doksha

Reputation: 97

k8s Permission Denied issue

I got this error when deploying a k8s deployment. I tried to impersonate a root user via the security context, but it didn't help. Any guess how to solve it? Unfortunately, I don't have any other ideas or a workaround to avoid this permission issue.

The error I get is:

30: line 1: /scripts/wrapper.sh: Permission denied
stream closed

The deployment is as follows:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: cluster-autoscaler-grok-exporter
  labels:
    app: cluster-autoscaler-grok-exporter
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cluster-autoscaler-grok-exporter
      sidecar: cluster-autoscaler-grok-exporter-sidecar
  template:
    metadata:
      labels:
        app: cluster-autoscaler-grok-exporter
        sidecar: cluster-autoscaler-grok-exporter-sidecar
    spec:
      securityContext:
       runAsUser: 1001
       fsGroup: 2000 
      serviceAccountName: flux
      imagePullSecrets:
        - name: id-docker
      containers:
        - name: get-data
          # 3.5.0 - helm v3.5.0, kubectl v1.20.2, alpine 3.12
          image: dtzar/helm-kubectl:3.5.0
          command: ["sh", "-c", "/scripts/wrapper.sh"]
          args:
            - cluster-autoscaler
            - "90"
                  # - cluster-autoscaler
            - "30"
            - /scripts/get_data.sh
            - /logs/data.log
          volumeMounts:
            - name: logs
              mountPath: /logs/
            - name: scripts-volume-get-data
              mountPath: /scripts/get_data.sh
              subPath: get_data.sh
            - name: scripts-wrapper
              mountPath: /scripts/wrapper.sh
              subPath: wrapper.sh
        - name: export-data
          image: ippendigital/grok-exporter:1.0.0.RC3
          imagePullPolicy: Always
          ports:
            - containerPort: 9148
              protocol: TCP
          volumeMounts:
            - name: grok-config-volume
              mountPath: /grok/config.yml
              subPath: config.yml
            - name: logs
              mountPath: /logs
      volumes:
        - name: grok-config-volume
          configMap:
            name: grok-exporter-config
        - name: scripts-volume-get-data
          configMap:
            name: get-data-script
            defaultMode: 0777
            defaultMode: 0700
        - name: scripts-wrapper
          configMap:
            name: wrapper-config
            defaultMode: 0777
            defaultMode: 0700
        - name: logs
          emptyDir: {}
        
---
apiVersion: v1
kind: Service
metadata:
  name: cluster-autoscaler-grok-exporter-sidecar
  labels:
    sidecar: cluster-autoscaler-grok-exporter-sidecar
spec:
  type: ClusterIP
  ports:
    - name: metrics
      protocol: TCP
      targetPort: 9144
      port: 9148
  selector:
    sidecar: cluster-autoscaler-grok-exporter-sidecar
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  labels:
    app.kubernetes.io/name: cluster-autoscaler-grok-exporter
    app.kubernetes.io/part-of: grok-exporter
  name: cluster-autoscaler-grok-exporter
spec:
  endpoints:
    - port: metrics
  selector:
    matchLabels:
      sidecar: cluster-autoscaler-grok-exporter-sidecar

Upvotes: 1

Views: 4328

Answers (1)

Rakesh Gupta

Reputation: 3750

From what I can see, your script does not have execute permissions.

Remove this line from your config map.

defaultMode: 0700

Keep only:

defaultMode: 0777

Also, I see a missing leading / in your script path:

- /bin/sh scripts/get_data.sh

So, change it to

- /bin/sh /scripts/get_data.sh

Upvotes: 3
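
Why a 0700 mode gives "Permission denied" under runAsUser: 1001 while 0777 does not, as an added example that is not code from the question or the answer: it flags the repeated defaultMode keys and applies the POSIX owner/group/other execute check to each value. The manifest fragment is constructed from the question, and the file ownership (root, group 2000 from fsGroup) and process groups (0 and 2000) are assumptions.

```python
import re
# Constructed sample: the scripts-wrapper volume from the question's manifest.
MANIFEST = """\
volumes:
  - name: scripts-wrapper
    configMap:
      name: wrapper-config
      defaultMode: 0777
      defaultMode: 0700
  - name: logs
    emptyDir: {}
"""
KEY = re.compile(r"^(\s*)(-\s+)?([\w./-]+):(?:\s+(.*))?$")
def duplicate_keys(text):
    """Return (line_no, key, value) for keys repeated within one block mapping."""
    stack, dups = [], []  # stack of (indent, keys seen at that indent)
    for no, line in enumerate(text.splitlines(), 1):
        m = KEY.match(line.split(" #")[0].rstrip())
        if not m:
            continue
        dash, key = m.group(2), m.group(3)
        indent = len(m.group(1)) + len(dash or "")
        # Deeper blocks are closed; a "- " item starts a fresh mapping.
        while stack and (stack[-1][0] > indent or (dash and stack[-1][0] == indent)):
            stack.pop()
        if not stack or stack[-1][0] != indent:
            stack.append((indent, set()))
        if key in stack[-1][1]:
            dups.append((no, key, m.group(4)))
        stack[-1][1].add(key)
    return dups

def can_exec(mode, f_uid, f_gid, uid, gids):
    """POSIX check: only one class (owner, group or other) is consulted."""
    if uid == 0:
        return bool(mode & 0o111)  # root needs an execute bit in any class
    if uid == f_uid:
        return bool(mode & 0o100)
    if f_gid in gids:
        return bool(mode & 0o010)
    return bool(mode & 0o001)

def exec_by_mode(text, uid=1001, gids=(0, 2000), f_uid=0, f_gid=2000):
    """Assumed ownership: root:2000 file, process uid 1001 in groups 0 and 2000."""
    modes = re.findall(r"defaultMode:\s*(0[0-7]+)", text)
    return {m: can_exec(int(m, 8), f_uid, f_gid, uid, gids) for m in modes}

if __name__ == "__main__":
    print(duplicate_keys(MANIFEST), exec_by_mode(MANIFEST))
```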
