Kubernetes: How to Set Up User Groups and VolumeMount User Accounts

I am running a Kubernetes cluster on AWS using kops. I connected the EBS volume to the container and it is visible from my application, but it is read-only because my application does not start with root privileges. How do I mount a PersistentVolumeClaim as a non-root user? VolumeMount does not seem to have any parameters for managing the rights of the user, group, or files of the mounted path.

Here is my deployment yaml file:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: notebook-1
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: notebook-1
    spec:
      volumes:
      - name: notebook-1
        persistentVolumeClaim:
          claimName: notebook-1
      containers:
      - name: notebook-1
        image: jupyter/base-notebook
        ports:
        - containerPort: 8888
        volumeMounts:
        - mountPath: "/home/jovyan/work"
          name: notebook-1
+29

5 answers

Use the Pod's fsGroup:

apiVersion: v1
kind: Pod
metadata:
  name: hello-world
spec:
  containers:
  # specification of the pod containers
  # ...
  securityContext:
    fsGroup: 1234


+27

Use an initContainer on the volumeMount, as Grafana does:

initContainers:
- name: take-data-dir-ownership
  image: alpine:3.6
  # Give the 'grafana' user (id 472) ownership of the mounted volume
  # https://github.com/grafana/grafana-docker/blob/master/Dockerfile
  command:
  - chown
  - -R
  - 472:472
  - /var/lib/grafana
  volumeMounts:
  - name: data
    mountPath: /var/lib/grafana


+19

In k8s 1.10+ there is runAsGroup in addition to fsGroup.

See: https://github.com/kubernetes/features/issues/213

+6

In Kubernetes, containers run as root by default.

  1. groupID in the Dockerfile.
  2. Dockerfile.
  3. /.
  4. Deployment/Statefulset:

    spec:
      securityContext:
        runAsUser: 1099
        runAsGroup: 1099
        fsGroup: 1099
    

RunAsUser

The container runs as user 1099.

RunAsGroup

The primary group of the process is 1099. (Without it the primary group would be root (0); with runAsGroup it is 1099.)

fsGroup

Files on the volume get GroupId 1099, so the volume shows up as nonrootgroup:nonrootgroup.

+1

With an initContainer:

initContainers:
- name: set-dir-owner
  image: busybox:1.29.2
  imagePullPolicy: IfNotPresent
  # With `sh -c`, only the first argument after -c is executed; any further
  # arguments become $0, $1, ... and never run. The commands are therefore
  # joined into one script string.
  command:
  - sh
  - -c
  - chown -R 1000:1000 /usr/share/elasticsearch/data && sysctl -w vm.max_map_count=262144 && chgrp 1000 /usr/share/elasticsearch/data
  resources: {}
  securityContext:
    privileged: true   # needed for sysctl -w; chown alone only needs root
  terminationMessagePath: /dev/termination-log
  terminationMessagePolicy: File
  volumeMounts:                         # volume mount path
  - mountPath: /usr/share/elasticsearch/data
    name: elasticsearch-data

spec:
  containers:
  - securityContext:
      privileged: true
      runAsUser: 1000
0
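The settings the answers above rely on (pod-level fsGroup from the first answer, runAsUser/runAsGroup/fsGroup from the fourth, and the `sh -c` init container from the last one) as a small pod-spec linter. This is an added example, not code from the question or from any of the answers. The pod spec is the question's own Deployment template retyped as a Python dict so the script runs offline without a YAML library; the init container input is the last answer's command list as originally posted. UID 1000 / GID 100 for the jupyter image, the severity labels, and the `lint_pod_spec` / `harden` names are this example's own assumptions, not Kubernetes APIs.

```python
"""Lint a pod spec for the non-root volume-permission problem from the question.

Added example, not code from the question or any answer. Severity names and the
harden() helper are this example's own conventions, not Kubernetes APIs.
"""
import copy

# Constructed input: the question's pod template (spec.template.spec) as a dict.
QUESTION_POD_SPEC = {
    "volumes": [{"name": "notebook-1",
                 "persistentVolumeClaim": {"claimName": "notebook-1"}}],
    "containers": [{
        "name": "notebook-1",
        "image": "jupyter/base-notebook",
        "ports": [{"containerPort": 8888}],
        "volumeMounts": [{"mountPath": "/home/jovyan/work", "name": "notebook-1"}],
    }],
}

# Constructed input: the last answer's init container command list, as posted
# before the `sh -c` fix (three separate arguments after -c).
SH_C_INIT_SPEC = {
    "initContainers": [{
        "name": "set-dir-owner",
        "image": "busybox:1.29.2",
        "command": ["sh", "-c",
                    "chown -R 1000:1000 /usr/share/elasticsearch/data",
                    "sysctl -w vm.max_map_count=262144",
                    "chgrp 1000 /usr/share/elasticsearch/data"],
        "securityContext": {"privileged": True},
    }],
    "containers": [],
}


def pvc_volume_names(spec):
    """Names of volumes backed by a PersistentVolumeClaim."""
    return {v["name"] for v in spec.get("volumes", [])
            if "persistentVolumeClaim" in v}


def lint_pod_spec(spec):
    """Return a list of (severity, message) findings for a pod spec."""
    findings = []
    sc = spec.get("securityContext", {})
    pvcs = pvc_volume_names(spec)
    mounts_pvc = any(m["name"] in pvcs
                     for c in spec.get("containers", [])
                     for m in c.get("volumeMounts", []))

    if mounts_pvc and "fsGroup" not in sc:
        findings.append(("error", "PVC mounted without pod securityContext.fsGroup: "
                                  "a non-root process will not be able to write to it"))
    if "runAsUser" not in sc and not sc.get("runAsNonRoot"):
        findings.append(("warn", "no runAsUser/runAsNonRoot: the container UID is "
                                 "whatever the image sets, root unless the image says otherwise"))
    if "runAsUser" in sc and "runAsGroup" not in sc:
        findings.append(("warn", "runAsUser without runAsGroup: primary GID stays 0 (root)"))

    for ic in spec.get("initContainers", []):
        if ic.get("securityContext", {}).get("privileged"):
            findings.append(("warn", f"initContainer {ic['name']} is privileged; "
                                     "chown of a volume needs root in the container, not privileged"))
        cmd = ic.get("command", [])
        # `sh -c SCRIPT a b`: only SCRIPT runs; a and b become $0 and $1.
        if len(cmd) > 3 and cmd[:2] == ["sh", "-c"]:
            findings.append(("error", f"initContainer {ic['name']}: `sh -c` is followed by "
                                      f"{len(cmd) - 3} extra argument(s) that will never execute"))
    return findings


def harden(spec, uid, gid):
    """Copy of spec with the pod-level securityContext the answers describe."""
    out = copy.deepcopy(spec)
    sc = out.setdefault("securityContext", {})
    sc.update({"runAsNonRoot": True, "runAsUser": uid,
               "runAsGroup": gid, "fsGroup": gid})
    return out


if __name__ == "__main__":
    for sev, msg in lint_pod_spec(QUESTION_POD_SPEC):
        print(f"[{sev}] {msg}")
    # Assumption: jupyter/base-notebook runs as UID 1000, GID 100.
    print("after harden():", lint_pod_spec(harden(QUESTION_POD_SPEC, 1000, 100)))
    for sev, msg in lint_pod_spec(SH_C_INIT_SPEC):
        print(f"[{sev}] {msg}")
```

Two caveats a practitioner will hit: fsGroup only works on volume types that support ownership management (EBS block volumes do; hostPath and most NFS mounts do not, which is where the chown init container remains the fallback), and on a large volume the recursive ownership change happens on every mount, so on clusters new enough to have it, `fsGroupChangePolicy: OnRootMismatch` in the pod securityContext limits that cost to the first mount.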

Source: https://habr.com/ru/post/1016678/

