Permissions for Document Files in Kubernetes Pod, with Separate Nginx and FPM Containers

Question

Given a pod running an Nginx container, and a PHP-FPM container, what would be the best practice for the applications document permissions?

At the moment I have a volume shared between the containers so that Nginx has access to the PHP files. This works, but the files are owned by the user www-data in the FPM container, which does not exist in the Nginx container, resulting in them being owned by whichever user has the same UID.

This is obviously wrong, but then what's right? Options I've considered so far:

• Files are owned by nobody:nogroup
• Make a copy of the files for Nginx, and assign ownership to the nginx user in that container
• Align the UIDs
• Run both Nginx and FPM in the same container

None of these seem appealing.

Answer 1

This is a case for Security Context in kubernetes, where you can specify uid,gid or supplementary gid (fsgroup) for your pods.

For example setting:

spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000

Will make you progress run as user 1000, with primary group 3000 and supplementary group 2000.

You haven't specified if you need both pods to edit files in that volume, if that's not the case - only adding fsGroup should be enough to give read-only rights (by default) to your files, without affecting your existing workloads in any meaningful way.

Otherwise you can force same UID's, but that might require you to reconfigure your applications

See also: Kubernetes: how to correctly set php-fpm and nginx shared volume permission