Reputation: 1200
My AKS cluster and storage account are in the same Region: East US 2.
I have created a secret:
```
kubectl create secret generic fa-fileshare-secret --from-literal=azurestorageaccountname=fastorage --from-literal=azurestorageaccountkey='OWd7e9Ug'
secret/fa-fileshare-secret created
```
In that storage account I have a file share: containershare
I have checked the configuration of the secret, and the values match for account name and key (as this is stated in similar questions, which did not help me). I think the VNETs for the storage account and the AKS cluster are different, and the subscription and resource group are also different (if relevant).
When I try to execute deployment for my app, I am getting:
```
Mounting arguments: -t cifs -o actimeo=30,mfsymlinks,file_mode=0777,dir_mode=0777,
<masked> //fastorage.file.core.windows.net/containershare
/var/lib/kubelet/plugins/kubernetes.io/csi/pv/#fa-fileshare-secret#containershare#ads-volume#default/globalmount
Output: mount error(13): Permission denied
```
In the deployment.yaml definition:
```yaml
# ........
volumes:
  - name: ads-volume
    azureFile:
      secretName: fa-fileshare-secret
      shareName: containershare
      readOnly: false
# ............
```
What can be the problem (since different region and wrong credentials are not the issue)? I am accessing the cluster through kubectl from a remote Windows machine.
Upvotes: 1
Views: 3396
Reputation: 781
The solution for me was adding a role assignment on the infrastructure resource group, allowing the kubelet identity (agentpool) to read and access data storage.
This is the script accordingly:
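```powershell
# Assumes $resourceGroupAksName and $aksClusterName are already set
# to the AKS cluster's resource group and name.

# Object ID of the kubelet (agentpool) managed identity
$kubeletIdentity = az aks show `
    --resource-group $resourceGroupAksName `
    --name $aksClusterName `
    --query identityProfile.kubeletidentity.objectId `
    -o tsv

# Infrastructure (node) resource group of the cluster
$nodeResourceGroup = az aks show `
    --resource-group $resourceGroupAksName `
    --name $aksClusterName `
    --query "nodeResourceGroup" `
    -o tsv

# Grant the kubelet identity "Reader and Data Access" on that resource group
az role assignment create `
    --role "Reader and Data Access" `
    --assignee-object-id $kubeletIdentity `
    --resource-group $nodeResourceGroup
```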
Upvotes: 0
Reputation: 4602
Thank you AndreyS for confirming you resolved your issue. Here are a few additional details that can help to know the cause of your issue.
As per the Microsoft documentation, here is the possible cause for this error: Mount error(13): Permission denied
For mounting the storage file share with the AKS cluster (pod), you should deploy both resources in the same resource group and the same region, and also make sure both resources are in the same VNET. If not, then you have to allow access to your AKS VNET in the storage account: if Storage is set to Selected networks, check if the VNET and subnet of the AKS cluster are added.
It may take a few moments for the changes to take effect. After the VNET and subnet are added, check if the pod status changes from ContainerCreating to Running and the file share is mounted as well.
Upvotes: 1
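The "Selected networks" check from the last answer, as an added example that is not part of the original posts: a PowerShell function that takes the storage account's `networkRuleSet` JSON (as printed by the Azure CLI) and the AKS node subnet IDs, and reports any subnet missing from the allow list. The function name, resource IDs and sample JSON are constructed assumptions.

```powershell
# Inputs would normally come from (run against your own resources):
#   az storage account show -g <rg> -n <account> --query networkRuleSet -o json
#   az aks show -g <rg> -n <cluster> --query "agentPoolProfiles[].vnetSubnetId" -o json
# Everything below the function is constructed sample data with placeholder IDs.
function Test-AksSubnetAllowed {
    param(
        [Parameter(Mandatory)] [string]   $NetworkRuleSetJson,
        [Parameter(Mandatory)] [string[]] $AksSubnetIds
    )
    $rules = $NetworkRuleSetJson | ConvertFrom-Json

    # defaultAction "Allow" means "All networks": the firewall is not the cause.
    if ($rules.defaultAction -eq 'Allow') {
        return [pscustomobject]@{ Blocked = $false; MissingSubnets = @() }
    }

    # defaultAction "Deny" means "Selected networks": each node subnet needs an Allow rule.
    $allowed = @($rules.virtualNetworkRules |
        Where-Object { $_.action -eq 'Allow' } |
        ForEach-Object { $_.virtualNetworkResourceId })

    # -notcontains compares strings case-insensitively, as resource IDs require.
    $missing = @($AksSubnetIds | Where-Object { $allowed -notcontains $_ })
    [pscustomobject]@{ Blocked = ($missing.Count -gt 0); MissingSubnets = $missing }
}

$sub = '/subscriptions/00000000-0000-0000-0000-000000000000'   # placeholder
$sampleRuleSet = @"
{
  "defaultAction": "Deny",
  "bypass": "AzureServices",
  "ipRules": [],
  "virtualNetworkRules": [
    { "action": "Allow", "state": "Succeeded",
      "virtualNetworkResourceId": "$sub/resourceGroups/rg-other/providers/Microsoft.Network/virtualNetworks/vnet-other/subnets/default" }
  ]
}
"@
$aksSubnets = @("$sub/resourceGroups/rg-aks/providers/Microsoft.Network/virtualNetworks/vnet-aks/subnets/aks-subnet")

$result = Test-AksSubnetAllowed -NetworkRuleSetJson $sampleRuleSet -AksSubnetIds $aksSubnets
if ($result.Blocked) {
    'Storage firewall has no Allow rule for these AKS subnets:'
    $result.MissingSubnets
    # Fix: az storage account network-rule add -g <rg> --account-name <account> --subnet <subnet-id>
}
```

With the sample data the AKS subnet is reported as missing, which is the state in which the answer above says to add the cluster's VNET and subnet to the storage account.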