I'm using an NFS-mounted volume in my deployments. I need to give it the fsGroup like below:
securityContext:
  runAsUser: 1000
  runAsGroup: 3000
  fsGroup: 2000
Is there a way to do this in the deployment manifest? As far as I can see in the documentation, I can set the securityContext in the pod YAML only.
A security context defines privilege and access control settings for a Pod or Container. Security context settings include, but are not limited to: Discretionary Access Control: Permission to access an object, like a file, is based on user ID (UID) and group ID (GID).
You can use the securityContext in a Deployment in the same way you use it inside a Pod.
As was already suggested, place it under template.spec:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-deployment
  labels:
    app: test
spec:
  replicas: 3
  selector:
    matchLabels:
      app: test
  template:
    metadata:
      labels:
        app: test
    spec:
      securityContext:
        runAsUser: 2000
        runAsGroup: 3000
        fsGroup: 2000
      containers:
      - name: test
        image: busybox
        ports:
        - containerPort: 80
        command: [ "sh", "-c", "sleep 1h" ]
And you can test it:
$ kubectl exec -it test-deployment-54d954d7f-2b582 -- sh
/ $ ps
PID   USER     TIME  COMMAND
    1 2000      0:00 sleep 1h
    6 2000      0:00 sh
   11 2000      0:00 ps
/ $ whoami
whoami: unknown uid 2000
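An added example, not part of the original answer: a container-level securityContext overrides the pod-level runAsUser and runAsGroup set under template.spec, while fsGroup exists only at pod level, so this sketch computes the effective values per container from a Deployment's JSON. The sample manifest is constructed from the answer's Deployment, and the "sidecar" container is a hypothetical addition to show an override.

```python
import json

# Constructed sample: the answer's Deployment as trimmed `kubectl get deployment -o json`
# output, plus a hypothetical "sidecar" container that overrides runAsUser.
SAMPLE = json.loads("""
{
  "metadata": {"name": "test-deployment"},
  "spec": {"template": {"spec": {
    "securityContext": {"runAsUser": 2000, "runAsGroup": 3000, "fsGroup": 2000},
    "containers": [
      {"name": "test", "image": "busybox"},
      {"name": "sidecar", "image": "busybox", "securityContext": {"runAsUser": 0}}
    ]
  }}}
}
""")

ID_FIELDS = ("runAsUser", "runAsGroup")  # valid at both pod and container level


def effective_contexts(deployment):
    """Return {container name: effective runAsUser/runAsGroup/fsGroup}."""
    pod_spec = deployment["spec"]["template"]["spec"]
    pod_sc = pod_spec.get("securityContext") or {}
    result = {}
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        ctr_sc = c.get("securityContext") or {}
        # A container-level value wins; otherwise the pod-level value is inherited.
        eff = {f: ctr_sc.get(f, pod_sc.get(f)) for f in ID_FIELDS}
        eff["fsGroup"] = pod_sc.get("fsGroup")  # pod-level only
        result[c["name"]] = eff
    return result


def findings(deployment):
    """Flag containers with no explicit UID or UID 0, and a missing fsGroup."""
    out = []
    for name, eff in effective_contexts(deployment).items():
        if eff["runAsUser"] is None:
            out.append(f"{name}: runAsUser unset, image default applies")
        elif eff["runAsUser"] == 0:
            out.append(f"{name}: runs as root (UID 0)")
        if eff["fsGroup"] is None:
            out.append(f"{name}: no fsGroup on the pod template")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE) or ["no findings"]:
        print(line)
```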