stackoom
  简体   繁体   中英

How can I give my non-root user write permissions on a kubernetes volume mount?

 原文  2023-01-02 15:02:37       kubernetes/ amazon-eks

Question

From my understanding (based on this guide https://snyk.io/blog/10-kube.netes-security-context-settings-you-should-understand/ ), if I have the following security context specified for some kube.netes pod

securityContext:
  # Enforce to be run as non-root user
  runAsNonRoot: true
  # Random values should be fine
  runAsUser: 1001
  runAsGroup: 1001
  # Automatically convert mounts to user group
  fsGroup: 1001
  # For whatever reasons this is not working
  fsGroupChangePolicy: "Always"

I expect this pod to be run as user 1001 with the group 1001. This is working as expected, because running id in the container results in: uid=1001 gid=1001 groups=1001 .

The file system of all mounts should automatically be accessible by user group 1001, because we specified fsGroup and fsGroupChangePolicy . I guess that this also works because when running ls -l in one of the mounted folders, I can see that the access rights for the files look like this: -rw-r--r-- 1 50004 50004 . Ownership is still with the uid and gid it was initialised with but I can see that the file is now readable for others.

The question now is how can I add write permission for my fsGroup those seem to still be missing?

1 answers

solution1
 2  2023-01-02 18:36:43

You need to add an additional init_container in your pod/deployment/{supported_kinds} with the commands to give/change the permissions on the volume mounted on the pod to the userID which container is using while running.

 initContainers:
  - name: volumepermissions
    image: busybox ## any image having linux utilities mkdir,echo,chown will work.
    imagePullPolicy: IfNotPresent
    env:
      - name: "VOLUME_DATA_DIR"
        value: mountpath_for_the_volume
    command:
      - sh
      - -c
      - |
        mkdir -p $VOLUME_DATA_DIR
        chown -R 1001:1001 $VOLUME_DATA_DIR 

        echo 'Volume permissions OK ✓'
    volumeMounts:
      - name: data
        mountPath: mountpath_for_the_volume

This is necessary when a container in a pod is running as a user other than root and needs write permissions on a mounted volume.

if this is a helm template this init container can be created as a template and used in all the pods/deployments/{supported kinds} to change the volume permissions.

Update: As mentioned by @The Fool, it should be working as per the current setup if you are using Kube.netes v1.23 or greater. After v1.23 securityContext.fsGroup and securityContext.fsGroupChangePolicy features went into GA/stable.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question EFS mount on ECS Fargate - Read/write permissions denied for non root user Kubernetes Persistent Volume Mount not found How can I automatically add a kubernetes client secret as a file mount in Terraform? Kubernetes: failed to mount unformatted volume as read only How to give to google function read-write permissions? For the AWS CDK, how can I determine the appropriate IAM policy and permissions to replace a root account? The operation 'uploadBytesResumable' cannot be performed on a root reference, create a non-root reference using child How can I SSH to my GCP Kubernetes cluster? How do I change root volume size of AWS Batch at runtime How can give access to read but not write in firebase firestore settting rules
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM