Kubernetes: how to set VolumeMount user group and file permissions

I'm running a Kubernetes cluster on AWS using kops. I've mounted an EBS volume onto a container and it is visible from my application but it's read only because my application does not run as root. How can I mount a PersistentVolumeClaim as a user other than root? The VolumeMount does not seem to have any options to control the user, group or file permissions of the mounted path.

Here is my Deployment yaml file:

```yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: notebook-1
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: notebook-1
    spec:
      volumes:
      - name: notebook-1
        persistentVolumeClaim:
          claimName: notebook-1
      containers:
      - name: notebook-1
        image: jupyter/base-notebook
        ports:
        - containerPort: 8888
        volumeMounts:
        - mountPath: "/home/jovyan/work"
          name: notebook-1
```
Mikhail Janowski asked Apr 21 '17 13:04



2 Answers

The Pod Security Context supports setting an fsGroup, which allows you to set the group ID that owns the volume, and thus who can write to it. The example in the docs:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: hello-world
spec:
  containers:
  # specification of the pod's containers
  # ...
  securityContext:
    fsGroup: 1234
```

More info on this is here

AlexBrand answered Sep 17 '22 13:09
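Applied to the Deployment from the question, this is an added example (not part of either answer or of the Kubernetes docs) of the fsGroup approach. It assumes that jupyter/base-notebook starts as uid 1000 / gid 100 (check with `docker run --rm jupyter/base-notebook id`), and that the cluster runs Kubernetes 1.20 or newer, which is when `fsGroupChangePolicy` became available; the `securityContext` values and the `apps/v1` API group are the changes, everything else is the question's manifest.

```yaml
apiVersion: apps/v1            # extensions/v1beta1 was removed in Kubernetes 1.16
kind: Deployment
metadata:
  name: notebook-1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: notebook-1
  template:
    metadata:
      labels:
        app: notebook-1
    spec:
      securityContext:
        runAsUser: 1000          # assumed: the jovyan uid in jupyter/base-notebook
        runAsGroup: 100          # assumed: the gid the image uses for jovyan
        runAsNonRoot: true       # refuse to start if the image would run as root
        fsGroup: 100             # kubelet makes the volume group-owned by gid 100
                                 # and sets the setgid bit so new files inherit it
        fsGroupChangePolicy: "OnRootMismatch"  # skip the recursive chown when the
                                               # volume root already has the right owner
      volumes:
      - name: notebook-1
        persistentVolumeClaim:
          claimName: notebook-1
      containers:
      - name: notebook-1
        image: jupyter/base-notebook
        securityContext:
          allowPrivilegeEscalation: false
        ports:
        - containerPort: 8888
        volumeMounts:
        - mountPath: "/home/jovyan/work"
          name: notebook-1
```

After applying it, `kubectl exec deploy/notebook-1 -- sh -c 'id && ls -ld /home/jovyan/work && touch /home/jovyan/work/.write-test'` should show gid 100 in the process's groups, a directory group-owned by 100 with the setgid bit, and a successful write. Two caveats: fsGroup is honoured only by volume types that support ownership management (block-backed volumes such as EBS do; hostPath and NFS do not, where the server's ownership wins), and without `OnRootMismatch` the kubelet re-chowns every file on each pod start, which is slow on large volumes.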


I ended up with an initContainer with the same volumeMount as the main container to set proper permissions, in my case, for a custom Grafana image.

This is necessary when a container in a pod is running as a user other than root and needs write permissions on a mounted volume.

```yaml
initContainers:
- name: take-data-dir-ownership
  image: alpine:3
  # Give the `grafana` user (id 472) ownership of the mounted volume
  # https://github.com/grafana/grafana-docker/blob/master/Dockerfile
  command:
  - chown
  - -R
  - 472:472
  - /var/lib/grafana
  volumeMounts:
  - name: data
    mountPath: /var/lib/grafana
```
  • https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
sshow answered Sep 18 '22 13:09
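As an added example (not the answerer's own manifest), the init-container pattern above written out as a complete Deployment in which root exists only inside the init container, for the one `chown`, while the Grafana container itself runs as uid 472 with no capabilities. The image name `grafana/grafana`, the PVC name `grafana-data` and the capability set on the init container are assumptions, not something the answer states.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: grafana
spec:
  replicas: 1
  selector:
    matchLabels:
      app: grafana
  template:
    metadata:
      labels:
        app: grafana
    spec:
      volumes:
      - name: data
        persistentVolumeClaim:
          claimName: grafana-data          # assumed PVC name
      initContainers:
      - name: take-data-dir-ownership
        image: alpine:3
        # Root is needed only here and only for chown; the main container never gets it.
        securityContext:
          runAsUser: 0
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
            # CHOWN for the ownership change itself; DAC_READ_SEARCH so the recursive
            # walk can enter directories a previous run left owned by 472 with mode 0700
            add: ["CHOWN", "DAC_READ_SEARCH"]
        command: ["chown", "-R", "472:472", "/var/lib/grafana"]
        volumeMounts:
        - name: data
          mountPath: /var/lib/grafana
      containers:
      - name: grafana
        image: grafana/grafana             # assumed; the answer used a custom image
        securityContext:
          runAsUser: 472
          runAsGroup: 472
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
        ports:
        - containerPort: 3000
        volumeMounts:
        - name: data
          mountPath: /var/lib/grafana
```

Prefer the fsGroup approach from the first answer where the volume type supports it: it needs no root at all in the pod. The init container is the fallback for volumes the kubelet will not re-own, or for images that need an exact uid rather than group access; keep its command to the single `chown` so that a cluster policy (Pod Security admission `restricted` profile, or an admission controller) can still reject any other root workload.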