I'm running a Kubernetes cluster on AWS using kops. I've mounted an EBS volume onto a container and it is visible from my application but it's read only because my application does not run as root. How can I mount a PersistentVolumeClaim as a user other than root? The VolumeMount does not seem to have any options to control the user, group or file permissions of the mounted path.
Here is my Deployment yaml file:

    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
      name: notebook-1
    spec:
      replicas: 1
      template:
        metadata:
          labels:
            app: notebook-1
        spec:
          volumes:
          - name: notebook-1
            persistentVolumeClaim:
              claimName: notebook-1
          containers:
          - name: notebook-1
            image: jupyter/base-notebook
            ports:
            - containerPort: 8888
            volumeMounts:
            - mountPath: "/home/jovyan/work"
              name: notebook-1

The emptyDir volume type can be generated by creating a volume first, and then we have to declare the name in the pod. A pod can be created by using the kubectl command in its manifest under the volume property section. The container can be run by using the below command.
The Pod Security Context supports setting an fsGroup, which allows you to set the group ID that owns the volume, and thus who can write to it. The example in the docs:

    apiVersion: v1
    kind: Pod
    metadata:
      name: hello-world
    spec:
      containers:
      # specification of the pod's containers
      # ...
      securityContext:
        fsGroup: 1234

More info on this is here
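
The fsGroup setting from this answer applied to the Deployment in the question, as an added example that is not part of the original answer. It assumes the jupyter/base-notebook image runs as UID 1000 with primary GID 100; run `id` inside the container to confirm and adjust the numbers if they differ.

```yaml
# Added example: the question's Deployment with a pod-level securityContext.
# Assumption: the image's user (jovyan) is UID 1000 / GID 100.
apiVersion: extensions/v1beta1      # kept as in the question
kind: Deployment
metadata:
  name: notebook-1
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: notebook-1
    spec:
      securityContext:
        # Refuse to start any container in the pod that would run as UID 0.
        runAsNonRoot: true
        # Run the container processes as the unprivileged user (assumed UID).
        runAsUser: 1000
        # Volumes that support ownership management (EBS does) are made
        # group-owned by this GID and group-writable at mount time, and the
        # GID is added to the container's supplementary groups.
        fsGroup: 100
      volumes:
      - name: notebook-1
        persistentVolumeClaim:
          claimName: notebook-1
      containers:
      - name: notebook-1
        image: jupyter/base-notebook
        securityContext:
          # The notebook process has no need to gain privileges via setuid binaries.
          allowPrivilegeEscalation: false
        ports:
        - containerPort: 8888
        volumeMounts:
        - mountPath: "/home/jovyan/work"
          name: notebook-1
```

With this in place no root-owned step is needed to fix ownership, and `ls -ld /home/jovyan/work` inside the container should show group 100 with group write permission.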
I ended up with an initContainer with the same volumeMount as the main container to set proper permissions, in my case, for a custom Grafana image.
This is necessary when a container in a pod is running as a user other than root and needs write permissions on a mounted volume.

    initContainers:
    - name: take-data-dir-ownership
      image: alpine:3
      # Give `grafana` user (id 472) permissions on a mounted volume
      # https://github.com/grafana/grafana-docker/blob/master/Dockerfile
      command:
      - chown
      - -R
      - 472:472
      - /var/lib/grafana
      volumeMounts:
      - name: data
        mountPath: /var/lib/grafana