简体繁体 English

Azure Kubernetes 服务 - 持久卷/持久卷声明更改权限

[英]Azure Kubernetes Service - Persistent Volume / Persistent Volume Claim change permissions

原文 2021-09-30 11:51:07 2 1 azure/ kubernetes/ azure-storage/ azure-aks/ persistent-volumes

I'm new with Azure infrastructure and I'm trying to deploy Jenkins on AKS and be able to preserve all of my Jenkins data if the container stopped working and I run with a permissions issue for my newly created PVC.我是 Azure 基础架构的新手，我正在尝试在 AKS 上部署 Jenkins，并且如果容器停止工作并且我在运行时遇到新创建的 PVC 的权限问题，则能够保留我的所有 Jenkins 数据。

I want to change the permissions for a specific folder and files in the PVC and the "chmod" command looks like running but doesn't do anything and the permissions are still set to 777 instead of my wanted permissions.我想更改 PVC 中特定文件夹和文件的权限，“chmod”命令看起来像在运行，但没有做任何事情，权限仍然设置为 777 而不是我想要的权限。

I have noticed that the Storage Class default permissions value for dirs and files are 777 but I need some specific files to be with other permissions.我注意到目录和文件的存储类默认权限值为 777，但我需要一些特定文件具有其他权限。

Can I do this or there is any other option to do this?我可以这样做还是有其他选择可以做到这一点？

1 个解决方案

I want to change the permissions for a specific folder and files in the PVC and the "chmod" command looks like running but doesn't do anything and the permissions are still set to 777 instead of my wanted permissions.我想更改 PVC 中特定文件夹和文件的权限，“chmod”命令看起来像在运行，但没有做任何事情，权限仍然设置为 777 而不是我想要的权限。

If you want to configure permissions in Kubernetes, you must use the security context :如果要在 Kubernetes 中配置权限，则必须使用安全上下文：

A security context defines privilege and access control settings for a Pod or Container.安全上下文定义了 Pod 或容器的权限和访问控制设置。 Security context settings include, but are not limited to:安全上下文设置包括但不限于：

Discretionary Access Control: Permission to access an object, like a file, is based on user ID (UID) and group ID (GID) .自主访问控制：访问对象（如文件）的权限基于用户 ID (UID) 和组 ID (GID) 。

Security Enhanced Linux (SELinux) : Objects are assigned security labels. Security Enhanced Linux (SELinux) ：对象被分配了安全标签。

Running as privileged or unprivileged.以特权或非特权身份运行。

Linux Capabilities : Give a process some privileges, but not all the privileges of the root user. Linux Capabilities ：给进程一些权限，但不是root用户的所有权限。

AppArmor : Use program profiles to restrict the capabilities of individual programs. AppArmor ：使用程序配置文件来限制单个程序的功能。

Seccomp : Filter a process's system calls. Seccomp ：过滤进程的系统调用。

AllowPrivilegeEscalation: Controls whether a process can gain more privileges than its parent process. AllowPrivilegeEscalation：控制进程是否可以获得比其父进程更多的权限。 This bool directly controls whether theno_new_privs flag gets set on the container process.这个 bool 直接控制是否在容器进程上设置no_new_privs标志。 AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged OR 2) has CAP_SYS_ADMIN . AllowPrivilegeEscalation 始终为真，当容器为：1) 作为 Privileged 运行或 2) 具有CAP_SYS_ADMIN 。

readOnlyRootFilesystem: Mounts the container's root filesystem as read-only. readOnlyRootFilesystem：将容器的根文件系统挂载为只读。

The above bullets are not a complete set of security context settings -- please see SecurityContext for a comprehensive list.上述项目符号不是一组完整的安全上下文设置——请参阅SecurityContext以获取完整列表。

For more information about security mechanisms in Linux, see Overview of Linux Kernel Security Features有关 Linux 中安全机制的更多信息，请参阅Linux 内核安全功能概述

In your case, if you want to grant permissions for a specific object (eg a file), you can use Discretionary Access Control :在您的情况下，如果您想授予特定对象（例如文件）的权限，您可以使用Discretionary Access Control ：

Containers that run as root frequently have far more permissions than their workload requires which, in case of compromise, could help an attacker further their attack.以 root 身份运行的容器通常拥有比其工作负载所需的权限多得多的权限，如果受到攻击，可能会帮助攻击者进一步攻击。

Containers still rely on the traditional Unix security model (called discretionary access control or DAC) - everything is a file, and permissions are granted to users and groups.容器仍然依赖于传统的 Unix 安全模型（称为自由访问控制或 DAC）——一切都是一个文件，权限被授予用户和组。

You can also configure volume permission and ownership change policy for Pods .您还可以为 Pod 配置卷权限和所有权更改策略。

See also:也可以看看：