One solution is to use init-container to change permissions of mounted directories .一种解决方案是使用 init-container 更改挂载目录的权限。
The init-container would need to mount both volumes (from both containers), and do the needed chown / chmod operations. init-container 需要挂载两个卷(从两个容器),并执行所需的chown / chmod操作。
Drawbacks:缺点:
- extra container that needs to be aware of other containers' specific (ie. uid/gid)需要了解其他容器特定的额外容器(即 uid/gid)
- init container needs to run as root to perform
chowninit 容器需要以 root 身份运行才能执行chown
解决方案2
0 2019-09-13 04:53:38
It can be done with adding one init container with root access.可以通过添加一个具有 root 访问权限的 init 容器来完成。
initContainers:
- name: changeowner
image: busybox
command: ["sh", "-c", "chown -R 200:200 /<volume>"]
volumeMounts:
- name: <your volume>
mountPath: /<volume>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.