RandomGuy17

Reputation: 53

Azure Kubernetes Service - Persistent Volume / Persistent Volume Claim change permissions

I'm new to Azure infrastructure. I'm trying to deploy Jenkins on AKS and preserve all of my Jenkins data if the container stops working, and I've run into a permissions issue with my newly created PVC.

I want to change the permissions for a specific folder and files in the PVC, and the "chmod" command looks like it runs but doesn't do anything; the permissions are still set to 777 instead of the permissions I want.

I have noticed that the Storage Class default permission value for dirs and files is 777, but I need some specific files to have other permissions.

Can I do this, or is there any other option?

Upvotes: 2

Views: 568

Answers (1)

Mikołaj Głodziak

Reputation: 5277

I want to change the permissions for a specific folder and files in the PVC, and the "chmod" command looks like it runs but doesn't do anything; the permissions are still set to 777 instead of the permissions I want.

If you want to configure permissions in Kubernetes, you must use the security context:

A security context defines privilege and access control settings for a Pod or Container. Security context settings include, but are not limited to:

  • Discretionary Access Control: Permission to access an object, like a file, is based on user ID (UID) and group ID (GID).

  • Security Enhanced Linux (SELinux): Objects are assigned security labels.

  • Running as privileged or unprivileged.

  • Linux Capabilities: Give a process some privileges, but not all the privileges of the root user.

  • AppArmor: Use program profiles to restrict the capabilities of individual programs.

  • Seccomp: Filter a process's system calls.

  • AllowPrivilegeEscalation: Controls whether a process can gain more privileges than its parent process. This bool directly controls whether the no_new_privs flag gets set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged OR 2) has CAP_SYS_ADMIN.

  • readOnlyRootFilesystem: Mounts the container's root filesystem as read-only.

The above bullets are not a complete set of security context settings -- please see SecurityContext for a comprehensive list.

For more information about security mechanisms in Linux, see Overview of Linux Kernel Security Features.

In your case, if you want to grant permissions for a specific object (e.g. a file), you can use Discretionary Access Control:

Containers that run as root frequently have far more permissions than their workload requires which, in case of compromise, could help an attacker further their attack.

Containers still rely on the traditional Unix security model (called discretionary access control or DAC) - everything is a file, and permissions are granted to users and groups.

You can also configure volume permission and ownership change policy for Pods.

Upvotes: 1
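As an added illustration of the security context and volume ownership settings the answer points to (example manifests written for this page, not code from the question, the answer or the Kubernetes project), here is a Jenkins Deployment that runs the process as an unprivileged UID, asks Kubernetes to set the group ownership of the mounted volume with fsGroup, and drops privileges the workload does not need. The storage class name, UID/GID 1000, the PVC size and the namespace are assumptions chosen for the example. Note that on a storage class backed by a block device (a filesystem such as ext4, e.g. Azure Disk) the kubelet can change mode bits and ownership, so fsGroup and chmod take effect; on a share mounted over SMB (e.g. Azure Files) the mode bits come from the dir_mode/file_mode mount options of the StorageClass and are the same for every file, which is why chmod on the PVC appears to succeed but changes nothing.

```yaml
# Added example: Jenkins on a PVC with an explicit security context.
# Values marked "assumed" are placeholders for this example.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: jenkins-home          # assumed name
  namespace: ci               # assumed namespace
spec:
  accessModes: ["ReadWriteOnce"]
  storageClassName: managed-csi   # assumed: a block (ext4) storage class,
                                  # so mode bits and ownership are honoured
  resources:
    requests:
      storage: 20Gi           # assumed size
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: jenkins
  namespace: ci
spec:
  replicas: 1
  selector:
    matchLabels: {app: jenkins}
  template:
    metadata:
      labels: {app: jenkins}
    spec:
      securityContext:
        # Discretionary access control: the Jenkins process gets this UID/GID
        # instead of root (1000 is the uid the official image uses; assumed here).
        runAsUser: 1000
        runAsGroup: 1000
        runAsNonRoot: true
        # fsGroup makes the kubelet chown the volume to this GID and add the
        # group setgid bit, so files the pod creates stay group-owned by 1000.
        fsGroup: 1000
        # Only re-walk the volume when the root directory's owner/permissions
        # don't already match, which keeps large volumes fast to mount.
        fsGroupChangePolicy: "OnRootMismatch"
      containers:
        - name: jenkins
          image: jenkins/jenkins:lts-jdk17
          ports:
            - containerPort: 8080
          securityContext:
            # The container-level context restricts privilege escalation and
            # capabilities; it does not change file modes on the volume.
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - name: home
              mountPath: /var/jenkins_home
      volumes:
        - name: home
          persistentVolumeClaim:
            claimName: jenkins-home
```

If the PVC must stay on an SMB-backed storage class, the per-file mode bits cannot be changed from inside the pod at all; the only lever is the StorageClass mountOptions (dir_mode, file_mode, uid, gid), which apply uniformly to the whole share. For per-file permissions, use a storage class that mounts a real filesystem and let fsGroup plus the pod's own umask do the work.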
