Yudi

Reputation: 921

Kubernetes : hostPath storage permissions

Problem : Not able to write in the directory inside the container.

I am using hostPath storage for the persistent storage requirements. I am not using PV and PVC to use hostPath; instead, I am using its volume plugin. For example:

{
    "apiVersion": "v1",
    "id": "local-nginx",
    "kind": "Pod",
    "metadata": {
        "name": "local-nginx"
    },
    "spec": {
        "containers": [
             {
                 "name": "local-nginx",
                 "image": "fedora/nginx",
                 "volumeMounts": [
                     {
                         "mountPath": "/usr/share/nginx/html/test",
                         "name": "localvol"
                     }
                 ]
             }
        ],
        "volumes": [
            {
                 "name": "localvol",
                 "hostPath": {
                    "path": "/logs/nginx-logs"
                 }
            }
        ]
    }
}

Note: the nginx pod is just an example.

My directory on the host is getting created as "drwxr-xr-x. 2 root root 6 Apr 23 18:42 /logs/nginx-logs" and the same permissions are reflected inside the pod, but as it's 755, other users, i.e. the user inside the pod, are not able to write/create files inside the mounted dir.

Questions:

  1. Is there any way out to avoid the problem specified above?

  2. Is there any way to specify the directory permission in case of Hostpath storage?

  3. Is there any field which I can set in the following definition to give the required permission?


"volumes": [
    {
        "name": "vol",
        "hostPath": {
            "path": "/any/path/it/will/be/replaced"
        }
    }
]

Upvotes: 4

Views: 7934

Answers (1)

Ottovsky

Reputation: 2258

I think the problem you are encountering is not related to the user or group (your pod definition does not have RunAsUser spec, so by default it is run as root), but rather to the SELinux policy. In order to mount a host directory to the pod with rw permissions, it should have the following label: svirt_sandbox_file_t. You can check the current SELinux label with the following command: ls -laZ <your host directory> and change it with chcon -Rt svirt_sandbox_file_t <your host directory>.

Upvotes: 7
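
The label check and relabel from the answer above, as an added shell example that is not part of the original question or answer. The function names are made up here, and container_file_t is accepted alongside svirt_sandbox_file_t on the assumption that the host runs a newer container-selinux policy, where ls -Z shows that name for the same type.

```shell
#!/bin/sh
# Added example: check a hostPath directory's SELinux type before mounting it.
# svirt_sandbox_file_t is the label named in the answer; container_file_t is
# accepted too (assumption: newer container-selinux policy shows that name).
ALLOWED_TYPES="svirt_sandbox_file_t container_file_t"

# Print the type field of an SELinux context "user:role:type:level".
# The level can contain colons itself (s0:c12,c34), so cut from the left.
selinux_type() {
    case "$1" in
        *:*:*) ;;
        *) return 0 ;;          # "?" or empty: no usable context
    esac
    rest=${1#*:}                # drop user
    rest=${rest#*:}             # drop role
    printf '%s\n' "${rest%%:*}"
}

# Succeed if the context's type is one a container process may write to.
is_container_writable() {
    t=$(selinux_type "$1")
    for allowed in $ALLOWED_TYPES; do
        if [ "$t" = "$allowed" ]; then return 0; fi
    done
    return 1
}

# Inspect a real directory (GNU stat, %C = SELinux context) and print either
# "ok", "no-selinux", or the chcon command from the answer.
check_hostpath() {
    ctx=$(stat -c %C "$1" 2>/dev/null) || ctx=""
    if [ -z "$ctx" ] || [ "$ctx" = "?" ]; then
        echo "no-selinux"
    elif is_container_writable "$ctx"; then
        echo "ok"
    else
        echo "chcon -Rt svirt_sandbox_file_t $1"
    fi
}

# Constructed sample contexts, not taken from a real host.
for c in 'unconfined_u:object_r:default_t:s0' \
         'system_u:object_r:svirt_sandbox_file_t:s0:c12,c34'; do
    if is_container_writable "$c"; then echo "writable: $c"
    else echo "blocked:  $c"; fi
done
if [ $# -gt 0 ]; then check_hostpath "$1"; fi
```

Run it on the node with the host directory as its argument, for example /logs/nginx-logs from the question.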
