Kubernetes: how to set VolumeMount user group and file permissions
Solution 1:
The Pod Security Context supports setting an fsGroup, which allows you to set the group ID that owns the volume, and thus who can write to it. The example in the docs:
apiVersion: v1
kind: Pod
metadata:
  name: hello-world
spec:
  containers:
  # specification of the pod's containers
  # ...
  securityContext:
    fsGroup: 1234
More info on this is here
Solution 2:
I ended up with an initContainer with the same volumeMount as the main container to set proper permissions, in my case, for a custom Grafana image.
This is necessary when a container in a pod is running as a user other than root and needs write permissions on a mounted volume.
initContainers:
- name: take-data-dir-ownership
  image: alpine:3
  # Give the `grafana` user (id 472) permissions on the mounted volume
  # https://github.com/grafana/grafana-docker/blob/master/Dockerfile
  command:
  - chown
  - -R
  - 472:472
  - /var/lib/grafana
  volumeMounts:
  - name: data
    mountPath: /var/lib/grafana
- https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
Solution 3:
This came as one of the challenges for Kubernetes Deployments/StatefulSets, when you have to run a process inside a container as a non-root user. But when you mount a volume to a pod, it always gets mounted with the permission of root:root.
So, the non-root user must have access to the folder where it wants to read and write data.
Please follow the below steps for the same.
- Create a user group and assign a group ID in the Dockerfile.
- Create a user with a user ID and add it to the group in the Dockerfile.
- Change ownership recursively for the folders the user process wants to read/write.
- Add the below lines in the Deployment/StatefulSet in the pod spec context:
  spec:
    securityContext:
      runAsUser: 1099
      runAsGroup: 1099
      fsGroup: 1099
runAsUser: Specifies that for any containers in the Pod, all processes run with user ID 1099.
runAsGroup: Specifies the primary group ID of 1099 for all processes within any containers of the Pod. If this field is omitted, the primary group ID of the containers will be root (0). Any files created will also be owned by user 1099 and group 1099 when runAsGroup is specified.
fsGroup: Specifies that any volume attached will be owned by group ID 1099. Any files created under it will have the permissions of nonrootgroup:nonrootgroup.
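Added example, not code from any of the three answers above: a small offline audit that applies the ownership rules the answers describe (a container securityContext overrides the pod's; a volume is mounted root:root unless the pod sets fsGroup or an init container chowns it) to a Pod spec given as a plain dict, the shape yaml.safe_load() produces. It assumes volume types that honour fsGroup; the SAMPLE spec is constructed after solution 2.

```python
# Added example, not code from any answer above: an offline audit that applies the
# rules this page describes (container securityContext overrides the pod's; a volume is
# root:root unless fsGroup is set or an init container chowns it) to a Pod spec dict.
def effective_uid(pod_spec, container):  # container securityContext wins over the pod's; None = image USER
    pod_sc = pod_spec.get("securityContext") or {}
    ctr_sc = container.get("securityContext") or {}
    return ctr_sc.get("runAsUser", pod_sc.get("runAsUser"))

def chowned_to(pod_spec, volume_name):
    """UIDs that an init container in solution 2's style chowns this volume to."""
    owners = set()
    for init in pod_spec.get("initContainers") or []:
        cmd = init.get("command") or []
        mounted = {m["name"] for m in init.get("volumeMounts") or []}
        if cmd[:1] != ["chown"] or volume_name not in mounted:
            continue
        owner = next((a for a in cmd[1:] if not a.startswith("-")), "")  # chown [-R] OWNER[:GROUP] PATH
        if owner.split(":")[0].isdigit():
            owners.add(int(owner.split(":")[0]))
    return owners

def mount_access(pod_spec, container):
    """Map each volumeMount name to whether this container's process can write there."""
    uid = effective_uid(pod_spec, container)
    fs_group = (pod_spec.get("securityContext") or {}).get("fsGroup")
    out = {}
    for m in container.get("volumeMounts") or []:
        name = m["name"]
        if m.get("readOnly"):
            out[name] = "read-only mount"
        elif uid is None:
            out[name] = "unknown: runAsUser unset, the image's USER decides"
        elif uid == 0:
            out[name] = "writable: runs as root"
        elif fs_group is not None:
            out[name] = f"writable: fsGroup {fs_group} group-owns the volume"
        elif uid in chowned_to(pod_spec, name):
            out[name] = f"writable: init container chowned it to uid {uid}"
        else:
            out[name] = "NOT writable: volume is root:root and no fsGroup is set"
    return out

SAMPLE = {  # constructed, in the shape of solution 2: non-root Grafana, no fsGroup, chown init container
    "securityContext": {"runAsUser": 472, "runAsGroup": 472},
    "initContainers": [{"name": "fix-perms", "command": ["chown", "-R", "472:472", "/var/lib/grafana"],
                        "volumeMounts": [{"name": "data", "mountPath": "/var/lib/grafana"}]}],
    "containers": [{"name": "grafana", "volumeMounts": [
        {"name": "data", "mountPath": "/var/lib/grafana"},
        {"name": "cfg", "mountPath": "/etc/grafana", "readOnly": True}]}],
}
```

Running `mount_access(SAMPLE, SAMPLE["containers"][0])` reports the data volume as writable only because of the chown init container; dropping that init container, or the fsGroup in solution 3's spec, flips the verdict to NOT writable.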